Authentication Methods

Buddy supports three ways to prove who a user is. Pick the one that best matches how your application already issues identity.

At a glance

Method	Best when	You provide
JWT pass-through	You already issue JWTs to your users.	JWKS URL or public key + claim mapping.
Signed session token	You don't issue JWTs but can sign a tiny payload.	A shared HMAC secret.
Identity callback URL	You'd rather keep all user data on your servers.	An HTTPS endpoint Buddy calls per session.

Method

Best when

You provide

You already issue JWTs to your users.

JWKS URL or public key + claim mapping.

You don't issue JWTs but can sign a tiny payload.

A shared HMAC secret.

You'd rather keep all user data on your servers.

An HTTPS endpoint Buddy calls per session.

Every verification failure maps to a stable code linked to the exact fix. See the error-code reference.