Payload CMS Auth Plugins: Which One Should You Use?
Compare Auth.js, authsmith and Better Auth to pick the right OAuth, SSO, SAML or 2FA solution for Payload CMS.

Which Payload CMS Auth Plugin Should You Use?
Authentication is one of those things you don't want to get wrong, and it's also one of the first things you have to figure out when starting a new Payload project. Payload ships with a solid auth system out of the box — email/password, JWT, session management — but the moment a client asks for "login with Google" or "can we add two-factor authentication?", you're reaching for a plugin.
The problem is there are five community auth plugins with real adoption, and they're not interchangeable. Each one makes different tradeoffs. I went through all of them so you don't have to.
What Payload Gives You by Default
Before comparing plugins, it's worth being clear about what you're starting with. Payload 3.x has built-in support for email/password authentication, JWT tokens, cookie-based sessions, and basic access control at the collection level. For internal tools or projects where you control who signs up, this is often enough.
The plugins below are for when you need OAuth providers, SSO, SAML, passkeys, or two-factor auth on top of that foundation.
The Five Plugins Worth Knowing
1. payload-authjs — Best for Next.js Projects Already Using Auth.js
GitHub: CrawlerCode/payload-authjs · 205 stars · Updated Feb 2026
If your stack is Next.js and you're already familiar with Auth.js (formerly NextAuth 5), this is the most natural path. payload-authjs bridges Auth.js with Payload so that social logins — Google, GitHub, Discord, any provider Auth.js supports — work through a single, unified auth layer.
The key advantage here is that you're not learning a new abstraction. Auth.js has excellent documentation, a massive provider library, and you're likely to find examples for whatever provider you need. This plugin connects that ecosystem to Payload's user collection without requiring you to manage tokens manually.
Where it's a weaker fit: if you're not using Next.js, or if you need enterprise features like SAML or OIDC, Auth.js doesn't cover those and neither will this plugin.
Pick this if: You're building on Next.js, need social logins quickly, and already know or prefer Auth.js.
2. payload-auth-plugin (authsmith) — Best for Enterprise Auth Requirements
GitHub: authsmith/payload-auth-plugin · 291 stars · Docs at authsmith.com
The most starred auth plugin in the Payload ecosystem, and it shows in the feature set. payload-auth-plugin by authsmith supports OAuth, SAML, SSO, OIDC, and WebAuthn/passkeys — the full enterprise auth stack in one plugin.
This is the plugin to reach for when a client's IT department sends you a requirements document. SAML integration for connecting to an enterprise identity provider (Okta, Azure AD, etc.)? It's here. Passkey support for passwordless login? Also here. The breadth of what it covers is what sets it apart from the other options.
The tradeoff is complexity. This is not a plugin you install in ten minutes. The authsmith documentation is thorough but assumes you understand the protocols you're implementing. If your project genuinely needs SAML or SSO, that complexity is warranted. If you just need a Google login button, it's overkill.
Pick this if: You're building for enterprise clients, need SSO/SAML, or have to support passkeys.
3. payload-auth (Better Auth integration) — Best for New Projects Wanting Modern Auth
GitHub: payload-auth/payload-auth · 266 stars · Updated Jan 2026
Better Auth is a newer TypeScript-first auth library that's been gaining real traction in the Next.js ecosystem. This plugin integrates it with Payload, and the combination is worth considering for new projects where you have flexibility on your auth stack.
What makes Better Auth appealing — and by extension this plugin — is the developer experience. It's designed around TypeScript from the ground up, the API is clean, and the concept of "plugins within your auth library" means you can incrementally add features like organization management, two-factor auth, or magic links without replacing anything.
The honest caveat is that Better Auth is newer than the other options here, which means the community around it is still growing. If you hit an edge case, you'll find fewer Stack Overflow answers and more digging through source code.
Pick this if: You're starting a new project, value TypeScript-first design, and want an auth library with room to grow.
4. payload-oauth2 — Best for Simple OAuth Needs
GitHub: WilsonLe/payload-oauth2 · 175 stars · Updated Jan 2026
Sometimes you just need OAuth. One or two providers, standard social login, nothing fancy. payload-oauth2 covers exactly this — Google, GitHub, Zitadel, and other OAuth2-compliant providers — with a straightforward configuration that won't take your afternoon.
It's the least opinionated option here, which is both its strength and its limitation. You get a working OAuth flow without any assumptions about your stack or any additional features bundled in. There's no SAML, no passkeys, no organization management — just OAuth done cleanly.
Pick this if: You need basic OAuth (one or two providers) and want the simplest possible setup.
5. payload-totp — Best When You Just Need Two-Factor Auth
GitHub: GeorgeHulpoi/payload-totp · 127 stars · Updated Jan 2026
payload-totp is different from the others in that it doesn't replace or extend OAuth — it adds TOTP-based two-factor authentication on top of whatever auth system you're already using. Users enroll via an authenticator app (Google Authenticator, Authy, 1Password, etc.) and then confirm a six-digit code on login.
If you're building an admin-heavy application where the primary concern is securing existing accounts rather than adding social login, this might be all you need. It's also composable — you could use this alongside payload-oauth2 if you want both social login and 2FA.
Pick this if: You need 2FA on top of your existing auth setup and don't want to overhaul the whole auth layer.
Decision Framework
Here's how I'd think through the choice:
Are you on Next.js and need social login fast? → payload-authjs
Does your client have an enterprise identity provider (Okta, Azure AD) or need SAML/SSO? → payload-auth-plugin (authsmith)
Starting a new project with flexibility on your stack? → payload-auth (Better Auth)
Need basic OAuth with minimal configuration? → payload-oauth2
Need 2FA on top of an existing auth setup? → payload-totp (possibly combined with one of the above)
A Note on Compatibility
All five plugins target Payload 3.x, but the Payload 3.0 rewrite was significant and plugin maintenance varies. Before installing any of these, check that the repo shows recent commits (within the last year) and that the peer dependencies list payload: "^3.0.0" or higher. The star counts and update dates listed above were accurate as of early 2026.
Also worth noting: these plugins are community-maintained, not official Payload packages. They're well-adopted and actively developed, but if you're building something mission-critical, audit the source code before depending on it in production.
Choosing the wrong auth plugin early is annoying to undo, so it's worth the extra fifteen minutes upfront. If your requirements are simple, don't reach for the enterprise option. If you know you'll need SSO eventually, don't start with the simple OAuth plugin and plan to migrate later.
Let me know in the comments if you've used any of these in production and what your experience has been — always interested to hear how they hold up in real projects. Subscribe for more practical Payload guides.
Thanks, Matija