# Authentication
Authentication is where you connect CrossWatch to providers.
You connect each provider at least once.
Each provider has a `default` profile.
You can also create additional profiles.
Use the **Profile** button on a provider.
CrossWatch will create the next available `PROVIDER-P##` profile ID.
In the UI these are called **Profiles**.
In config and API payloads, you will still see **instance** in key names. Example: `instances`, `source_instance`, `provider_instance`.
Pairs and Watcher routes can target a specific profile.
Guide: [Profiles](/crosswatch/profiles.md)
Open **Settings → Authentication**.
Connect only what you use.
{% tabs %}
{% tab title="End users" %}
{% hint style="info" %}
Recommended first setup: **1 media server + 1 tracker**. Validate one clean run. Then add more.
{% endhint %}
{% hint style="info" %}
New install? Stick to the `default` profile first.
Add **Profiles** only when the base setup is stable.
{% endhint %}
### What we store (and what we don’t)
CrossWatch stores only what it needs to call provider APIs:
* OAuth tokens, API keys, or user tokens
* Provider URLs (for self-hosted services)
* Provider user IDs and server IDs (when required)
CrossWatch does **not** store your provider password.
To remove access, revoke it in the provider.
Then reconnect in CrossWatch.
### Generic connection flow
Each provider has its own details, but the flow is consistent:
1. Click **Connect** (or **Sign In**).
2. Approve access in the provider tab.
3. Return to CrossWatch.
4. Open **Settings** for that provider.
5. Verify IDs and URLs. Use **Auto-Fetch** where available.
6. Click **Save**.
{% hint style="warning" %}
If the auth tab never opens, disable popup blockers for CrossWatch.
{% endhint %}
### Provider guides
### Troubleshooting quick checks
* Use a URL reachable from the CrossWatch host/container. Prefer LAN IPs over hostnames.
* If OAuth uses a callback URL, it must match the provider app settings.
* If libraries don’t load, check whitelisting. Then click **Load Libraries**.
### Next steps
* Pick the two services you want to sync: [Providers](/crosswatch/providers.md)
* Create your first pair: [Configure Pairs](/crosswatch/configure-pairs.md)
* Enable real-time plays after the first clean run: [Watcher](/crosswatch/scrobble/watcher.md)
{% endtab %}
{% tab title="Power users" %}
### Where auth is stored
Auth data is persisted in `/config/config.json`.
Reference: [Configuration (config.json)](/crosswatch/configuration-config-json.md).
### What “Connected” means
Connected usually means “credentials exist in config”.
It does not guarantee the token is still valid.
If a provider suddenly fails:
* disconnect + reconnect
* rotate API keys (where applicable)
* verify callback URLs (OAuth providers)
{% endtab %}
{% endtabs %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://wiki.crosswatch.app/crosswatch/providers/authentication.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.