add JWT info to auth setup

ethanpalm · ethanpalm · commit 2d25e49079ef · 2025-05-29T10:23:57.000-07:00
diff --git a/authentication-personalization/authentication-setup.mdx b/authentication-personalization/authentication-setup.mdx
@@ -3,29 +3,237 @@ title: "Authentication Setup"
 description: "Guarantee privacy of your docs by authenticating users"
 icon: "file-lock"
 ---
+Authentication requires users to log in before accessing your documentation. This guide covers setup for each available handshake method.
+
+**Need help choosing?** See the [overview](/authentication-personalization/overview) to compare options.
 
 <Info>
   Authentication methods are available on the [Growth and Enterprise plans](https://mintlify.com/pricing?ref=authentication). Please{" "}
   <a href="mailto:sales@mintlify.com">contact sales</a> for more information.
 </Info>
 
-Authentication offers full privacy for all of your
-documentation content by requiring users to authenticate before viewing any content, such as:
+## Configuring authentication
+
+Select the handshake method that you want to configure.
+
+<Tabs>
+  <Tab title="JWT">
+### Prerequisites
+
+ * An authentication system that can generate and sign JWTs.
+ * A backend service that can create redirect URLs.
+
+### Implementation
+
+<Steps>
+  <Step title="Generate a private key.">
+    1. In your dashboard, go to [Authentication](https://dashboard.mintlify.com/settings/deployment/authentication).
+    2. Select **Full Authentication** or **Partial Authentication**.
+    3. Select **JWT**.
+    4. Enter the URL of your existing login flow and select **Save changes**.
+    5. Select **Generate new key**.
+    6. Store your key securely where it can be accessed by your backend.
+  </Step>
+  <Step title="Integrate Mintlify authentication into your login flow.">
+    Modify your existing login flow to include these steps after user authentication:
+    
+    * Create a JWT containing the authenticated user's info in the `User` format. See [Sending Data](/authentication-personalization/sending-data) for more information.
+    * Sign the JWT with your secret key, using the EdDSA algorithm.
+    * Create a redirect URL back to the `/login/jwt-callback` path of your docs, including the JWT as the hash.
+  </Step>
+</Steps>
+
+### Example
+Your documentation is hosted at `docs.foo.com` with an existing authentication system at `foo.com`. You want to extend your login flow to grant access to the docs.
+
+To do this, create a login endpoint at `https://foo.com/docs-login` that extends your existing authentication.
+
+After verifying user credentials:
+* Generate a JWT with user data in Mintlify's format.
+* Sign the JWT and redirect to `https://docs.foo.com/login/jwt-callback#{SIGNED_JWT}`.
+
+<CodeGroup>
+```ts TypeScript
+import * as jose from 'jose';
+import { Request, Response } from 'express';
+
+const TWO_WEEKS_IN_MS = 1000 * 60 * 60 * 24 * 7 * 2;
+
+const signingKey = await jose.importPKCS8(process.env.MINTLIFY_PRIVATE_KEY, 'EdDSA');
+
+export async function handleRequest(req: Request, res: Response) {
+  const user = {
+    expiresAt: Math.floor((Date.now() + TWO_WEEKS_IN_MS) / 1000), // 2 week session expiration
+    groups: res.locals.user.groups,
+    content: {
+      firstName: res.locals.user.firstName,
+      lastName: res.locals.user.lastName,
+    },
+  };
+
+  const jwt = await new jose.SignJWT(user)
+    .setProtectedHeader({ alg: 'EdDSA' })
+    .setExpirationTime('10 s') // 10 second JWT expiration
+    .sign(signingKey);
+
+  return res.redirect(`https://docs.foo.com/login/jwt-callback#${jwt}`);
+}
+```
+
+```python Python
+import jwt # pyjwt
+import os
+
+from datetime import datetime, timedelta
+from fastapi.responses import RedirectResponse
+
+private_key = os.getenv(MINTLIFY_JWT_PEM_SECRET_NAME, '')
+
+@router.get('/auth')
+async def return_mintlify_auth_status(current_user):
+  jwt_token = jwt.encode(
+    payload={
+      'exp': int((datetime.now() + timedelta(seconds=10)).timestamp()),    # 10 second JWT expiration
+      'expiresAt': int((datetime.now() + timedelta(weeks=2)).timestamp()), # 1 week session expiration
+      'groups': ['admin'] if current_user.is_admin else [],
+      'content': {
+        'firstName': current_user.first_name,
+        'lastName': current_user.last_name,
+      },
+    },
+    key=private_key,
+    algorithm='EdDSA'
+  )
+
+  return RedirectResponse(url=f'https://docs.foo.com/login/jwt-callback#{jwt_token}', status_code=302)
+```
+</CodeGroup>
+
+### Redirecting unauthenticated users
+
+When an unauthenticated user tries to access a protected page, their intended destination is automatically preserved:
+
+1. User attempts to visit a protected page: `https://docs.foo.com/quickstart`.
+2. Redirect to your login URL with a redirect query parameter: `https://foo.com/docs-login?redirect=%2Fquickstart`.
+3. After authentication, redirect to `https://docs.foo.com/login/jwt-callback?redirect=%2Fquickstart#{SIGNED_JWT}`.
+4. User lands in their original destination.
+  </Tab>
+<Tab title="OAuth 2.0">
+### Prerequisites
+
+- You have an existing OAuth server that supports the Authorization Code flow.
+    - You can create a new API endpoint that can be accessed by the returned OAuth access token.
+
+### Implementation
+
+<Steps>
+  <Step title="Configure your Authentication settings">
+    Go to your [Mintlify authentication settings](https://dashboard.mintlify.com/products/authentication), select the OAuth option, and fill out the required fields:
+
+    - **Authorization URL**: The base URL for the authorization request, to which we will add the appropriate query parameters.
+    - **Client ID**: An ID for the OAuth 2.0 client to be used.
+    - **Scopes**: An array of scopes that will be requested. TODO: clarify why there could be multiple
+    - **Token URL**: The base URL for the token exchange request.
+    - **Info API URL** (optional): The endpoint that will be hit to retrieve user info. If omitted, the OAuth flow will only be used to verify identity, and the user info will be empty.
+  </Step>
+  <Step title="Configure your OAuth client">
+    Copy the Redirect URL listed in the [Mintlify authentication settings](https://dashboard.mintlify.com/products/authentication) and add it as an authorized redirect URL for your OAuth server.
+  </Step>
+  <Step title="Create your Info API (Optional)">
+    If you want to take advantage of authentication's customization features, you'll need to create an endpoint to retrieve info about your users.
+    Create an API endpoint that can be accessed with an OAuth access token, and responds with a JSON payload following the [User](../sending-data) format.
+
+    Return to your [Mintlify authentication settings](https://dashboard.mintlify.com/products/authentication) and add the Info API URL
+    to your OAuth configuration.
+  </Step>
+</Steps>
+
+## Example
+
+I have an existing OAuth server that supports the Authorization Code flow. I want to set up authentication for my docs hosted at `foo.com/docs`.
+
+To set up authentication with Mintlify, I create an endpoint `api.foo.com/docs/user-info` which requires an OAuth access token with the `docs-user-info` scope, and responds with the user's custom data according to Mintlify’s specification.
+
+I then go to the dashboard settings, navigate to the Authentication settings, select OAuth, and enter the relevant values for the OAuth flow and Info API endpoint:
+- **Authorization URL**: `https://auth.foo.com/authorization`
+- **Client ID**: `ydybo4SD8PR73vzWWd6S0ObH`
+- **Scopes**: `['docs-user-info']`
+- **Token URL**: `https://auth.foo.com/exchange`
+- **Info API URL**: `https://api.foo.com/docs/user-info`
+
+Finally, I copy the Redirect URL displayed in the dashboard settings and add it as an authorized redirect URL in my OAuth client configuration settings.
+
+
+  </Tab>
+<Tab title="Mintlify Dashboard">
+### Prerequisites
+
+- Your documentation readers are also your documentation editors.
+
+### Implementation
+
+### Example
+
+I want to set up authentication for my docs hosted at `docs.foo.com`. I want my docs
+to be internal, and the people that will be viewing my docs are the same people that
+contribute to my docs.
+
+To set up authentication with Mintlify, I can go to my [dashboard settings](https://dashboard.mintlify.com/products/authentication)
+and enable Authentication with the Mintlify Auth Handshake.
+
+I can then ensure that anyone that should be able to read the docs has been added as a user in
+my [dashboard settings](https://dashboard.mintlify.com/settings/organization/members).
+
+## Implementation
+
+<Steps>
+  <Step title="Configure your Authentication settings">
+    Go to your [Mintlify dashboard
+    settings](https://dashboard.mintlify.com/products/authentication) and select
+    the Mintlify Auth Handshake.
+  </Step>
+  <Step title="Add users">
+    Ensure that any users that should be able to view your documentation have
+    been added as users in your [Mintlify dashboard
+    settings](https://dashboard.mintlify.com/settings/organization/members).
+  </Step>
+</Steps>
+
+
+  </Tab>
+  <Tab title="Password">
+<Info>
+Password authentication is used for access control only. Does not allow for personalizaiton.
+</Info>
+
+### Prerequisites
+
+- Your security requirements allow for password sharing between documentation readers.
+
+### Implementation
+
+<Steps>
+  <Step title="Add a password">
+    Go to your [dashboard
+    settings](https://dashboard.mintlify.com/products/authentication) and create
+    a password.
+  </Step>
+  <Step title="Share your password">
+    Securely share the password with your documentation readers. That's it!
+  </Step>
+</Steps>
 
-- Documentation page content
-- Images used in documentation pages
-- Search results
-- AI assistant interactions
+## Example
 
-You can authenticate users through handshake methods such as:
+I want to set up authentication for my docs hosted at `docs.foo.com`. I don't want
+to have to keep track of who can and cannot access the docs. My main use case for
+authentication is to prevent competitors from snooping - password sharing is secure
+enough for my team.
 
-- [Password](./authentication-setup/password)
-- [JWT](./authentication-setup/jwt)
-- [OAuth](./authentication-setup/oauth)
-- [Mintlify dashboard](./authentication-setup/mintlify)
+To set up authentication with Mintlify, I go to my Mintlify dashboard and add at
+least one password. I then share that password, along with the private docs URL,
+with potential customers.
 
-Authentication is similar to our [Personalization](./personalization) offering, but with guaranteed privacy. In addition
-to securing your documentation content, all features that are available via
-Personalization are also available via Authentication.
 
-Check out our docs for more info on [choosing Authentication vs Personalization](./authentication-vs-personalization).
+  </Tab>
+</Tabs>
diff --git a/authentication-personalization/overview.mdx b/authentication-personalization/overview.mdx
@@ -49,6 +49,7 @@ Authentication and personalization offer multiple handshake methods for controll
 **Mintlify dashboard**: Allow all of your dashboard users to access your docs.
 * Pros of Mintlify dashboard:
   * No configuration required.
+  * Enables private preview deployments, restricting access to authenticated users only.
 * Cons of Mintlify dashboard:
   * Requires all users of your docs to have an account in your Mintlify dashboard.
 
