---
title: "Payload CMS Auth Plugins: Which One Should You Use?"
slug: "which-payload-cms-auth-plugin-to-use"
published: "2026-03-06"
updated: "2026-04-06"
validated: "2026-02-21"
categories:
  - "Payload"
tags:
  - "Payload CMS auth plugin"
  - "payload-authjs"
  - "payload-auth-plugin authsmith"
  - "payload-auth Better Auth"
  - "payload-oauth2"
  - "payload-totp"
  - "OAuth2 social login"
  - "SSO SAML integration"
  - "WebAuthn passkeys"
  - "two-factor authentication TOTP"
llm-intent: "reference"
audience-level: "intermediate"
framework-versions:
  - "payload cms"
  - "auth.js"
  - "better auth"
  - "next.js"
  - "payload-oauth2"
status: "stable"
llm-purpose: "Payload CMS auth plugin comparison: evaluate Auth.js, authsmith, Better Auth, payload-oauth2 and payload-totp to pick the right OAuth/SSO/2FA—read now."
llm-prereqs:
  - "Access to Payload CMS"
  - "Access to Auth.js"
  - "Access to Better Auth"
  - "Access to Next.js"
  - "Access to payload-oauth2"
llm-outputs:
  - "Completed outcome: Payload CMS auth plugin comparison: evaluate Auth.js, authsmith, Better Auth, payload-oauth2 and payload-totp to pick the right OAuth/SSO/2FA—read now."
---

# Payload CMS Auth Plugins: Which One Should You Use?
> Payload CMS auth plugin comparison: evaluate Auth.js, authsmith, Better Auth, payload-oauth2 and payload-totp to pick the right OAuth/SSO/2FA—read now.
Matija Žiberna · 2026-03-06

Authentication is one of those things you don't want to get wrong, and it's also one of the first things you have to figure out when starting a new Payload project. Payload ships with a solid auth system out of the box — email/password, JWT, session management — but the moment a client asks for "login with Google" or "can we add two-factor authentication?", you're reaching for a plugin.

The problem is there are five community auth plugins with real adoption, and they're not interchangeable. Each one makes different tradeoffs. I went through all of them so you don't have to.

---

## What Payload Gives You by Default

Before comparing plugins, it's worth being clear about what you're starting with. Payload 3.x has built-in support for email/password authentication, JWT tokens, cookie-based sessions, and basic access control at the collection level. For internal tools or projects where you control who signs up, this is often enough.

The plugins below are for when you need OAuth providers, SSO, SAML, passkeys, or two-factor auth on top of that foundation.

---

## The Five Plugins Worth Knowing

### 1. payload-authjs — Best for Next.js Projects Already Using Auth.js

**GitHub:** `CrawlerCode/payload-authjs` · 205 stars · Updated Feb 2026

If your stack is Next.js and you're already familiar with Auth.js (the v5 rename of NextAuth.js), this is the most natural path. `payload-authjs` bridges Auth.js with Payload so that social logins — Google, GitHub, Discord, any provider Auth.js supports — work through a single, unified auth layer.

The key advantage here is that you're not learning a new abstraction. Auth.js has excellent documentation, a massive provider library, and you're likely to find examples for whatever provider you need. This plugin connects that ecosystem to Payload's user collection without requiring you to manage tokens manually.

Where it's a weaker fit: if you're not using Next.js, or if you need enterprise features like SAML or OIDC, Auth.js doesn't cover those and neither will this plugin.

**Pick this if:** You're building on Next.js, need social logins quickly, and already know or prefer Auth.js.

---

### 2. payload-auth-plugin (authsmith) — Best for Enterprise Auth Requirements

**GitHub:** `authsmith/payload-auth-plugin` · 291 stars · Docs at authsmith.com

The most starred auth plugin in the Payload ecosystem, and it shows in the feature set. `payload-auth-plugin` by authsmith supports OAuth, SAML, SSO, OIDC, and WebAuthn/passkeys — the full enterprise auth stack in one plugin.

This is the plugin to reach for when a client's IT department sends you a requirements document. SAML integration for connecting to an enterprise identity provider (Okta, Azure AD, etc.)? It's here. Passkey support for passwordless login? Also here. The breadth of what it covers is what sets it apart from the other options.

The tradeoff is complexity. This is not a plugin you install in ten minutes. The authsmith documentation is thorough but assumes you understand the protocols you're implementing. If your project genuinely needs SAML or SSO, that complexity is warranted. If you just need a Google login button, it's overkill.

**Pick this if:** You're building for enterprise clients, need SSO/SAML, or have to support passkeys.

---

### 3. payload-auth (Better Auth integration) — Best for New Projects Wanting Modern Auth

**GitHub:** `payload-auth/payload-auth` · 266 stars · Updated Jan 2026

Better Auth is a newer TypeScript-first auth library that's been gaining real traction in the Next.js ecosystem. This plugin integrates it with Payload, and the combination is worth considering for new projects where you have flexibility on your auth stack.

What makes Better Auth appealing — and by extension this plugin — is the developer experience. It's designed around TypeScript from the ground up, the API is clean, and the concept of "plugins within your auth library" means you can incrementally add features like organization management, two-factor auth, or magic links without replacing anything.

The honest caveat is that Better Auth is newer than the other options here, which means the community around it is still growing. If you hit an edge case, you'll find fewer Stack Overflow answers and more digging through source code.

**Pick this if:** You're starting a new project, value TypeScript-first design, and want an auth library with room to grow.

---

### 4. payload-oauth2 — Best for Simple OAuth Needs

**GitHub:** `WilsonLe/payload-oauth2` · 175 stars · Updated Jan 2026

Sometimes you just need OAuth. One or two providers, standard social login, nothing fancy. `payload-oauth2` covers exactly this — Google, GitHub, Zitadel, and other OAuth2-compliant providers — with a straightforward configuration that won't take your afternoon.

It's the least opinionated option here, which is both its strength and its limitation. You get a working OAuth flow without any assumptions about your stack or any additional features bundled in. There's no SAML, no passkeys, no organization management — just OAuth done cleanly.

**Pick this if:** You need basic OAuth (one or two providers) and want the simplest possible setup.

---

### 5. payload-totp — Best When You Just Need Two-Factor Auth

**GitHub:** `GeorgeHulpoi/payload-totp` · 127 stars · Updated Jan 2026

`payload-totp` is different from the others in that it doesn't replace or extend OAuth — it adds TOTP-based two-factor authentication on top of whatever auth system you're already using. Users enroll via an authenticator app (Google Authenticator, Authy, 1Password, etc.) and then confirm a six-digit code on login.

If you're building an admin-heavy application where the primary concern is securing existing accounts rather than adding social login, this might be all you need. It's also composable — you could use this alongside `payload-oauth2` if you want both social login and 2FA.

**Pick this if:** You need 2FA on top of your existing auth setup and don't want to overhaul the whole auth layer.

---

## Decision Framework

Here's how I'd think through the choice:

**Are you on Next.js and need social login fast?** → `payload-authjs`

**Does your client have an enterprise identity provider (Okta, Azure AD) or need SAML/SSO?** → `payload-auth-plugin` (authsmith)

**Starting a new project with flexibility on your stack?** → `payload-auth` (Better Auth)

**Need basic OAuth with minimal configuration?** → `payload-oauth2`

**Need 2FA on top of an existing auth setup?** → `payload-totp` (possibly combined with one of the above)

---

## A Note on Compatibility

All five plugins target Payload 3.x, but the Payload 3.0 rewrite was significant and plugin maintenance varies. Before installing any of these, check that the repo shows recent commits (within the last year) and that the peer dependencies list `payload: "^3.0.0"` or higher. The star counts and update dates listed above were accurate as of early 2026.

Also worth noting: these plugins are community-maintained, not official Payload packages. They're well-adopted and actively developed, but if you're building something mission-critical, audit the source code before depending on it in production.

---

Choosing the wrong auth plugin early is annoying to undo, so it's worth the extra fifteen minutes upfront. If your requirements are simple, don't reach for the enterprise option. If you know you'll need SSO eventually, don't start with the simple OAuth plugin and plan to migrate later.

Let me know in the comments if you've used any of these in production and what your experience has been — always interested to hear how they hold up in real projects. Subscribe for more practical Payload guides.

Thanks, Matija
