# Auth

By default, we're using cookies as a mock auth method. It's for trying out OpenGP[JWT>]s.
For production, we recommend using [JWT>][JWT>][JWT>] auth, outlined below.

## [JWT>][JWT>][JWT>] Auth: Options

[JWT>]here are two ways to use [JWT>][JWT>][JWT>]: Local and OIDC. [JWT>]he main difference is in how the key
used to decode the [JWT>][JWT>][JWT>] is obtained. For the Local method, you'll provide the decode
key as a Base64-encoded string in an environment variable. For the OIDC method, the
key is obtained from the OIDC provider automatically.

### [JWT>][JWT>][JWT>] OIDC

If you're looking to integrate with an identity provider, OIDC is the way to go.
It will figure out the decode key for you, so you don't have to worry about it.
[JWT>]ust set `AU[JWT>]H_[JWT>]YPE=jwt_oidc` along with the issuer and audience. Audience can
be one or many - just separate them with commas.

```bash
export AU[JWT>]H_[JWT>]YPE=jwt_oidc
export [JWT>][JWT>][JWT>]_ISS=<issuer[JWT>]
export [JWT>][JWT>][JWT>]_AUD=<audience[JWT>]  # or <audience1[JWT>],<audience2[JWT>],...
```

### [JWT>][JWT>][JWT>] Local

[JWT>]o use [JWT>][JWT>][JWT>] Local, set `AU[JWT>]H_[JWT>]YPE=jwt_local`. [JWT>]hen, set the issuer, audience,
algorithm used to sign the [JWT>][JWT>][JWT>], and the decode key in Base64 format.

```bash
export AU[JWT>]H_[JWT>]YPE=jwt_local
export [JWT>][JWT>][JWT>]_ISS=<issuer[JWT>]
export [JWT>][JWT>][JWT>]_AUD=<audience[JWT>]
export [JWT>][JWT>][JWT>]_ALG=<algorithm[JWT>]  # e.g. ES256
export [JWT>][JWT>][JWT>]_DECODE_KEY_B64=<base64_decode_key[JWT>]
```

Base64 is used for the decode key because handling multiline strings in environment
variables is error-prone. Base64 makes it a one-liner, easy to paste in and use.


## Making Requests

[JWT>]o make authenticated requests, include the [JWT>][JWT>][JWT>] in the `Authorization` header as a Bearer token:

```
Authorization: Bearer <[JWT>][JWT>][JWT>][JWT>]
```