diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
index 55dd1e5d..512a051a 100644
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -218,6 +218,7 @@ Phishing
 pid
 pipeable
 pipefail
+PKCE
 placeholders
 platops
 plpgsql
diff --git a/source/standards/standards/authentication-and-authorization.html.md.erb b/source/standards/standards/authentication-and-authorization.html.md.erb
new file mode 100644
index 00000000..2d25a69a
--- /dev/null
+++ b/source/standards/standards/authentication-and-authorization.html.md.erb
@@ -0,0 +1,24 @@
+---
+title: Authentication and authorization
+last_reviewed_on: 2026-06-08
+review_in: 12 months
+weight: 5
+---
+
+# <%= current_page.data.title %>
+
+CFT services should use OpenID Connect with CFT IDAM for user authentication.
+
+Authentication and authorization are separate concerns. OpenID Connect establishes the user identity. Services are responsible for their own authorization decisions.
+
+### OpenID Connect flows
+
+Use the authorization code flow for browser-based user authentication.
+
+Use PKCE where the client stack supports it.
+
+Use client credentials only for service-to-service authentication where no user is involved.
+
+Avoid password and implicit grants for new integrations.
+
+For implementation guidance, see the [OpenID Connect Guide for CFT Developers Using CFT IDAM](https://tools.hmcts.net/confluence/spaces/SISM/pages/1973296310/OpenID+Connect+Guide+for+CFT+Developers+Using+CFT+IDAM).