Principle:Helicone Helicone Authentication Flow

From Leeroopedia
Knowledge Sources
Domains Authentication, Security, User Management
Last Updated 2026-02-14 06:32 GMT

Overview

Authentication Flow is the orchestration of multi-provider user identity verification, supporting email/password, social OAuth, and enterprise SSO sign-in methods through a unified configuration.

Description

Modern web applications must support multiple authentication methods to accommodate different user segments: individual developers prefer email/password or social login (GitHub, Google), while enterprise customers require SSO via SAML or OIDC with their corporate identity provider. An authentication flow system provides a unified configuration that declares which providers are available, how sessions are managed, and what happens after successful authentication (redirects, token issuance, account creation).

In Helicone, the authentication system is built on Better Auth and provides dedicated pages for sign-in, sign-up, and SSO. The auth configuration centralizes provider setup, session management, and callback handling. Each authentication page handles its specific flow while sharing the underlying auth infrastructure.

Usage

Use a multi-provider authentication flow when:

  • Users need to authenticate via different identity providers.
  • Enterprise customers require SSO integration.
  • The application must support both self-service and managed authentication.
  • Session management must be consistent across all auth methods.

Theoretical Basis

Multi-provider authentication implements the Federated Identity pattern, where the application delegates identity verification to external identity providers (IdPs) and trusts their assertions. The configuration-driven approach follows the Abstract Factory pattern: the auth configuration creates provider-specific authentication handlers without the application code knowing the details of each provider's protocol. The sign-in flow follows the Post/Redirect/Get (PRG) pattern to prevent form resubmission, and sessions implement stateless token-based authentication using signed JWTs or encrypted session cookies.
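The configuration-driven factory and the Post/Redirect/Get step described above, as an added example that is not Helicone's or Better Auth's code: `authConfig`, `createHandler`, `safeRedirect`, `completeSignIn`, the provider entries and the `example.test` origin are all hypothetical. It also restricts the post-login redirect to a same-origin path, a check the page does not describe.

```javascript
// Added example; every name and value below is hypothetical or constructed.
const authConfig = {
  appOrigin: "https://app.example.test", // constructed origin
  defaultRedirect: "/dashboard",
  providers: {
    email: { kind: "password", enabled: true },
    github: { kind: "oauth", enabled: true },
    google: { kind: "oauth", enabled: false },
    okta: { kind: "sso", enabled: true, domains: ["corp.example.test"] },
  },
};

// One factory per provider kind; callers never branch on protocol details.
const factories = {
  password: (id) => ({ id, start: () => ({ step: "verify-credentials" }) }),
  oauth: (id) => ({ id, start: () => ({ step: "redirect-to-idp", callback: `/auth/callback/${id}` }) }),
  sso: (id, cfg) => ({
    id,
    start: (email = "") => {
      const domain = email.split("@").pop().toLowerCase();
      if (!cfg.domains.includes(domain)) throw new Error("domain not enrolled for SSO");
      return { step: "redirect-to-idp", callback: `/auth/callback/${id}` };
    },
  }),
};

function createHandler(config, providerId) {
  // Object.hasOwn avoids matching inherited keys such as "constructor".
  const cfg = Object.hasOwn(config.providers, providerId) ? config.providers[providerId] : null;
  if (!cfg || !cfg.enabled) throw new Error("provider not available");
  return factories[cfg.kind](providerId, cfg);
}

// Post/Redirect/Get: after a successful POST, answer 303 to a same-origin path only.
function safeRedirect(config, requested) {
  try {
    const url = new URL(requested ?? "", config.appOrigin);
    if (url.origin !== config.appOrigin || !String(requested).startsWith("/")) throw new Error();
    return url.pathname + url.search;
  } catch {
    return config.defaultRedirect;
  }
}

function completeSignIn(config, providerId, requestedRedirect) {
  createHandler(config, providerId); // rejects disabled or unknown providers
  return { status: 303, location: safeRedirect(config, requestedRedirect) };
}
```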
