# Auth Overview

Mastra lets you choose how you handle authentication, so you can secure access to your application's endpoints using the identity system that fits your stack.

You can start with simple shared secret JWT authentication and switch to providers like Supabase, Firebase Auth, Auth0, Clerk, or WorkOS when you need more advanced identity features.

## Default behavior

Authentication is optional in Mastra. When you configure authentication:

- **All built-in API routes** (`/api/agents/*`, `/api/workflows/*`, etc.) require authentication by default
- **Custom API routes** also require authentication by default
- **Public access** can be enabled on custom routes using `requiresAuth: false`

If no authentication is configured, all routes are publicly accessible.

See [Custom API Routes](https://mastra.ai/docs/server/custom-api-routes) for controlling authentication on custom endpoints.

## Available providers

### Built-in

- [Simple Auth](https://mastra.ai/docs/server/auth/simple-auth) - Token-to-user mapping for development and API keys
- [JSON Web Token (JWT)](https://mastra.ai/docs/server/auth/jwt) - HMAC-signed JWT verification

### Third-party integrations

- [Auth0](https://mastra.ai/docs/server/auth/auth0)
- [Better Auth](https://mastra.ai/docs/server/auth/better-auth)
- [Clerk](https://mastra.ai/docs/server/auth/clerk)
- [Firebase](https://mastra.ai/docs/server/auth/firebase)
- [Supabase](https://mastra.ai/docs/server/auth/supabase)
- [WorkOS](https://mastra.ai/docs/server/auth/workos)

### Advanced

- [Composite Auth](https://mastra.ai/docs/server/auth/composite-auth) - Combine multiple auth providers
- [Custom Auth Provider](https://mastra.ai/docs/server/auth/custom-auth-provider) - Build your own provider