Authentication
Dune runs two completely separate authentication systems on the same server:
| System | Who it's for | Sessions stored at | Cookie name |
|---|---|---|---|
| Admin auth | Content editors, admins | admin.runtimeDir/sessions/ | dune-admin-session |
| Public auth | Site visitors | admin.runtimeDir/site-sessions/ | dune-site-session |
The two systems share no state, no user records, and no session cookies. An admin user is not a site user, and vice versa.
Admin authentication
Covered in Administration. The login page is at {admin.path}/login (default /admin/login). Users are managed via the admin panel UI or data/users/ YAML files.
Public site authentication
Allows visitors to register and log in to your public site — for gated content, comments, subscriptions, or any user-specific feature. Three login methods are supported:
- OAuth — GitHub, Google, Discord
- Magic link — passwordless email link
- External JWT — validate tokens issued by Clerk, Auth0, or any HS256/RS256 issuer
See Public Authentication for setup and usage.
Content gating
Once a visitor is authenticated, their roles (assigned at login or after payment) control access to individual pages via the roles: frontmatter field.
See Content Gating for configuration.