OAuth 2.0 and OpenID Connect integration with Google (Google Identity Services), Microsoft (MSAL), GitHub, and enterprise identity providers (Okta, Auth0, Azure AD B2C) for social login and workforce SSO, including the PKCE extension for public clients (mobile apps) where client secrets cannot be stored securely. Authorization Code Flow with PKCE used for all user-facing integrations; Client Credentials Flow for machine-to-machine API integrations that authenticate as a service rather than a user. SAML 2.0 for enterprise SSO: integration with corporate IdPs (Okta, Active Directory Federation Services, OneLogin, PingIdentity) so enterprise customers can log into your product using their existing corporate credentials, with SP-initiated and IdP-initiated flows both supported. Attribute mapping from SAML assertions to your user model: NameID, email, department, role, and any custom attributes needed for role assignment or feature gating. SCIM 2.0 for automated user lifecycle management: when a user is added to the enterprise customer's IdP group, they are provisioned in your system with the correct role; when they leave, they are deprovisioned, no manual off-boarding step and no orphaned accounts accumulating in your user table. JWT validation for tokens issued by external IdPs: signature verification against the IdP's JWKS endpoint, claim validation (issuer, audience, expiry), and session management that respects the token's expiry without forcing users to re-authenticate unnecessarily.