---
summary: How users sign in and how crew members get their own identities.
title: Authentication
path: authentication
status: published
---

# Authentication

ScaiCrew follows the ScaiLabs rule: **ScaiKey is identity; ScaiCrew is authorization.** ScaiKey
proves who you are; ScaiCrew decides what you may do (which workspace, which role) and issues its own
session token carrying that decision.

There are two distinct identity stories:

- **[Login](/docs/scaicrew/authentication/login)** — how a human signs in (OAuth + PKCE through ScaiKey, a
  ScaiCrew-minted session token, workspace selection).
- **[Identities](/docs/scaicrew/authentication/identities)** — how each crew member gets its own ScaiKey service
  account so its actions are attributable and revocable.

Roles ascend `viewer < operator < author < admin`. Service callers are trusted at the audience level
and bypass role gating.
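
An added example (not ScaiCrew's own code) of a gate that applies the role order and the service-caller bypass described above. The `Caller` fields, the `kind` values, the audience string and the workspace check are assumptions, and the token is assumed to have been signature-verified already.

```python
from dataclasses import dataclass
from typing import Optional

# Role order as documented: viewer < operator < author < admin.
ROLE_RANK = {"viewer": 0, "operator": 1, "author": 2, "admin": 3}

# Hypothetical audience value this API expects on tokens (assumption).
EXPECTED_AUDIENCE = "scaicrew-api.example"


@dataclass(frozen=True)
class Caller:
    """Contents of an already-verified token; field names are hypothetical."""
    kind: str                       # "user" or "service" (assumed values)
    audience: str
    workspace: Optional[str] = None
    role: Optional[str] = None


def is_allowed(caller: Caller, workspace: str, required_role: str) -> bool:
    """Return True if the caller may perform an action needing required_role."""
    if required_role not in ROLE_RANK:
        raise ValueError(f"unknown required role: {required_role!r}")
    # Exact match only: for service callers this is the sole control.
    if caller.audience != EXPECTED_AUDIENCE:
        return False
    if caller.kind == "service":
        # Service callers bypass role gating once the audience matches.
        return True
    if caller.kind != "user":
        return False                # fail closed on unknown caller kinds
    if caller.workspace != workspace:
        return False                # session is scoped to one workspace
    rank = ROLE_RANK.get(caller.role)
    # An unknown or missing role is denied rather than treated as lowest.
    return rank is not None and rank >= ROLE_RANK[required_role]


if __name__ == "__main__":
    # Constructed sample callers.
    op = Caller("user", EXPECTED_AUDIENCE, workspace="ws-1", role="operator")
    svc = Caller("service", EXPECTED_AUDIENCE)
    print(is_allowed(op, "ws-1", "viewer"))   # operator satisfies viewer
    print(is_allowed(op, "ws-1", "author"))   # operator is below author
    print(is_allowed(svc, "ws-1", "admin"))   # service bypasses role gating
```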
