Skip to main content

Authentication

The starter has two separate authentication surfaces:

SurfaceUsersAppPurpose
UI AuthenticationEnd-users of the website or appapps/uiSign in, register, reset password, OAuth login, and access user-specific frontend features.
Strapi Admin SSOCMS editors and administratorsapps/strapiSign in to the Strapi admin panel to manage content and CMS settings.
Keep these separate

End-user authentication is not Strapi admin authentication. A visitor account in the UI does not grant access to the CMS admin panel, and a Strapi admin user is not the same as an end-user account.

End-User Authentication

UI Authentication uses Better Auth for the session cookie and Strapi Users & Permissions for the user JWT. The UI stores the Strapi JWT in the Better Auth session and uses it for authenticated user-facing API calls.

Start here when you are working on website/app sign-in, registration, password reset, OAuth login, or user-specific frontend data.

Strapi Admin Authentication

Strapi Admin SSO is for CMS users who log into /admin. In this starter, Microsoft SSO authenticates Strapi admin users through Microsoft Entra ID, while Strapi still controls admin roles and permissions.

Start here when you are working on CMS editor/admin login.