* **No-auth mode**: If you select **Basic Setup** in the [TUI](/tui), or your [OpenRAG `.env` file](/reference/configuration) doesn't include OAuth credentials, then the OpenRAG OpenSearch instance runs in no-auth mode. This mode uses one anonymous JWT token for OpenSearch authentication. There is no differentiation between users; all users who access your OpenRAG instance can access all documents uploaded to your knowledge base.
* **OAuth mode**: If you select **Advanced Setup** in the [TUI](/tui), or your [OpenRAG `.env` file](/reference/configuration) includes OAuth credentials, then the OpenRAG OpenSearch instance runs in OAuth mode. This mode uses a unique JWT token for each OpenRAG user, and each document is tagged with user ownership. Documents are filtered by owner; users see only the documents that they uploaded or have access to through their cloud storage accounts. To enable OAuth mode after initial setup, see [Ingest files with OAuth connectors](/ingestion#oauth-ingestion).