diff --git a/api/v1/auth.go b/api/v1/auth.go
index ccb607b9..6d950600 100644
--- a/api/v1/auth.go
+++ b/api/v1/auth.go
@@ -62,7 +62,7 @@ func (s *APIV1Service) SignIn(c echo.Context) error {
 	ctx := c.Request().Context()
 	signin := &SignIn{}
 
-	disablePasswordLoginSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+	disablePasswordLoginSystemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 		Name: SystemSettingDisablePasswordLoginName.String(),
 	})
 	if err != nil {
@@ -186,7 +186,7 @@ func (s *APIV1Service) SignInSSO(c echo.Context) error {
 		return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
 	}
 	if user == nil {
-		allowSignUpSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+		allowSignUpSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 			Name: SystemSettingAllowSignUpName.String(),
 		})
 		if err != nil {
@@ -303,7 +303,7 @@ func (s *APIV1Service) SignUp(c echo.Context) error {
 		// Change the default role to host if there is no host user.
 		userCreate.Role = store.RoleHost
 	} else {
-		allowSignUpSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+		allowSignUpSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 			Name: SystemSettingAllowSignUpName.String(),
 		})
 		if err != nil {
@@ -321,7 +321,7 @@ func (s *APIV1Service) SignUp(c echo.Context) error {
 			return echo.NewHTTPError(http.StatusUnauthorized, "signup is disabled").SetInternal(err)
 		}
 
-		disablePasswordLoginSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+		disablePasswordLoginSystemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 			Name: SystemSettingDisablePasswordLoginName.String(),
 		})
 		if err != nil {
diff --git a/api/v1/memo.go b/api/v1/memo.go
index f1a962cd..5be7462a 100644
--- a/api/v1/memo.go
+++ b/api/v1/memo.go
@@ -277,7 +277,7 @@ func (s *APIV1Service) CreateMemo(c echo.Context) error {
 	}
 
 	// Find disable public memos system setting.
-	disablePublicMemosSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+	disablePublicMemosSystemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 		Name: SystemSettingDisablePublicMemosName.String(),
 	})
 	if err != nil {
@@ -714,7 +714,7 @@ func (s *APIV1Service) UpdateMemo(c echo.Context) error {
 		visibility := store.Visibility(patchMemoRequest.Visibility.String())
 		updateMemoMessage.Visibility = &visibility
 		// Find disable public memos system setting.
-		disablePublicMemosSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+		disablePublicMemosSystemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 			Name: SystemSettingDisablePublicMemosName.String(),
 		})
 		if err != nil {
@@ -905,7 +905,7 @@ func (s *APIV1Service) convertMemoFromStore(ctx context.Context, memo *store.Mem
 }
 
 func (s *APIV1Service) getMemoDisplayWithUpdatedTsSettingValue(ctx context.Context) (bool, error) {
-	memoDisplayWithUpdatedTsSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+	memoDisplayWithUpdatedTsSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 		Name: SystemSettingMemoDisplayWithUpdatedTsName.String(),
 	})
 	if err != nil {
diff --git a/api/v1/resource.go b/api/v1/resource.go
index b2434f8d..00f6ebd2 100644
--- a/api/v1/resource.go
+++ b/api/v1/resource.go
@@ -186,7 +186,7 @@ func (s *APIV1Service) UploadResource(c echo.Context) error {
 	}
 
 	// This is the backend default max upload size limit.
-	maxUploadSetting := s.Store.GetSystemSettingValueWithDefault(ctx, SystemSettingMaxUploadSizeMiBName.String(), "32")
+	maxUploadSetting := s.Store.GetWorkspaceSettingWithDefaultValue(ctx, SystemSettingMaxUploadSizeMiBName.String(), "32")
 	var settingMaxUploadSizeBytes int
 	if settingMaxUploadSizeMiB, err := strconv.Atoi(maxUploadSetting); err == nil {
 		settingMaxUploadSizeBytes = settingMaxUploadSizeMiB * MebiByte
@@ -390,7 +390,7 @@ func convertResourceFromStore(resource *store.Resource) *Resource {
 // 2. *LocalStorage*: `create.InternalPath`.
 // 3. Others( external service): `create.ExternalLink`.
 func SaveResourceBlob(ctx context.Context, s *store.Store, create *store.Resource, r io.Reader) error {
-	systemSettingStorageServiceID, err := s.GetSystemSetting(ctx, &store.FindSystemSetting{Name: SystemSettingStorageServiceIDName.String()})
+	systemSettingStorageServiceID, err := s.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{Name: SystemSettingStorageServiceIDName.String()})
 	if err != nil {
 		return errors.Wrap(err, "Failed to find SystemSettingStorageServiceIDName")
 	}
@@ -413,7 +413,7 @@ func SaveResourceBlob(ctx context.Context, s *store.Store, create *store.Resourc
 		return nil
 	} else if storageServiceID == LocalStorage {
 		// `LocalStorage` means save blob into local disk
-		systemSettingLocalStoragePath, err := s.GetSystemSetting(ctx, &store.FindSystemSetting{Name: SystemSettingLocalStoragePathName.String()})
+		systemSettingLocalStoragePath, err := s.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{Name: SystemSettingLocalStoragePathName.String()})
 		if err != nil {
 			return errors.Wrap(err, "Failed to find SystemSettingLocalStoragePathName")
 		}
diff --git a/api/v1/storage.go b/api/v1/storage.go
index 1fc13e04..a18cae5a 100644
--- a/api/v1/storage.go
+++ b/api/v1/storage.go
@@ -209,7 +209,7 @@ func (s *APIV1Service) DeleteStorage(c echo.Context) error {
 		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("storageId"))).SetInternal(err)
 	}
 
-	systemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{Name: SystemSettingStorageServiceIDName.String()})
+	systemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{Name: SystemSettingStorageServiceIDName.String()})
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage").SetInternal(err)
 	}
diff --git a/api/v1/system.go b/api/v1/system.go
index 89513535..d3e0984f 100644
--- a/api/v1/system.go
+++ b/api/v1/system.go
@@ -97,7 +97,7 @@ func (s *APIV1Service) GetSystemStatus(c echo.Context) error {
 		systemStatus.Host = &User{ID: hostUser.ID}
 	}
 
-	systemSettingList, err := s.Store.ListSystemSettings(ctx, &store.FindSystemSetting{})
+	systemSettingList, err := s.Store.ListWorkspaceSettings(ctx, &store.FindWorkspaceSetting{})
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting list").SetInternal(err)
 	}
diff --git a/api/v1/system_setting.go b/api/v1/system_setting.go
index bd05a0cc..7cb79f12 100644
--- a/api/v1/system_setting.go
+++ b/api/v1/system_setting.go
@@ -110,7 +110,7 @@ func (s *APIV1Service) GetSystemSettingList(c echo.Context) error {
 		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
 	}
 
-	list, err := s.Store.ListSystemSettings(ctx, &store.FindSystemSetting{})
+	list, err := s.Store.ListWorkspaceSettings(ctx, &store.FindWorkspaceSetting{})
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting list").SetInternal(err)
 	}
@@ -174,7 +174,7 @@ func (s *APIV1Service) CreateSystemSetting(c echo.Context) error {
 		}
 	}
 
-	systemSetting, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+	systemSetting, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 		Name:        systemSettingUpsert.Name.String(),
 		Value:       systemSettingUpsert.Value,
 		Description: systemSettingUpsert.Description,
@@ -289,7 +289,7 @@ func (upsert UpsertSystemSettingRequest) Validate() error {
 	return nil
 }
 
-func convertSystemSettingFromStore(systemSetting *store.SystemSetting) *SystemSetting {
+func convertSystemSettingFromStore(systemSetting *store.WorkspaceSetting) *SystemSetting {
 	return &SystemSetting{
 		Name:        SystemSettingName(systemSetting.Name),
 		Value:       systemSetting.Value,
diff --git a/api/v2/apidocs.swagger.yaml b/api/v2/apidocs.swagger.yaml
index 71c43d49..a1630073 100644
--- a/api/v2/apidocs.swagger.yaml
+++ b/api/v2/apidocs.swagger.yaml
@@ -18,8 +18,101 @@ consumes:
 produces:
   - application/json
 paths:
+  /api/v2/auth/signin:
+    post:
+      summary: SignIn signs in the user with the given username and password.
+      operationId: AuthService_SignIn
+      responses:
+        "200":
+          description: A successful response.
+          schema:
+            $ref: '#/definitions/v2SignInResponse'
+        default:
+          description: An unexpected error response.
+          schema:
+            $ref: '#/definitions/googlerpcStatus'
+      parameters:
+        - name: username
+          in: query
+          required: false
+          type: string
+        - name: password
+          in: query
+          required: false
+          type: string
+      tags:
+        - AuthService
+  /api/v2/auth/signin/sso:
+    post:
+      summary: SignInWithSSO signs in the user with the given SSO code.
+      operationId: AuthService_SignInWithSSO
+      responses:
+        "200":
+          description: A successful response.
+          schema:
+            $ref: '#/definitions/v2SignInWithSSOResponse'
+        default:
+          description: An unexpected error response.
+          schema:
+            $ref: '#/definitions/googlerpcStatus'
+      parameters:
+        - name: idpId
+          in: query
+          required: false
+          type: integer
+          format: int32
+        - name: code
+          in: query
+          required: false
+          type: string
+        - name: redirectUri
+          in: query
+          required: false
+          type: string
+      tags:
+        - AuthService
+  /api/v2/auth/signout:
+    post:
+      summary: SignOut signs out the user.
+      operationId: AuthService_SignOut
+      responses:
+        "200":
+          description: A successful response.
+          schema:
+            $ref: '#/definitions/v2SignOutResponse'
+        default:
+          description: An unexpected error response.
+          schema:
+            $ref: '#/definitions/googlerpcStatus'
+      tags:
+        - AuthService
+  /api/v2/auth/signup:
+    post:
+      summary: SignUp signs up the user with the given username and password.
+      operationId: AuthService_SignUp
+      responses:
+        "200":
+          description: A successful response.
+          schema:
+            $ref: '#/definitions/v2SignUpResponse'
+        default:
+          description: An unexpected error response.
+          schema:
+            $ref: '#/definitions/googlerpcStatus'
+      parameters:
+        - name: username
+          in: query
+          required: false
+          type: string
+        - name: password
+          in: query
+          required: false
+          type: string
+      tags:
+        - AuthService
   /api/v2/auth/status:
     post:
+      summary: GetAuthStatus returns the current auth status of the user.
       operationId: AuthService_GetAuthStatus
       responses:
         "200":
@@ -1922,6 +2015,23 @@ definitions:
     type: object
   v2SetMemoResourcesResponse:
     type: object
+  v2SignInResponse:
+    type: object
+    properties:
+      user:
+        $ref: '#/definitions/v2User'
+  v2SignInWithSSOResponse:
+    type: object
+    properties:
+      user:
+        $ref: '#/definitions/v2User'
+  v2SignOutResponse:
+    type: object
+  v2SignUpResponse:
+    type: object
+    properties:
+      user:
+        $ref: '#/definitions/v2User'
   v2StrikethroughNode:
     type: object
     properties:
diff --git a/api/v2/memo_service.go b/api/v2/memo_service.go
index ec4939c3..3889dda4 100644
--- a/api/v2/memo_service.go
+++ b/api/v2/memo_service.go
@@ -666,7 +666,7 @@ func (s *APIV2Service) convertMemoFromStore(ctx context.Context, memo *store.Mem
 }
 
 func (s *APIV2Service) getMemoDisplayWithUpdatedTsSettingValue(ctx context.Context) (bool, error) {
-	memoDisplayWithUpdatedTsSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+	memoDisplayWithUpdatedTsSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 		Name: apiv1.SystemSettingMemoDisplayWithUpdatedTsName.String(),
 	})
 	if err != nil {
@@ -684,7 +684,7 @@ func (s *APIV2Service) getMemoDisplayWithUpdatedTsSettingValue(ctx context.Conte
 }
 
 func (s *APIV2Service) getDisablePublicMemosSystemSettingValue(ctx context.Context) (bool, error) {
-	disablePublicMemosSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+	disablePublicMemosSystemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 		Name: apiv1.SystemSettingDisablePublicMemosName.String(),
 	})
 	if err != nil {
diff --git a/api/v2/workspace_service.go b/api/v2/workspace_service.go
index 2b070501..112061d3 100644
--- a/api/v2/workspace_service.go
+++ b/api/v2/workspace_service.go
@@ -37,7 +37,7 @@ func (s *APIV2Service) UpdateWorkspaceProfile(ctx context.Context, request *apiv
 	// Update system settings.
 	for _, field := range request.UpdateMask.Paths {
 		if field == "allow_registration" {
-			_, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+			_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 				Name:  "allow-signup",
 				Value: strconv.FormatBool(request.WorkspaceProfile.AllowRegistration),
 			})
@@ -45,7 +45,7 @@ func (s *APIV2Service) UpdateWorkspaceProfile(ctx context.Context, request *apiv
 				return nil, status.Errorf(codes.Internal, "failed to update allow_registration system setting: %v", err)
 			}
 		} else if field == "disable_password_login" {
-			_, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+			_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 				Name:  "disable-password-login",
 				Value: strconv.FormatBool(request.WorkspaceProfile.DisablePasswordLogin),
 			})
@@ -53,7 +53,7 @@ func (s *APIV2Service) UpdateWorkspaceProfile(ctx context.Context, request *apiv
 				return nil, status.Errorf(codes.Internal, "failed to update disable_password_login system setting: %v", err)
 			}
 		} else if field == "additional_script" {
-			_, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+			_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 				Name:  "additional-script",
 				Value: request.WorkspaceProfile.AdditionalScript,
 			})
@@ -61,7 +61,7 @@ func (s *APIV2Service) UpdateWorkspaceProfile(ctx context.Context, request *apiv
 				return nil, status.Errorf(codes.Internal, "failed to update additional_script system setting: %v", err)
 			}
 		} else if field == "additional_style" {
-			_, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+			_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 				Name:  "additional-style",
 				Value: request.WorkspaceProfile.AdditionalStyle,
 			})
diff --git a/internal/jobs/presign_link.go b/internal/jobs/presign_link.go
index 36c49bc8..b5a80935 100644
--- a/internal/jobs/presign_link.go
+++ b/internal/jobs/presign_link.go
@@ -97,7 +97,7 @@ func signExternalLinks(ctx context.Context, dataStore *store.Store) error {
 // Returns error only in case of internal problems (ie: database or configuration issues).
 // May return nil client and nil error.
 func findObjectStorage(ctx context.Context, dataStore *store.Store) (*s3.Client, error) {
-	systemSettingStorageServiceID, err := dataStore.GetSystemSetting(ctx, &store.FindSystemSetting{Name: apiv1.SystemSettingStorageServiceIDName.String()})
+	systemSettingStorageServiceID, err := dataStore.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{Name: apiv1.SystemSettingStorageServiceIDName.String()})
 	if err != nil {
 		return nil, errors.Wrap(err, "Failed to find SystemSettingStorageServiceIDName")
 	}
diff --git a/proto/api/v2/auth_service.proto b/proto/api/v2/auth_service.proto
index 6fb9dd7d..e3f6443a 100644
--- a/proto/api/v2/auth_service.proto
+++ b/proto/api/v2/auth_service.proto
@@ -8,9 +8,26 @@ import "google/api/annotations.proto";
 option go_package = "gen/api/v2";
 
 service AuthService {
+  // GetAuthStatus returns the current auth status of the user.
   rpc GetAuthStatus(GetAuthStatusRequest) returns (GetAuthStatusResponse) {
     option (google.api.http) = {post: "/api/v2/auth/status"};
   }
+  // SignIn signs in the user with the given username and password.
+  rpc SignIn(SignInRequest) returns (SignInResponse) {
+    option (google.api.http) = {post: "/api/v2/auth/signin"};
+  }
+  // SignInWithSSO signs in the user with the given SSO code.
+  rpc SignInWithSSO(SignInWithSSORequest) returns (SignInWithSSOResponse) {
+    option (google.api.http) = {post: "/api/v2/auth/signin/sso"};
+  }
+  // SignUp signs up the user with the given username and password.
+  rpc SignUp(SignUpRequest) returns (SignUpResponse) {
+    option (google.api.http) = {post: "/api/v2/auth/signup"};
+  }
+  // SignOut signs out the user.
+  rpc SignOut(SignOutRequest) returns (SignOutResponse) {
+    option (google.api.http) = {post: "/api/v2/auth/signout"};
+  }
 }
 
 message GetAuthStatusRequest {}
@@ -18,3 +35,35 @@ message GetAuthStatusRequest {}
 message GetAuthStatusResponse {
   User user = 1;
 }
+
+message SignInRequest {
+  string username = 1;
+  string password = 2;
+}
+
+message SignInResponse {
+  User user = 1;
+}
+
+message SignInWithSSORequest {
+  int32 idp_id = 1;
+  string code = 2;
+  string redirect_uri = 3;
+}
+
+message SignInWithSSOResponse {
+  User user = 1;
+}
+
+message SignUpRequest {
+  string username = 1;
+  string password = 2;
+}
+
+message SignUpResponse {
+  User user = 1;
+}
+
+message SignOutRequest {}
+
+message SignOutResponse {}
diff --git a/proto/gen/api/v2/README.md b/proto/gen/api/v2/README.md
index 22077041..028790bc 100644
--- a/proto/gen/api/v2/README.md
+++ b/proto/gen/api/v2/README.md
@@ -50,6 +50,14 @@
 - [api/v2/auth_service.proto](#api_v2_auth_service-proto)
     - [GetAuthStatusRequest](#memos-api-v2-GetAuthStatusRequest)
     - [GetAuthStatusResponse](#memos-api-v2-GetAuthStatusResponse)
+    - [SignInRequest](#memos-api-v2-SignInRequest)
+    - [SignInResponse](#memos-api-v2-SignInResponse)
+    - [SignInWithSSORequest](#memos-api-v2-SignInWithSSORequest)
+    - [SignInWithSSOResponse](#memos-api-v2-SignInWithSSOResponse)
+    - [SignOutRequest](#memos-api-v2-SignOutRequest)
+    - [SignOutResponse](#memos-api-v2-SignOutResponse)
+    - [SignUpRequest](#memos-api-v2-SignUpRequest)
+    - [SignUpResponse](#memos-api-v2-SignUpResponse)
   
     - [AuthService](#memos-api-v2-AuthService)
   
@@ -804,6 +812,120 @@ Used internally for obfuscating the page token.
 
 
 
+
+<a name="memos-api-v2-SignInRequest"></a>
+
+### SignInRequest
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| username | [string](#string) |  |  |
+| password | [string](#string) |  |  |
+
+
+
+
+
+
+<a name="memos-api-v2-SignInResponse"></a>
+
+### SignInResponse
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| user | [User](#memos-api-v2-User) |  |  |
+
+
+
+
+
+
+<a name="memos-api-v2-SignInWithSSORequest"></a>
+
+### SignInWithSSORequest
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| idp_id | [int32](#int32) |  |  |
+| code | [string](#string) |  |  |
+| redirect_uri | [string](#string) |  |  |
+
+
+
+
+
+
+<a name="memos-api-v2-SignInWithSSOResponse"></a>
+
+### SignInWithSSOResponse
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| user | [User](#memos-api-v2-User) |  |  |
+
+
+
+
+
+
+<a name="memos-api-v2-SignOutRequest"></a>
+
+### SignOutRequest
+
+
+
+
+
+
+
+<a name="memos-api-v2-SignOutResponse"></a>
+
+### SignOutResponse
+
+
+
+
+
+
+
+<a name="memos-api-v2-SignUpRequest"></a>
+
+### SignUpRequest
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| username | [string](#string) |  |  |
+| password | [string](#string) |  |  |
+
+
+
+
+
+
+<a name="memos-api-v2-SignUpResponse"></a>
+
+### SignUpResponse
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| user | [User](#memos-api-v2-User) |  |  |
+
+
+
+
+
  
 
  
@@ -818,7 +940,11 @@ Used internally for obfuscating the page token.
 
 | Method Name | Request Type | Response Type | Description |
 | ----------- | ------------ | ------------- | ------------|
-| GetAuthStatus | [GetAuthStatusRequest](#memos-api-v2-GetAuthStatusRequest) | [GetAuthStatusResponse](#memos-api-v2-GetAuthStatusResponse) |  |
+| GetAuthStatus | [GetAuthStatusRequest](#memos-api-v2-GetAuthStatusRequest) | [GetAuthStatusResponse](#memos-api-v2-GetAuthStatusResponse) | GetAuthStatus returns the current auth status of the user. |
+| SignIn | [SignInRequest](#memos-api-v2-SignInRequest) | [SignInResponse](#memos-api-v2-SignInResponse) | SignIn signs in the user with the given username and password. |
+| SignInWithSSO | [SignInWithSSORequest](#memos-api-v2-SignInWithSSORequest) | [SignInWithSSOResponse](#memos-api-v2-SignInWithSSOResponse) | SignInWithSSO signs in the user with the given SSO code. |
+| SignUp | [SignUpRequest](#memos-api-v2-SignUpRequest) | [SignUpResponse](#memos-api-v2-SignUpResponse) | SignUp signs up the user with the given username and password. |
+| SignOut | [SignOutRequest](#memos-api-v2-SignOutRequest) | [SignOutResponse](#memos-api-v2-SignOutResponse) | SignOut signs out the user. |
 
  
 
diff --git a/proto/gen/api/v2/auth_service.pb.go b/proto/gen/api/v2/auth_service.pb.go
index 458a2e35..c2e054cd 100644
--- a/proto/gen/api/v2/auth_service.pb.go
+++ b/proto/gen/api/v2/auth_service.pb.go
@@ -106,6 +106,396 @@ func (x *GetAuthStatusResponse) GetUser() *User {
 	return nil
 }
 
+type SignInRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
+	Password string `protobuf:"bytes,2,opt,name=password,proto3" json:"password,omitempty"`
+}
+
+func (x *SignInRequest) Reset() {
+	*x = SignInRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_api_v2_auth_service_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignInRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignInRequest) ProtoMessage() {}
+
+func (x *SignInRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_api_v2_auth_service_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignInRequest.ProtoReflect.Descriptor instead.
+func (*SignInRequest) Descriptor() ([]byte, []int) {
+	return file_api_v2_auth_service_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *SignInRequest) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
+func (x *SignInRequest) GetPassword() string {
+	if x != nil {
+		return x.Password
+	}
+	return ""
+}
+
+type SignInResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	User *User `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
+}
+
+func (x *SignInResponse) Reset() {
+	*x = SignInResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_api_v2_auth_service_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignInResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignInResponse) ProtoMessage() {}
+
+func (x *SignInResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_api_v2_auth_service_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignInResponse.ProtoReflect.Descriptor instead.
+func (*SignInResponse) Descriptor() ([]byte, []int) {
+	return file_api_v2_auth_service_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *SignInResponse) GetUser() *User {
+	if x != nil {
+		return x.User
+	}
+	return nil
+}
+
+type SignInWithSSORequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	IdpId       int32  `protobuf:"varint,1,opt,name=idp_id,json=idpId,proto3" json:"idp_id,omitempty"`
+	Code        string `protobuf:"bytes,2,opt,name=code,proto3" json:"code,omitempty"`
+	RedirectUri string `protobuf:"bytes,3,opt,name=redirect_uri,json=redirectUri,proto3" json:"redirect_uri,omitempty"`
+}
+
+func (x *SignInWithSSORequest) Reset() {
+	*x = SignInWithSSORequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_api_v2_auth_service_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignInWithSSORequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignInWithSSORequest) ProtoMessage() {}
+
+func (x *SignInWithSSORequest) ProtoReflect() protoreflect.Message {
+	mi := &file_api_v2_auth_service_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignInWithSSORequest.ProtoReflect.Descriptor instead.
+func (*SignInWithSSORequest) Descriptor() ([]byte, []int) {
+	return file_api_v2_auth_service_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *SignInWithSSORequest) GetIdpId() int32 {
+	if x != nil {
+		return x.IdpId
+	}
+	return 0
+}
+
+func (x *SignInWithSSORequest) GetCode() string {
+	if x != nil {
+		return x.Code
+	}
+	return ""
+}
+
+func (x *SignInWithSSORequest) GetRedirectUri() string {
+	if x != nil {
+		return x.RedirectUri
+	}
+	return ""
+}
+
+type SignInWithSSOResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	User *User `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
+}
+
+func (x *SignInWithSSOResponse) Reset() {
+	*x = SignInWithSSOResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_api_v2_auth_service_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignInWithSSOResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignInWithSSOResponse) ProtoMessage() {}
+
+func (x *SignInWithSSOResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_api_v2_auth_service_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignInWithSSOResponse.ProtoReflect.Descriptor instead.
+func (*SignInWithSSOResponse) Descriptor() ([]byte, []int) {
+	return file_api_v2_auth_service_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *SignInWithSSOResponse) GetUser() *User {
+	if x != nil {
+		return x.User
+	}
+	return nil
+}
+
+type SignUpRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
+	Password string `protobuf:"bytes,2,opt,name=password,proto3" json:"password,omitempty"`
+}
+
+func (x *SignUpRequest) Reset() {
+	*x = SignUpRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_api_v2_auth_service_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignUpRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignUpRequest) ProtoMessage() {}
+
+func (x *SignUpRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_api_v2_auth_service_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignUpRequest.ProtoReflect.Descriptor instead.
+func (*SignUpRequest) Descriptor() ([]byte, []int) {
+	return file_api_v2_auth_service_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *SignUpRequest) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
+func (x *SignUpRequest) GetPassword() string {
+	if x != nil {
+		return x.Password
+	}
+	return ""
+}
+
+type SignUpResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	User *User `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
+}
+
+func (x *SignUpResponse) Reset() {
+	*x = SignUpResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_api_v2_auth_service_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignUpResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignUpResponse) ProtoMessage() {}
+
+func (x *SignUpResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_api_v2_auth_service_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignUpResponse.ProtoReflect.Descriptor instead.
+func (*SignUpResponse) Descriptor() ([]byte, []int) {
+	return file_api_v2_auth_service_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *SignUpResponse) GetUser() *User {
+	if x != nil {
+		return x.User
+	}
+	return nil
+}
+
+type SignOutRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *SignOutRequest) Reset() {
+	*x = SignOutRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_api_v2_auth_service_proto_msgTypes[8]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignOutRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignOutRequest) ProtoMessage() {}
+
+func (x *SignOutRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_api_v2_auth_service_proto_msgTypes[8]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignOutRequest.ProtoReflect.Descriptor instead.
+func (*SignOutRequest) Descriptor() ([]byte, []int) {
+	return file_api_v2_auth_service_proto_rawDescGZIP(), []int{8}
+}
+
+type SignOutResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *SignOutResponse) Reset() {
+	*x = SignOutResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_api_v2_auth_service_proto_msgTypes[9]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignOutResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignOutResponse) ProtoMessage() {}
+
+func (x *SignOutResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_api_v2_auth_service_proto_msgTypes[9]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignOutResponse.ProtoReflect.Descriptor instead.
+func (*SignOutResponse) Descriptor() ([]byte, []int) {
+	return file_api_v2_auth_service_proto_rawDescGZIP(), []int{9}
+}
+
 var File_api_v2_auth_service_proto protoreflect.FileDescriptor
 
 var file_api_v2_auth_service_proto_rawDesc = []byte{
@@ -120,27 +510,82 @@ var file_api_v2_auth_service_proto_rawDesc = []byte{
 	0x74, 0x41, 0x75, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
 	0x6e, 0x73, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
 	0x0b, 0x32, 0x12, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32,
-	0x2e, 0x55, 0x73, 0x65, 0x72, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x32, 0x84, 0x01, 0x0a, 0x0b,
-	0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x75, 0x0a, 0x0d, 0x47,
-	0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x22, 0x2e, 0x6d,
-	0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x47, 0x65, 0x74, 0x41,
-	0x75, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x23, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e,
-	0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x22, 0x13, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x73, 0x74, 0x61, 0x74,
-	0x75, 0x73, 0x42, 0xa8, 0x01, 0x0a, 0x10, 0x63, 0x6f, 0x6d, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73,
-	0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x42, 0x10, 0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72,
-	0x76, 0x69, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x30, 0x67, 0x69, 0x74,
-	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x75, 0x73, 0x65, 0x6d, 0x65, 0x6d, 0x6f, 0x73,
-	0x2f, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x65, 0x6e,
-	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x3b, 0x61, 0x70, 0x69, 0x76, 0x32, 0xa2, 0x02, 0x03,
-	0x4d, 0x41, 0x58, 0xaa, 0x02, 0x0c, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x41, 0x70, 0x69, 0x2e,
-	0x56, 0x32, 0xca, 0x02, 0x0c, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x5c, 0x41, 0x70, 0x69, 0x5c, 0x56,
-	0x32, 0xe2, 0x02, 0x18, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x5c, 0x41, 0x70, 0x69, 0x5c, 0x56, 0x32,
-	0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x0e, 0x4d,
-	0x65, 0x6d, 0x6f, 0x73, 0x3a, 0x3a, 0x41, 0x70, 0x69, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x2e, 0x55, 0x73, 0x65, 0x72, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x22, 0x47, 0x0a, 0x0d, 0x53,
+	0x69, 0x67, 0x6e, 0x49, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08,
+	0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
+	0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73,
+	0x77, 0x6f, 0x72, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73,
+	0x77, 0x6f, 0x72, 0x64, 0x22, 0x38, 0x0a, 0x0e, 0x53, 0x69, 0x67, 0x6e, 0x49, 0x6e, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69,
+	0x2e, 0x76, 0x32, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x22, 0x64,
+	0x0a, 0x14, 0x53, 0x69, 0x67, 0x6e, 0x49, 0x6e, 0x57, 0x69, 0x74, 0x68, 0x53, 0x53, 0x4f, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x15, 0x0a, 0x06, 0x69, 0x64, 0x70, 0x5f, 0x69, 0x64,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x69, 0x64, 0x70, 0x49, 0x64, 0x12, 0x12, 0x0a,
+	0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x63, 0x6f, 0x64,
+	0x65, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x5f, 0x75, 0x72,
+	0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63,
+	0x74, 0x55, 0x72, 0x69, 0x22, 0x3f, 0x0a, 0x15, 0x53, 0x69, 0x67, 0x6e, 0x49, 0x6e, 0x57, 0x69,
+	0x74, 0x68, 0x53, 0x53, 0x4f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x26, 0x0a,
+	0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x6d, 0x65,
+	0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x52,
+	0x04, 0x75, 0x73, 0x65, 0x72, 0x22, 0x47, 0x0a, 0x0d, 0x53, 0x69, 0x67, 0x6e, 0x55, 0x70, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61,
+	0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61,
+	0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0x38,
+	0x0a, 0x0e, 0x53, 0x69, 0x67, 0x6e, 0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x12, 0x26, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12,
+	0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x55, 0x73,
+	0x65, 0x72, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x22, 0x10, 0x0a, 0x0e, 0x53, 0x69, 0x67, 0x6e,
+	0x4f, 0x75, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x11, 0x0a, 0x0f, 0x53, 0x69,
+	0x67, 0x6e, 0x4f, 0x75, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0xa9, 0x04,
+	0x0a, 0x0b, 0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x75, 0x0a,
+	0x0d, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x22,
+	0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x47, 0x65,
+	0x74, 0x41, 0x75, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x23, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76,
+	0x32, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x22,
+	0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x73, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x12, 0x60, 0x0a, 0x06, 0x53, 0x69, 0x67, 0x6e, 0x49, 0x6e, 0x12, 0x1b,
+	0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69,
+	0x67, 0x6e, 0x49, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x6d, 0x65,
+	0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x49,
+	0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x15, 0x22, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f,
+	0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x12, 0x79, 0x0a, 0x0d, 0x53, 0x69, 0x67, 0x6e, 0x49, 0x6e,
+	0x57, 0x69, 0x74, 0x68, 0x53, 0x53, 0x4f, 0x12, 0x22, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e,
+	0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x49, 0x6e, 0x57, 0x69, 0x74,
+	0x68, 0x53, 0x53, 0x4f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x6d, 0x65,
+	0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x49,
+	0x6e, 0x57, 0x69, 0x74, 0x68, 0x53, 0x53, 0x4f, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x1f, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x19, 0x22, 0x17, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76,
+	0x32, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x2f, 0x73, 0x73,
+	0x6f, 0x12, 0x60, 0x0a, 0x06, 0x53, 0x69, 0x67, 0x6e, 0x55, 0x70, 0x12, 0x1b, 0x2e, 0x6d, 0x65,
+	0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x55,
+	0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73,
+	0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x55, 0x70, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x22, 0x13,
+	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x73, 0x69, 0x67,
+	0x6e, 0x75, 0x70, 0x12, 0x64, 0x0a, 0x07, 0x53, 0x69, 0x67, 0x6e, 0x4f, 0x75, 0x74, 0x12, 0x1c,
+	0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69,
+	0x67, 0x6e, 0x4f, 0x75, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6d,
+	0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e,
+	0x4f, 0x75, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1c, 0x82, 0xd3, 0xe4,
+	0x93, 0x02, 0x16, 0x22, 0x14, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x75, 0x74,
+	0x68, 0x2f, 0x73, 0x69, 0x67, 0x6e, 0x6f, 0x75, 0x74, 0x42, 0xa8, 0x01, 0x0a, 0x10, 0x63, 0x6f,
+	0x6d, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x42, 0x10,
+	0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x50, 0x01, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x75,
+	0x73, 0x65, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2f, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2f, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x3b, 0x61,
+	0x70, 0x69, 0x76, 0x32, 0xa2, 0x02, 0x03, 0x4d, 0x41, 0x58, 0xaa, 0x02, 0x0c, 0x4d, 0x65, 0x6d,
+	0x6f, 0x73, 0x2e, 0x41, 0x70, 0x69, 0x2e, 0x56, 0x32, 0xca, 0x02, 0x0c, 0x4d, 0x65, 0x6d, 0x6f,
+	0x73, 0x5c, 0x41, 0x70, 0x69, 0x5c, 0x56, 0x32, 0xe2, 0x02, 0x18, 0x4d, 0x65, 0x6d, 0x6f, 0x73,
+	0x5c, 0x41, 0x70, 0x69, 0x5c, 0x56, 0x32, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64,
+	0x61, 0x74, 0x61, 0xea, 0x02, 0x0e, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x3a, 0x3a, 0x41, 0x70, 0x69,
+	0x3a, 0x3a, 0x56, 0x32, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -155,21 +600,40 @@ func file_api_v2_auth_service_proto_rawDescGZIP() []byte {
 	return file_api_v2_auth_service_proto_rawDescData
 }
 
-var file_api_v2_auth_service_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_api_v2_auth_service_proto_msgTypes = make([]protoimpl.MessageInfo, 10)
 var file_api_v2_auth_service_proto_goTypes = []interface{}{
 	(*GetAuthStatusRequest)(nil),  // 0: memos.api.v2.GetAuthStatusRequest
 	(*GetAuthStatusResponse)(nil), // 1: memos.api.v2.GetAuthStatusResponse
-	(*User)(nil),                  // 2: memos.api.v2.User
+	(*SignInRequest)(nil),         // 2: memos.api.v2.SignInRequest
+	(*SignInResponse)(nil),        // 3: memos.api.v2.SignInResponse
+	(*SignInWithSSORequest)(nil),  // 4: memos.api.v2.SignInWithSSORequest
+	(*SignInWithSSOResponse)(nil), // 5: memos.api.v2.SignInWithSSOResponse
+	(*SignUpRequest)(nil),         // 6: memos.api.v2.SignUpRequest
+	(*SignUpResponse)(nil),        // 7: memos.api.v2.SignUpResponse
+	(*SignOutRequest)(nil),        // 8: memos.api.v2.SignOutRequest
+	(*SignOutResponse)(nil),       // 9: memos.api.v2.SignOutResponse
+	(*User)(nil),                  // 10: memos.api.v2.User
 }
 var file_api_v2_auth_service_proto_depIdxs = []int32{
-	2, // 0: memos.api.v2.GetAuthStatusResponse.user:type_name -> memos.api.v2.User
-	0, // 1: memos.api.v2.AuthService.GetAuthStatus:input_type -> memos.api.v2.GetAuthStatusRequest
-	1, // 2: memos.api.v2.AuthService.GetAuthStatus:output_type -> memos.api.v2.GetAuthStatusResponse
-	2, // [2:3] is the sub-list for method output_type
-	1, // [1:2] is the sub-list for method input_type
-	1, // [1:1] is the sub-list for extension type_name
-	1, // [1:1] is the sub-list for extension extendee
-	0, // [0:1] is the sub-list for field type_name
+	10, // 0: memos.api.v2.GetAuthStatusResponse.user:type_name -> memos.api.v2.User
+	10, // 1: memos.api.v2.SignInResponse.user:type_name -> memos.api.v2.User
+	10, // 2: memos.api.v2.SignInWithSSOResponse.user:type_name -> memos.api.v2.User
+	10, // 3: memos.api.v2.SignUpResponse.user:type_name -> memos.api.v2.User
+	0,  // 4: memos.api.v2.AuthService.GetAuthStatus:input_type -> memos.api.v2.GetAuthStatusRequest
+	2,  // 5: memos.api.v2.AuthService.SignIn:input_type -> memos.api.v2.SignInRequest
+	4,  // 6: memos.api.v2.AuthService.SignInWithSSO:input_type -> memos.api.v2.SignInWithSSORequest
+	6,  // 7: memos.api.v2.AuthService.SignUp:input_type -> memos.api.v2.SignUpRequest
+	8,  // 8: memos.api.v2.AuthService.SignOut:input_type -> memos.api.v2.SignOutRequest
+	1,  // 9: memos.api.v2.AuthService.GetAuthStatus:output_type -> memos.api.v2.GetAuthStatusResponse
+	3,  // 10: memos.api.v2.AuthService.SignIn:output_type -> memos.api.v2.SignInResponse
+	5,  // 11: memos.api.v2.AuthService.SignInWithSSO:output_type -> memos.api.v2.SignInWithSSOResponse
+	7,  // 12: memos.api.v2.AuthService.SignUp:output_type -> memos.api.v2.SignUpResponse
+	9,  // 13: memos.api.v2.AuthService.SignOut:output_type -> memos.api.v2.SignOutResponse
+	9,  // [9:14] is the sub-list for method output_type
+	4,  // [4:9] is the sub-list for method input_type
+	4,  // [4:4] is the sub-list for extension type_name
+	4,  // [4:4] is the sub-list for extension extendee
+	0,  // [0:4] is the sub-list for field type_name
 }
 
 func init() { file_api_v2_auth_service_proto_init() }
@@ -203,6 +667,102 @@ func file_api_v2_auth_service_proto_init() {
 				return nil
 			}
 		}
+		file_api_v2_auth_service_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignInRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_api_v2_auth_service_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignInResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_api_v2_auth_service_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignInWithSSORequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_api_v2_auth_service_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignInWithSSOResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_api_v2_auth_service_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignUpRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_api_v2_auth_service_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignUpResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_api_v2_auth_service_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignOutRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_api_v2_auth_service_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignOutResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -210,7 +770,7 @@ func file_api_v2_auth_service_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_api_v2_auth_service_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   2,
+			NumMessages:   10,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/proto/gen/api/v2/auth_service.pb.gw.go b/proto/gen/api/v2/auth_service.pb.gw.go
index 247a3a5b..f79d1ac8 100644
--- a/proto/gen/api/v2/auth_service.pb.gw.go
+++ b/proto/gen/api/v2/auth_service.pb.gw.go
@@ -49,6 +49,132 @@ func local_request_AuthService_GetAuthStatus_0(ctx context.Context, marshaler ru
 
 }
 
+var (
+	filter_AuthService_SignIn_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
+
+func request_AuthService_SignIn_0(ctx context.Context, marshaler runtime.Marshaler, client AuthServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SignInRequest
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_AuthService_SignIn_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.SignIn(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_AuthService_SignIn_0(ctx context.Context, marshaler runtime.Marshaler, server AuthServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SignInRequest
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_AuthService_SignIn_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.SignIn(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
+var (
+	filter_AuthService_SignInWithSSO_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
+
+func request_AuthService_SignInWithSSO_0(ctx context.Context, marshaler runtime.Marshaler, client AuthServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SignInWithSSORequest
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_AuthService_SignInWithSSO_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.SignInWithSSO(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_AuthService_SignInWithSSO_0(ctx context.Context, marshaler runtime.Marshaler, server AuthServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SignInWithSSORequest
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_AuthService_SignInWithSSO_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.SignInWithSSO(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
+var (
+	filter_AuthService_SignUp_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
+
+func request_AuthService_SignUp_0(ctx context.Context, marshaler runtime.Marshaler, client AuthServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SignUpRequest
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_AuthService_SignUp_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.SignUp(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_AuthService_SignUp_0(ctx context.Context, marshaler runtime.Marshaler, server AuthServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SignUpRequest
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_AuthService_SignUp_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.SignUp(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
+func request_AuthService_SignOut_0(ctx context.Context, marshaler runtime.Marshaler, client AuthServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SignOutRequest
+	var metadata runtime.ServerMetadata
+
+	msg, err := client.SignOut(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_AuthService_SignOut_0(ctx context.Context, marshaler runtime.Marshaler, server AuthServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SignOutRequest
+	var metadata runtime.ServerMetadata
+
+	msg, err := server.SignOut(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 // RegisterAuthServiceHandlerServer registers the http handlers for service AuthService to "mux".
 // UnaryRPC     :call AuthServiceServer directly.
 // StreamingRPC :currently unsupported pending https://github.com/grpc/grpc-go/issues/906.
@@ -80,6 +206,106 @@ func RegisterAuthServiceHandlerServer(ctx context.Context, mux *runtime.ServeMux
 
 	})
 
+	mux.Handle("POST", pattern_AuthService_SignIn_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateIncomingContext(ctx, mux, req, "/memos.api.v2.AuthService/SignIn", runtime.WithHTTPPathPattern("/api/v2/auth/signin"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_AuthService_SignIn_0(annotatedContext, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_SignIn_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AuthService_SignInWithSSO_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateIncomingContext(ctx, mux, req, "/memos.api.v2.AuthService/SignInWithSSO", runtime.WithHTTPPathPattern("/api/v2/auth/signin/sso"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_AuthService_SignInWithSSO_0(annotatedContext, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_SignInWithSSO_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AuthService_SignUp_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateIncomingContext(ctx, mux, req, "/memos.api.v2.AuthService/SignUp", runtime.WithHTTPPathPattern("/api/v2/auth/signup"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_AuthService_SignUp_0(annotatedContext, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_SignUp_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AuthService_SignOut_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateIncomingContext(ctx, mux, req, "/memos.api.v2.AuthService/SignOut", runtime.WithHTTPPathPattern("/api/v2/auth/signout"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_AuthService_SignOut_0(annotatedContext, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_SignOut_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }
 
@@ -143,13 +369,117 @@ func RegisterAuthServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux
 
 	})
 
+	mux.Handle("POST", pattern_AuthService_SignIn_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateContext(ctx, mux, req, "/memos.api.v2.AuthService/SignIn", runtime.WithHTTPPathPattern("/api/v2/auth/signin"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AuthService_SignIn_0(annotatedContext, inboundMarshaler, client, req, pathParams)
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_SignIn_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AuthService_SignInWithSSO_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateContext(ctx, mux, req, "/memos.api.v2.AuthService/SignInWithSSO", runtime.WithHTTPPathPattern("/api/v2/auth/signin/sso"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AuthService_SignInWithSSO_0(annotatedContext, inboundMarshaler, client, req, pathParams)
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_SignInWithSSO_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AuthService_SignUp_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateContext(ctx, mux, req, "/memos.api.v2.AuthService/SignUp", runtime.WithHTTPPathPattern("/api/v2/auth/signup"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AuthService_SignUp_0(annotatedContext, inboundMarshaler, client, req, pathParams)
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_SignUp_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AuthService_SignOut_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateContext(ctx, mux, req, "/memos.api.v2.AuthService/SignOut", runtime.WithHTTPPathPattern("/api/v2/auth/signout"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AuthService_SignOut_0(annotatedContext, inboundMarshaler, client, req, pathParams)
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_SignOut_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }
 
 var (
 	pattern_AuthService_GetAuthStatus_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v2", "auth", "status"}, ""))
+
+	pattern_AuthService_SignIn_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v2", "auth", "signin"}, ""))
+
+	pattern_AuthService_SignInWithSSO_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3, 2, 4}, []string{"api", "v2", "auth", "signin", "sso"}, ""))
+
+	pattern_AuthService_SignUp_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v2", "auth", "signup"}, ""))
+
+	pattern_AuthService_SignOut_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v2", "auth", "signout"}, ""))
 )
 
 var (
 	forward_AuthService_GetAuthStatus_0 = runtime.ForwardResponseMessage
+
+	forward_AuthService_SignIn_0 = runtime.ForwardResponseMessage
+
+	forward_AuthService_SignInWithSSO_0 = runtime.ForwardResponseMessage
+
+	forward_AuthService_SignUp_0 = runtime.ForwardResponseMessage
+
+	forward_AuthService_SignOut_0 = runtime.ForwardResponseMessage
 )
diff --git a/proto/gen/api/v2/auth_service_grpc.pb.go b/proto/gen/api/v2/auth_service_grpc.pb.go
index 7b89669b..5ffe9e7e 100644
--- a/proto/gen/api/v2/auth_service_grpc.pb.go
+++ b/proto/gen/api/v2/auth_service_grpc.pb.go
@@ -20,13 +20,26 @@ const _ = grpc.SupportPackageIsVersion7
 
 const (
 	AuthService_GetAuthStatus_FullMethodName = "/memos.api.v2.AuthService/GetAuthStatus"
+	AuthService_SignIn_FullMethodName        = "/memos.api.v2.AuthService/SignIn"
+	AuthService_SignInWithSSO_FullMethodName = "/memos.api.v2.AuthService/SignInWithSSO"
+	AuthService_SignUp_FullMethodName        = "/memos.api.v2.AuthService/SignUp"
+	AuthService_SignOut_FullMethodName       = "/memos.api.v2.AuthService/SignOut"
 )
 
 // AuthServiceClient is the client API for AuthService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type AuthServiceClient interface {
+	// GetAuthStatus returns the current auth status of the user.
 	GetAuthStatus(ctx context.Context, in *GetAuthStatusRequest, opts ...grpc.CallOption) (*GetAuthStatusResponse, error)
+	// SignIn signs in the user with the given username and password.
+	SignIn(ctx context.Context, in *SignInRequest, opts ...grpc.CallOption) (*SignInResponse, error)
+	// SignInWithSSO signs in the user with the given SSO code.
+	SignInWithSSO(ctx context.Context, in *SignInWithSSORequest, opts ...grpc.CallOption) (*SignInWithSSOResponse, error)
+	// SignUp signs up the user with the given username and password.
+	SignUp(ctx context.Context, in *SignUpRequest, opts ...grpc.CallOption) (*SignUpResponse, error)
+	// SignOut signs out the user.
+	SignOut(ctx context.Context, in *SignOutRequest, opts ...grpc.CallOption) (*SignOutResponse, error)
 }
 
 type authServiceClient struct {
@@ -46,11 +59,56 @@ func (c *authServiceClient) GetAuthStatus(ctx context.Context, in *GetAuthStatus
 	return out, nil
 }
 
+func (c *authServiceClient) SignIn(ctx context.Context, in *SignInRequest, opts ...grpc.CallOption) (*SignInResponse, error) {
+	out := new(SignInResponse)
+	err := c.cc.Invoke(ctx, AuthService_SignIn_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *authServiceClient) SignInWithSSO(ctx context.Context, in *SignInWithSSORequest, opts ...grpc.CallOption) (*SignInWithSSOResponse, error) {
+	out := new(SignInWithSSOResponse)
+	err := c.cc.Invoke(ctx, AuthService_SignInWithSSO_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *authServiceClient) SignUp(ctx context.Context, in *SignUpRequest, opts ...grpc.CallOption) (*SignUpResponse, error) {
+	out := new(SignUpResponse)
+	err := c.cc.Invoke(ctx, AuthService_SignUp_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *authServiceClient) SignOut(ctx context.Context, in *SignOutRequest, opts ...grpc.CallOption) (*SignOutResponse, error) {
+	out := new(SignOutResponse)
+	err := c.cc.Invoke(ctx, AuthService_SignOut_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // AuthServiceServer is the server API for AuthService service.
 // All implementations must embed UnimplementedAuthServiceServer
 // for forward compatibility
 type AuthServiceServer interface {
+	// GetAuthStatus returns the current auth status of the user.
 	GetAuthStatus(context.Context, *GetAuthStatusRequest) (*GetAuthStatusResponse, error)
+	// SignIn signs in the user with the given username and password.
+	SignIn(context.Context, *SignInRequest) (*SignInResponse, error)
+	// SignInWithSSO signs in the user with the given SSO code.
+	SignInWithSSO(context.Context, *SignInWithSSORequest) (*SignInWithSSOResponse, error)
+	// SignUp signs up the user with the given username and password.
+	SignUp(context.Context, *SignUpRequest) (*SignUpResponse, error)
+	// SignOut signs out the user.
+	SignOut(context.Context, *SignOutRequest) (*SignOutResponse, error)
 	mustEmbedUnimplementedAuthServiceServer()
 }
 
@@ -61,6 +119,18 @@ type UnimplementedAuthServiceServer struct {
 func (UnimplementedAuthServiceServer) GetAuthStatus(context.Context, *GetAuthStatusRequest) (*GetAuthStatusResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetAuthStatus not implemented")
 }
+func (UnimplementedAuthServiceServer) SignIn(context.Context, *SignInRequest) (*SignInResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignIn not implemented")
+}
+func (UnimplementedAuthServiceServer) SignInWithSSO(context.Context, *SignInWithSSORequest) (*SignInWithSSOResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignInWithSSO not implemented")
+}
+func (UnimplementedAuthServiceServer) SignUp(context.Context, *SignUpRequest) (*SignUpResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignUp not implemented")
+}
+func (UnimplementedAuthServiceServer) SignOut(context.Context, *SignOutRequest) (*SignOutResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignOut not implemented")
+}
 func (UnimplementedAuthServiceServer) mustEmbedUnimplementedAuthServiceServer() {}
 
 // UnsafeAuthServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -92,6 +162,78 @@ func _AuthService_GetAuthStatus_Handler(srv interface{}, ctx context.Context, de
 	return interceptor(ctx, in, info, handler)
 }
 
+func _AuthService_SignIn_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignInRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServiceServer).SignIn(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: AuthService_SignIn_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServiceServer).SignIn(ctx, req.(*SignInRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _AuthService_SignInWithSSO_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignInWithSSORequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServiceServer).SignInWithSSO(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: AuthService_SignInWithSSO_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServiceServer).SignInWithSSO(ctx, req.(*SignInWithSSORequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _AuthService_SignUp_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignUpRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServiceServer).SignUp(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: AuthService_SignUp_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServiceServer).SignUp(ctx, req.(*SignUpRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _AuthService_SignOut_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignOutRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServiceServer).SignOut(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: AuthService_SignOut_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServiceServer).SignOut(ctx, req.(*SignOutRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // AuthService_ServiceDesc is the grpc.ServiceDesc for AuthService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -103,6 +245,22 @@ var AuthService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetAuthStatus",
 			Handler:    _AuthService_GetAuthStatus_Handler,
 		},
+		{
+			MethodName: "SignIn",
+			Handler:    _AuthService_SignIn_Handler,
+		},
+		{
+			MethodName: "SignInWithSSO",
+			Handler:    _AuthService_SignInWithSSO_Handler,
+		},
+		{
+			MethodName: "SignUp",
+			Handler:    _AuthService_SignUp_Handler,
+		},
+		{
+			MethodName: "SignOut",
+			Handler:    _AuthService_SignOut_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "api/v2/auth_service.proto",
diff --git a/proto/gen/store/README.md b/proto/gen/store/README.md
index 90536cd7..035873c8 100644
--- a/proto/gen/store/README.md
+++ b/proto/gen/store/README.md
@@ -27,7 +27,7 @@
     - [Webhook](#memos-store-Webhook)
   
 - [store/workspace_setting.proto](#store_workspace_setting-proto)
-    - [WorkspaceProfileSetting](#memos-store-WorkspaceProfileSetting)
+    - [WorkspaceGeneralSetting](#memos-store-WorkspaceGeneralSetting)
   
     - [WorkspaceSettingKey](#memos-store-WorkspaceSettingKey)
   
@@ -300,9 +300,9 @@
 
 
 
-<a name="memos-store-WorkspaceProfileSetting"></a>
+<a name="memos-store-WorkspaceGeneralSetting"></a>
 
-### WorkspaceProfileSetting
+### WorkspaceGeneralSetting
 
 
 
@@ -310,6 +310,7 @@
 | ----- | ---- | ----- | ----------- |
 | instance_url | [string](#string) |  |  |
 | disallow_signup | [bool](#bool) |  |  |
+| disallow_password_login | [bool](#bool) |  |  |
 
 
 
@@ -326,7 +327,7 @@
 | Name | Number | Description |
 | ---- | ------ | ----------- |
 | WORKSPACE_SETTING_KEY_UNSPECIFIED | 0 |  |
-| WORKSPACE_SETTING_PROFILE | 1 |  |
+| WORKSPACE_SETTING_GENERAL | 1 |  |
 
 
  
diff --git a/proto/gen/store/workspace_setting.pb.go b/proto/gen/store/workspace_setting.pb.go
index 5496a2b3..1ae1feb2 100644
--- a/proto/gen/store/workspace_setting.pb.go
+++ b/proto/gen/store/workspace_setting.pb.go
@@ -24,18 +24,18 @@ type WorkspaceSettingKey int32
 
 const (
 	WorkspaceSettingKey_WORKSPACE_SETTING_KEY_UNSPECIFIED WorkspaceSettingKey = 0
-	WorkspaceSettingKey_WORKSPACE_SETTING_PROFILE         WorkspaceSettingKey = 1
+	WorkspaceSettingKey_WORKSPACE_SETTING_GENERAL         WorkspaceSettingKey = 1
 )
 
 // Enum value maps for WorkspaceSettingKey.
 var (
 	WorkspaceSettingKey_name = map[int32]string{
 		0: "WORKSPACE_SETTING_KEY_UNSPECIFIED",
-		1: "WORKSPACE_SETTING_PROFILE",
+		1: "WORKSPACE_SETTING_GENERAL",
 	}
 	WorkspaceSettingKey_value = map[string]int32{
 		"WORKSPACE_SETTING_KEY_UNSPECIFIED": 0,
-		"WORKSPACE_SETTING_PROFILE":         1,
+		"WORKSPACE_SETTING_GENERAL":         1,
 	}
 )
 
@@ -66,17 +66,18 @@ func (WorkspaceSettingKey) EnumDescriptor() ([]byte, []int) {
 	return file_store_workspace_setting_proto_rawDescGZIP(), []int{0}
 }
 
-type WorkspaceProfileSetting struct {
+type WorkspaceGeneralSetting struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	InstanceUrl    string `protobuf:"bytes,1,opt,name=instance_url,json=instanceUrl,proto3" json:"instance_url,omitempty"`
-	DisallowSignup bool   `protobuf:"varint,2,opt,name=disallow_signup,json=disallowSignup,proto3" json:"disallow_signup,omitempty"`
+	InstanceUrl           string `protobuf:"bytes,1,opt,name=instance_url,json=instanceUrl,proto3" json:"instance_url,omitempty"`
+	DisallowSignup        bool   `protobuf:"varint,2,opt,name=disallow_signup,json=disallowSignup,proto3" json:"disallow_signup,omitempty"`
+	DisallowPasswordLogin bool   `protobuf:"varint,3,opt,name=disallow_password_login,json=disallowPasswordLogin,proto3" json:"disallow_password_login,omitempty"`
 }
 
-func (x *WorkspaceProfileSetting) Reset() {
-	*x = WorkspaceProfileSetting{}
+func (x *WorkspaceGeneralSetting) Reset() {
+	*x = WorkspaceGeneralSetting{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_store_workspace_setting_proto_msgTypes[0]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -84,13 +85,13 @@ func (x *WorkspaceProfileSetting) Reset() {
 	}
 }
 
-func (x *WorkspaceProfileSetting) String() string {
+func (x *WorkspaceGeneralSetting) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 
-func (*WorkspaceProfileSetting) ProtoMessage() {}
+func (*WorkspaceGeneralSetting) ProtoMessage() {}
 
-func (x *WorkspaceProfileSetting) ProtoReflect() protoreflect.Message {
+func (x *WorkspaceGeneralSetting) ProtoReflect() protoreflect.Message {
 	mi := &file_store_workspace_setting_proto_msgTypes[0]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -102,54 +103,65 @@ func (x *WorkspaceProfileSetting) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }
 
-// Deprecated: Use WorkspaceProfileSetting.ProtoReflect.Descriptor instead.
-func (*WorkspaceProfileSetting) Descriptor() ([]byte, []int) {
+// Deprecated: Use WorkspaceGeneralSetting.ProtoReflect.Descriptor instead.
+func (*WorkspaceGeneralSetting) Descriptor() ([]byte, []int) {
 	return file_store_workspace_setting_proto_rawDescGZIP(), []int{0}
 }
 
-func (x *WorkspaceProfileSetting) GetInstanceUrl() string {
+func (x *WorkspaceGeneralSetting) GetInstanceUrl() string {
 	if x != nil {
 		return x.InstanceUrl
 	}
 	return ""
 }
 
-func (x *WorkspaceProfileSetting) GetDisallowSignup() bool {
+func (x *WorkspaceGeneralSetting) GetDisallowSignup() bool {
 	if x != nil {
 		return x.DisallowSignup
 	}
 	return false
 }
 
+func (x *WorkspaceGeneralSetting) GetDisallowPasswordLogin() bool {
+	if x != nil {
+		return x.DisallowPasswordLogin
+	}
+	return false
+}
+
 var File_store_workspace_setting_proto protoreflect.FileDescriptor
 
 var file_store_workspace_setting_proto_rawDesc = []byte{
 	0x0a, 0x1d, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63,
 	0x65, 0x5f, 0x73, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
-	0x0b, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x22, 0x65, 0x0a, 0x17,
-	0x57, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65,
-	0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61,
-	0x6e, 0x63, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69,
-	0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x55, 0x72, 0x6c, 0x12, 0x27, 0x0a, 0x0f, 0x64, 0x69,
-	0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x75, 0x70, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x0e, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x53, 0x69, 0x67,
-	0x6e, 0x75, 0x70, 0x2a, 0x5b, 0x0a, 0x13, 0x57, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65,
-	0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x21, 0x57, 0x4f,
+	0x0b, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x22, 0x9d, 0x01, 0x0a,
+	0x17, 0x57, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61,
+	0x6c, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x73, 0x74,
+	0x61, 0x6e, 0x63, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b,
+	0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x55, 0x72, 0x6c, 0x12, 0x27, 0x0a, 0x0f, 0x64,
+	0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x75, 0x70, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x53, 0x69,
+	0x67, 0x6e, 0x75, 0x70, 0x12, 0x36, 0x0a, 0x17, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77,
+	0x5f, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x5f, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x15, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x50,
+	0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x2a, 0x5b, 0x0a, 0x13,
+	0x57, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67,
+	0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x21, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x50, 0x41, 0x43, 0x45,
+	0x5f, 0x53, 0x45, 0x54, 0x54, 0x49, 0x4e, 0x47, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x55, 0x4e, 0x53,
+	0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x57, 0x4f,
 	0x52, 0x4b, 0x53, 0x50, 0x41, 0x43, 0x45, 0x5f, 0x53, 0x45, 0x54, 0x54, 0x49, 0x4e, 0x47, 0x5f,
-	0x4b, 0x45, 0x59, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10,
-	0x00, 0x12, 0x1d, 0x0a, 0x19, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x50, 0x41, 0x43, 0x45, 0x5f, 0x53,
-	0x45, 0x54, 0x54, 0x49, 0x4e, 0x47, 0x5f, 0x50, 0x52, 0x4f, 0x46, 0x49, 0x4c, 0x45, 0x10, 0x01,
-	0x42, 0xa0, 0x01, 0x0a, 0x0f, 0x63, 0x6f, 0x6d, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x73,
-	0x74, 0x6f, 0x72, 0x65, 0x42, 0x15, 0x57, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x53,
-	0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x29, 0x67,
-	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x75, 0x73, 0x65, 0x6d, 0x65, 0x6d,
-	0x6f, 0x73, 0x2f, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67,
-	0x65, 0x6e, 0x2f, 0x73, 0x74, 0x6f, 0x72, 0x65, 0xa2, 0x02, 0x03, 0x4d, 0x53, 0x58, 0xaa, 0x02,
-	0x0b, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x53, 0x74, 0x6f, 0x72, 0x65, 0xca, 0x02, 0x0b, 0x4d,
-	0x65, 0x6d, 0x6f, 0x73, 0x5c, 0x53, 0x74, 0x6f, 0x72, 0x65, 0xe2, 0x02, 0x17, 0x4d, 0x65, 0x6d,
-	0x6f, 0x73, 0x5c, 0x53, 0x74, 0x6f, 0x72, 0x65, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61,
-	0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x0c, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x3a, 0x3a, 0x53, 0x74,
-	0x6f, 0x72, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x47, 0x45, 0x4e, 0x45, 0x52, 0x41, 0x4c, 0x10, 0x01, 0x42, 0xa0, 0x01, 0x0a, 0x0f, 0x63, 0x6f,
+	0x6d, 0x2e, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2e, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x42, 0x15, 0x57,
+	0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x50,
+	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
+	0x6f, 0x6d, 0x2f, 0x75, 0x73, 0x65, 0x6d, 0x65, 0x6d, 0x6f, 0x73, 0x2f, 0x6d, 0x65, 0x6d, 0x6f,
+	0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x73, 0x74, 0x6f, 0x72,
+	0x65, 0xa2, 0x02, 0x03, 0x4d, 0x53, 0x58, 0xaa, 0x02, 0x0b, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x2e,
+	0x53, 0x74, 0x6f, 0x72, 0x65, 0xca, 0x02, 0x0b, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x5c, 0x53, 0x74,
+	0x6f, 0x72, 0x65, 0xe2, 0x02, 0x17, 0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x5c, 0x53, 0x74, 0x6f, 0x72,
+	0x65, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x0c,
+	0x4d, 0x65, 0x6d, 0x6f, 0x73, 0x3a, 0x3a, 0x53, 0x74, 0x6f, 0x72, 0x65, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -168,7 +180,7 @@ var file_store_workspace_setting_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
 var file_store_workspace_setting_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
 var file_store_workspace_setting_proto_goTypes = []interface{}{
 	(WorkspaceSettingKey)(0),        // 0: memos.store.WorkspaceSettingKey
-	(*WorkspaceProfileSetting)(nil), // 1: memos.store.WorkspaceProfileSetting
+	(*WorkspaceGeneralSetting)(nil), // 1: memos.store.WorkspaceGeneralSetting
 }
 var file_store_workspace_setting_proto_depIdxs = []int32{
 	0, // [0:0] is the sub-list for method output_type
@@ -185,7 +197,7 @@ func file_store_workspace_setting_proto_init() {
 	}
 	if !protoimpl.UnsafeEnabled {
 		file_store_workspace_setting_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*WorkspaceProfileSetting); i {
+			switch v := v.(*WorkspaceGeneralSetting); i {
 			case 0:
 				return &v.state
 			case 1:
diff --git a/proto/store/workspace_setting.proto b/proto/store/workspace_setting.proto
index 3f19b427..2051c62f 100644
--- a/proto/store/workspace_setting.proto
+++ b/proto/store/workspace_setting.proto
@@ -6,11 +6,13 @@ option go_package = "gen/store";
 
 enum WorkspaceSettingKey {
   WORKSPACE_SETTING_KEY_UNSPECIFIED = 0;
-  WORKSPACE_SETTING_PROFILE = 1;
+  WORKSPACE_SETTING_GENERAL = 1;
 }
 
-message WorkspaceProfileSetting {
+message WorkspaceGeneralSetting {
   string instance_url = 1;
 
   bool disallow_signup = 2;
+
+  bool disallow_password_login = 3;
 }
diff --git a/server/frontend/frontend.go b/server/frontend/frontend.go
index cb04bc8f..22e0ff7a 100644
--- a/server/frontend/frontend.go
+++ b/server/frontend/frontend.go
@@ -81,7 +81,7 @@ func (s *FrontendService) registerRoutes(e *echo.Echo) {
 }
 
 func (s *FrontendService) registerFileRoutes(ctx context.Context, e *echo.Echo) {
-	instanceURLSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+	instanceURLSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 		Name: apiv1.SystemSettingInstanceURLName.String(),
 	})
 	if err != nil || instanceURLSetting == nil {
diff --git a/server/integration/telegram.go b/server/integration/telegram.go
index 3e365068..a1226eee 100644
--- a/server/integration/telegram.go
+++ b/server/integration/telegram.go
@@ -26,7 +26,7 @@ func NewTelegramHandler(store *store.Store) *TelegramHandler {
 }
 
 func (t *TelegramHandler) BotToken(ctx context.Context) string {
-	return t.store.GetSystemSettingValueWithDefault(ctx, apiv1.SystemSettingTelegramBotTokenName.String(), "")
+	return t.store.GetWorkspaceSettingWithDefaultValue(ctx, apiv1.SystemSettingTelegramBotTokenName.String(), "")
 }
 
 const (
diff --git a/server/server.go b/server/server.go
index 5d7ced4f..29acb502 100644
--- a/server/server.go
+++ b/server/server.go
@@ -135,14 +135,14 @@ func (s *Server) GetEcho() *echo.Echo {
 }
 
 func (s *Server) getSystemServerID(ctx context.Context) (string, error) {
-	serverIDSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+	serverIDSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 		Name: apiv1.SystemSettingServerIDName.String(),
 	})
 	if err != nil {
 		return "", err
 	}
 	if serverIDSetting == nil || serverIDSetting.Value == "" {
-		serverIDSetting, err = s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+		serverIDSetting, err = s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 			Name:  apiv1.SystemSettingServerIDName.String(),
 			Value: uuid.NewString(),
 		})
@@ -154,14 +154,14 @@ func (s *Server) getSystemServerID(ctx context.Context) (string, error) {
 }
 
 func (s *Server) getSystemSecretSessionName(ctx context.Context) (string, error) {
-	secretSessionNameValue, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+	secretSessionNameValue, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
 		Name: apiv1.SystemSettingSecretSessionName.String(),
 	})
 	if err != nil {
 		return "", err
 	}
 	if secretSessionNameValue == nil || secretSessionNameValue.Value == "" {
-		secretSessionNameValue, err = s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+		secretSessionNameValue, err = s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 			Name:  apiv1.SystemSettingSecretSessionName.String(),
 			Value: uuid.NewString(),
 		})
diff --git a/store/db/mysql/system_setting.go b/store/db/mysql/workspace_setting.go
similarity index 76%
rename from store/db/mysql/system_setting.go
rename to store/db/mysql/workspace_setting.go
index 08285bff..1f46fea9 100644
--- a/store/db/mysql/system_setting.go
+++ b/store/db/mysql/workspace_setting.go
@@ -7,7 +7,7 @@ import (
 	"github.com/usememos/memos/store"
 )
 
-func (d *DB) UpsertSystemSetting(ctx context.Context, upsert *store.SystemSetting) (*store.SystemSetting, error) {
+func (d *DB) UpsertWorkspaceSetting(ctx context.Context, upsert *store.WorkspaceSetting) (*store.WorkspaceSetting, error) {
 	stmt := "INSERT INTO `system_setting` (`name`, `value`, `description`) VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE `value` = ?, `description` = ?"
 	_, err := d.db.ExecContext(
 		ctx,
@@ -25,7 +25,7 @@ func (d *DB) UpsertSystemSetting(ctx context.Context, upsert *store.SystemSettin
 	return upsert, nil
 }
 
-func (d *DB) ListSystemSettings(ctx context.Context, find *store.FindSystemSetting) ([]*store.SystemSetting, error) {
+func (d *DB) ListWorkspaceSettings(ctx context.Context, find *store.FindWorkspaceSetting) ([]*store.WorkspaceSetting, error) {
 	where, args := []string{"1 = 1"}, []any{}
 	if find.Name != "" {
 		where, args = append(where, "`name` = ?"), append(args, find.Name)
@@ -38,9 +38,9 @@ func (d *DB) ListSystemSettings(ctx context.Context, find *store.FindSystemSetti
 	}
 	defer rows.Close()
 
-	list := []*store.SystemSetting{}
+	list := []*store.WorkspaceSetting{}
 	for rows.Next() {
-		systemSettingMessage := &store.SystemSetting{}
+		systemSettingMessage := &store.WorkspaceSetting{}
 		if err := rows.Scan(
 			&systemSettingMessage.Name,
 			&systemSettingMessage.Value,
diff --git a/store/db/postgres/system_setting.go b/store/db/postgres/workspace_setting.go
similarity index 76%
rename from store/db/postgres/system_setting.go
rename to store/db/postgres/workspace_setting.go
index 8b4281f7..061f30e5 100644
--- a/store/db/postgres/system_setting.go
+++ b/store/db/postgres/workspace_setting.go
@@ -7,7 +7,7 @@ import (
 	"github.com/usememos/memos/store"
 )
 
-func (d *DB) UpsertSystemSetting(ctx context.Context, upsert *store.SystemSetting) (*store.SystemSetting, error) {
+func (d *DB) UpsertWorkspaceSetting(ctx context.Context, upsert *store.WorkspaceSetting) (*store.WorkspaceSetting, error) {
 	stmt := `
 		INSERT INTO system_setting (
 			name, value, description
@@ -25,7 +25,7 @@ func (d *DB) UpsertSystemSetting(ctx context.Context, upsert *store.SystemSettin
 	return upsert, nil
 }
 
-func (d *DB) ListSystemSettings(ctx context.Context, find *store.FindSystemSetting) ([]*store.SystemSetting, error) {
+func (d *DB) ListWorkspaceSettings(ctx context.Context, find *store.FindWorkspaceSetting) ([]*store.WorkspaceSetting, error) {
 	where, args := []string{"1 = 1"}, []any{}
 	if find.Name != "" {
 		where, args = append(where, "name = "+placeholder(len(args)+1)), append(args, find.Name)
@@ -45,9 +45,9 @@ func (d *DB) ListSystemSettings(ctx context.Context, find *store.FindSystemSetti
 	}
 	defer rows.Close()
 
-	list := []*store.SystemSetting{}
+	list := []*store.WorkspaceSetting{}
 	for rows.Next() {
-		systemSettingMessage := &store.SystemSetting{}
+		systemSettingMessage := &store.WorkspaceSetting{}
 		if err := rows.Scan(
 			&systemSettingMessage.Name,
 			&systemSettingMessage.Value,
diff --git a/store/db/sqlite/system_setting.go b/store/db/sqlite/workspace_setting.go
similarity index 76%
rename from store/db/sqlite/system_setting.go
rename to store/db/sqlite/workspace_setting.go
index 95474fa0..f485f1b9 100644
--- a/store/db/sqlite/system_setting.go
+++ b/store/db/sqlite/workspace_setting.go
@@ -7,7 +7,7 @@ import (
 	"github.com/usememos/memos/store"
 )
 
-func (d *DB) UpsertSystemSetting(ctx context.Context, upsert *store.SystemSetting) (*store.SystemSetting, error) {
+func (d *DB) UpsertWorkspaceSetting(ctx context.Context, upsert *store.WorkspaceSetting) (*store.WorkspaceSetting, error) {
 	stmt := `
 		INSERT INTO system_setting (
 			name, value, description
@@ -25,7 +25,7 @@ func (d *DB) UpsertSystemSetting(ctx context.Context, upsert *store.SystemSettin
 	return upsert, nil
 }
 
-func (d *DB) ListSystemSettings(ctx context.Context, find *store.FindSystemSetting) ([]*store.SystemSetting, error) {
+func (d *DB) ListWorkspaceSettings(ctx context.Context, find *store.FindWorkspaceSetting) ([]*store.WorkspaceSetting, error) {
 	where, args := []string{"1 = 1"}, []any{}
 	if find.Name != "" {
 		where, args = append(where, "name = ?"), append(args, find.Name)
@@ -45,9 +45,9 @@ func (d *DB) ListSystemSettings(ctx context.Context, find *store.FindSystemSetti
 	}
 	defer rows.Close()
 
-	list := []*store.SystemSetting{}
+	list := []*store.WorkspaceSetting{}
 	for rows.Next() {
-		systemSettingMessage := &store.SystemSetting{}
+		systemSettingMessage := &store.WorkspaceSetting{}
 		if err := rows.Scan(
 			&systemSettingMessage.Name,
 			&systemSettingMessage.Value,
diff --git a/store/driver.go b/store/driver.go
index 1257f695..ad86a66b 100644
--- a/store/driver.go
+++ b/store/driver.go
@@ -49,9 +49,9 @@ type Driver interface {
 	ListMemoOrganizer(ctx context.Context, find *FindMemoOrganizer) ([]*MemoOrganizer, error)
 	DeleteMemoOrganizer(ctx context.Context, delete *DeleteMemoOrganizer) error
 
-	// SystemSetting model related methods.
-	UpsertSystemSetting(ctx context.Context, upsert *SystemSetting) (*SystemSetting, error)
-	ListSystemSettings(ctx context.Context, find *FindSystemSetting) ([]*SystemSetting, error)
+	// WorkspaceSetting model related methods.
+	UpsertWorkspaceSetting(ctx context.Context, upsert *WorkspaceSetting) (*WorkspaceSetting, error)
+	ListWorkspaceSettings(ctx context.Context, find *FindWorkspaceSetting) ([]*WorkspaceSetting, error)
 
 	// User model related methods.
 	CreateUser(ctx context.Context, create *User) (*User, error)
diff --git a/store/system_setting.go b/store/system_setting.go
deleted file mode 100644
index 9ae3232c..00000000
--- a/store/system_setting.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package store
-
-import (
-	"context"
-)
-
-type SystemSetting struct {
-	Name        string
-	Value       string
-	Description string
-}
-
-type FindSystemSetting struct {
-	Name string
-}
-
-func (s *Store) UpsertSystemSetting(ctx context.Context, upsert *SystemSetting) (*SystemSetting, error) {
-	return s.driver.UpsertSystemSetting(ctx, upsert)
-}
-
-func (s *Store) ListSystemSettings(ctx context.Context, find *FindSystemSetting) ([]*SystemSetting, error) {
-	list, err := s.driver.ListSystemSettings(ctx, find)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, systemSettingMessage := range list {
-		s.systemSettingCache.Store(systemSettingMessage.Name, systemSettingMessage)
-	}
-	return list, nil
-}
-
-func (s *Store) GetSystemSetting(ctx context.Context, find *FindSystemSetting) (*SystemSetting, error) {
-	if find.Name != "" {
-		if cache, ok := s.systemSettingCache.Load(find.Name); ok {
-			return cache.(*SystemSetting), nil
-		}
-	}
-
-	list, err := s.ListSystemSettings(ctx, find)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(list) == 0 {
-		return nil, nil
-	}
-
-	systemSettingMessage := list[0]
-	s.systemSettingCache.Store(systemSettingMessage.Name, systemSettingMessage)
-	return systemSettingMessage, nil
-}
-
-func (s *Store) GetSystemSettingValueWithDefault(ctx context.Context, settingName string, defaultValue string) string {
-	if setting, err := s.GetSystemSetting(ctx, &FindSystemSetting{
-		Name: settingName,
-	}); err == nil && setting != nil {
-		return setting.Value
-	}
-	return defaultValue
-}
diff --git a/store/workspace_setting.go b/store/workspace_setting.go
new file mode 100644
index 00000000..bea19052
--- /dev/null
+++ b/store/workspace_setting.go
@@ -0,0 +1,61 @@
+package store
+
+import (
+	"context"
+)
+
+type WorkspaceSetting struct {
+	Name        string
+	Value       string
+	Description string
+}
+
+type FindWorkspaceSetting struct {
+	Name string
+}
+
+func (s *Store) UpsertWorkspaceSetting(ctx context.Context, upsert *WorkspaceSetting) (*WorkspaceSetting, error) {
+	return s.driver.UpsertWorkspaceSetting(ctx, upsert)
+}
+
+func (s *Store) ListWorkspaceSettings(ctx context.Context, find *FindWorkspaceSetting) ([]*WorkspaceSetting, error) {
+	list, err := s.driver.ListWorkspaceSettings(ctx, find)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, systemSettingMessage := range list {
+		s.systemSettingCache.Store(systemSettingMessage.Name, systemSettingMessage)
+	}
+	return list, nil
+}
+
+func (s *Store) GetWorkspaceSetting(ctx context.Context, find *FindWorkspaceSetting) (*WorkspaceSetting, error) {
+	if find.Name != "" {
+		if cache, ok := s.systemSettingCache.Load(find.Name); ok {
+			return cache.(*WorkspaceSetting), nil
+		}
+	}
+
+	list, err := s.ListWorkspaceSettings(ctx, find)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(list) == 0 {
+		return nil, nil
+	}
+
+	systemSettingMessage := list[0]
+	s.systemSettingCache.Store(systemSettingMessage.Name, systemSettingMessage)
+	return systemSettingMessage, nil
+}
+
+func (s *Store) GetWorkspaceSettingWithDefaultValue(ctx context.Context, settingName string, defaultValue string) string {
+	if setting, err := s.GetWorkspaceSetting(ctx, &FindWorkspaceSetting{
+		Name: settingName,
+	}); err == nil && setting != nil {
+		return setting.Value
+	}
+	return defaultValue
+}
diff --git a/test/store/system_setting_test.go b/test/store/workspace_setting_test.go
similarity index 65%
rename from test/store/system_setting_test.go
rename to test/store/workspace_setting_test.go
index 7f6d18f4..f032ce90 100644
--- a/test/store/system_setting_test.go
+++ b/test/store/workspace_setting_test.go
@@ -10,30 +10,30 @@ import (
 	"github.com/usememos/memos/store"
 )
 
-func TestSystemSettingStore(t *testing.T) {
+func TestWorkspaceSettingStore(t *testing.T) {
 	ctx := context.Background()
 	ts := NewTestingStore(ctx, t)
-	_, err := ts.UpsertSystemSetting(ctx, &store.SystemSetting{
+	_, err := ts.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 		Name:  apiv1.SystemSettingServerIDName.String(),
 		Value: "test_server_id",
 	})
 	require.NoError(t, err)
-	_, err = ts.UpsertSystemSetting(ctx, &store.SystemSetting{
+	_, err = ts.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 		Name:  apiv1.SystemSettingSecretSessionName.String(),
 		Value: "test_secret_session_name",
 	})
 	require.NoError(t, err)
-	_, err = ts.UpsertSystemSetting(ctx, &store.SystemSetting{
+	_, err = ts.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 		Name:  apiv1.SystemSettingAllowSignUpName.String(),
 		Value: "true",
 	})
 	require.NoError(t, err)
-	_, err = ts.UpsertSystemSetting(ctx, &store.SystemSetting{
+	_, err = ts.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
 		Name:  apiv1.SystemSettingLocalStoragePathName.String(),
 		Value: "/tmp/memos",
 	})
 	require.NoError(t, err)
-	list, err := ts.ListSystemSettings(ctx, &store.FindSystemSetting{})
+	list, err := ts.ListWorkspaceSettings(ctx, &store.FindWorkspaceSetting{})
 	require.NoError(t, err)
 	require.Equal(t, 4, len(list))
 	ts.Close()