Can we use auth and CMS content in one platform?

Yes. Teams can manage content and project user authentication in the same platform, which reduces integration complexity for products that need both content delivery and user sessions.

Can users have scoped API keys?

Yes. Noma supports user-scoped API key flows for authenticated project users, including listing, creating, and revoking keys through auth endpoints and SDK methods.

Is this suitable for production security workflows?

Yes, when implemented with server-side token handling, secure cookie strategy, proper key rotation, and route-level authorization checks. Noma provides the auth primitives; teams define final app security posture.

Built-in auth · API-first CMS · 2026

CMS with built-in auth

Noma combines structured content workflows with project-scoped end-user authentication, so teams can manage publishing and identity in one platform instead of stitching multiple products for core functionality.

Start a free trial View Noma pricing Headless CMS overview

Positioning

Why teams want auth and CMS in one place

Many product teams need both a content platform and end-user identity flows. Running separate systems can increase implementation overhead, token-handling complexity, and operational surface area.

Noma gives teams one platform for structured content plus project-scoped user auth primitives, which simplifies architecture for many SaaS products, customer portals, and member-facing websites.

Auth capability

Core flows available in Noma

Noma project auth supports common production flows: signup, password login, social id_token login, refresh, logout, logout-all, email verification lifecycle, and password updates.

Project-scoped user sessions and refresh lifecycle.
Social login token exchange paths for supported providers.
Email verification resend and confirmation flows.
User-scoped API keys with create, list, revoke controls.

Developer setup

Server-side auth integration pattern

Keep auth handling on the server. Initialize SDK in secure contexts and avoid exposing secret values in browser bundles.

import { createClient } from "@nomacms/js-sdk";
 
const noma = createClient({
  projectId: process.env.NOMA_PROJECT_ID!,
});

This pattern works across Next.js route handlers, server actions, backend APIs, and worker services.

Session flow

Signup, login, refresh, and profile checks

The SDK exposes straightforward methods for account creation and session lifecycle. Teams can layer this into app-specific cookie/session adapters.

await noma.signUp({
  email: "[email protected]",
  password: "secure-password",
  display_name: "Demo User",
});
 
await noma.signInWithPassword({
  email: "[email protected]",
  password: "secure-password",
});
 
await noma.refreshSession();
const me = await noma.me();

For social auth, use the SDK social sign-in method with provider id_token exchange in server-safe paths.

User API keys

Scoped keys for user-level automation

Some products need user-scoped programmatic access. Noma supports user API key management so teams can allow controlled integrations without sharing broad project credentials.

const key = await noma.createUserApiKey({
  name: "automation-key",
  scopes: ["read"],
});
 
const keys = await noma.listUserApiKeys();
await noma.revokeUserApiKey(String((key as any).id));

Security model

How teams should deploy this safely

Built-in auth reduces integration burden, but secure implementation still matters. Keep tokens server-side, enforce authorization at route boundaries, and rotate credentials as part of regular ops.

Pair auth with Noma content permissions and versioned publishing workflows for a stronger overall product control model.

Automation

Agent-ready auth and content operations

Teams can automate recurring auth and content tasks with scripts, CI jobs, and assistant workflows using SDK and webhook patterns.

For agent-driven workflows, use @nomacms/mcp-server and Agent Skills to standardize implementation in developer tools.

Decision guide

When this is a strong fit

Noma is a strong fit when your product requires both structured CMS delivery and end-user auth flows without stitching multiple core vendors together.

If your team is spending too much time integrating separate auth and CMS stacks, a unified platform model can reduce complexity and improve delivery speed.

Continue with related pages: CMS for developers, CMS with versioning, and CMS for agencies.