> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dynamic.xyz/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate with an external JWT

> Sign users into Dynamic with a JWT issued by your own authentication provider.

<Note>
  Bring Your Own Auth (BYOA) is an enterprise feature. Contact us [in Slack](https://dynamic.xyz/slack) or at [hello@dynamic.xyz](mailto:hello@dynamic.xyz) to enable it.
</Note>

If you already issue your own JWTs (e.g. from Auth0, Firebase Auth, Supabase, or your own backend), you can exchange that JWT for a Dynamic session. After sign-in, the user behaves like any other Dynamic user — with access to wallets, user management, and the rest of the SDK.

For concepts and configuration, see [Bring Your Own Auth](/overview/authentication/bring-your-own-auth).

<Note>
  Issue a Dynamic-specific JWT from your auth provider — separate from your application's normal access token — so the token Dynamic receives cannot be used to access resources on your own servers. See [Bring Your Own Auth](/overview/authentication/bring-your-own-auth) for the full recommendation.
</Note>

## Prerequisites

* [BYOA configured](/overview/authentication/bring-your-own-auth) in your Dynamic dashboard (issuer, JWKS URL).
* Before this: create and initialize a Dynamic client (see [Creating a Dynamic Client](/javascript/reference/client/create-dynamic-client), [Initializing the Dynamic Client](/javascript/reference/client/initialize-dynamic-client)).
* Your backend issues a JWT with at least `iss`, `sub`, and `exp` claims.

## Usage

Call `signInWithExternalJwt` with the JWT issued by your auth provider. Dynamic verifies the signature against your configured JWKS URL, validates the claims, and establishes a session.

```javascript theme={"system"}
import { signInWithExternalJwt } from '@dynamic-labs-sdk/client';

const signIn = async (externalJwt, externalUserId) => {
  try {
    await signInWithExternalJwt({
      externalJwt,
      externalUserId,
    });

  } catch (e) {
    console.error('Dynamic sign-in failed:', e);
  }
};
```

## Parameters

| Parameter        | Type     | Required | Description                                                                                                                                              |
| ---------------- | -------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `externalJwt`    | `string` | Yes      | The raw encoded JWT issued by your authentication provider.                                                                                              |
| `externalUserId` | `string` | Yes      | The user ID in your authentication system. Must match the `sub` claim in the JWT — Dynamic derives the stored external user ID from the JWT server-side. |

## Related

* [Bring Your Own Auth](/overview/authentication/bring-your-own-auth) — Concepts, configuration, and JWT requirements.
* [External auth step-up](/javascript/authentication-methods/step-up-auth/external-auth) — Issue elevated access tokens from your backend for sensitive actions.
