Authentication plugins for Payload CMS
Authentication plugins for Payload CMS: OAuth, SSO, MFA, RBAC, passkeys and better-auth integrations. Compare and install community solutions.
Authentication plugins add user identity to Payload CMS — from OAuth and SSO sign-in to multi-factor auth, passkeys and fine-grained RBAC/ABAC access control. They extend Payload's built-in auth rather than replacing it, so you keep the admin login while adding providers and policies.
What these plugins cover
- OAuth / SSO providers and social login
- MFA, TOTP and passkeys (WebAuthn)
- Passwordless and magic-link sign-in
- Role- and attribute-based access (RBAC/ABAC)
- Session, JWT and API-key management
- better-auth and Auth.js integrations
Choosing an auth approach
For a public app, start with social OAuth plus optional MFA; for internal tools, layer RBAC/ABAC on top of SSO. Pair access rules with admin tooling for audit logs.
See also admin tooling, custom fields and third-party integrations.
Color Picker Field
Add a color picker field to Payload collections with HEX support.
GraphQL View
Adds a GraphQL view with IDE support to Payload collections and globals.
Frequently asked questions
Which auth methods do Payload plugins support?
Community plugins cover OAuth and SSO providers, multi-factor auth (TOTP, passkeys) and role- or attribute-based access control, plus better-auth and Auth.js adapters.
How do these integrate with Payload's built-in auth?
Most plugins extend the existing auth collection and access-control hooks — you keep Payload's admin login and add providers, strategies or policies on top, rather than replacing the auth system.
Are these authentication plugins free?
Every plugin listed on Payload Market is open-source and free to install; pricing only applies to optional hosted services some authors offer.