diff --git a/docs/cli/models.md b/docs/cli/models.md
index dd2eaae05..5c4f59a87 100644
--- a/docs/cli/models.md
+++ b/docs/cli/models.md
@@ -37,6 +37,9 @@ clawdbot models fallbacks list
 
 ```bash
 clawdbot models auth add
+clawdbot models auth login --provider <id>
 clawdbot models auth setup-token
 clawdbot models auth paste-token
 ```
+`models auth login` runs a provider plugin’s auth flow (OAuth/API key). Use
+`clawdbot plugins list` to see which providers are installed.
diff --git a/docs/concepts/oauth.md b/docs/concepts/oauth.md
index ab89b159f..8b2f54d1d 100644
--- a/docs/concepts/oauth.md
+++ b/docs/concepts/oauth.md
@@ -15,6 +15,13 @@ Clawdbot supports “subscription auth” via OAuth for providers that offer it
 - how we **reuse external CLI tokens** (Claude Code / Codex CLI)
 - how to handle **multiple accounts** (profiles + per-session overrides)
 
+Clawdbot also supports **provider plugins** that ship their own OAuth or API‑key
+flows. Run them via:
+
+```bash
+clawdbot models auth login --provider <id>
+```
+
 ## The token sink (why it exists)
 
 OAuth providers commonly mint a **new refresh token** during login/refresh flows. Some providers (or OAuth clients) can invalidate older refresh tokens when a new one is issued for the same user/app.
diff --git a/docs/plugin.md b/docs/plugin.md
index 4be535625..a137c6b28 100644
--- a/docs/plugin.md
+++ b/docs/plugin.md
@@ -172,6 +172,56 @@ Plugins export either:
 - A function: `(api) => { ... }`
 - An object: `{ id, name, configSchema, register(api) { ... } }`
 
+## Provider plugins (model auth)
+
+Plugins can register **model provider auth** flows so users can run OAuth or
+API-key setup inside Clawdbot (no external scripts needed).
+
+Register a provider via `api.registerProvider(...)`. Each provider exposes one
+or more auth methods (OAuth, API key, device code, etc.). These methods power:
+
+- `clawdbot models auth login --provider <id> [--method <id>]`
+
+Example:
+
+```ts
+api.registerProvider({
+  id: "acme",
+  label: "AcmeAI",
+  auth: [
+    {
+      id: "oauth",
+      label: "OAuth",
+      kind: "oauth",
+      run: async (ctx) => {
+        // Run OAuth flow and return auth profiles.
+        return {
+          profiles: [
+            {
+              profileId: "acme:default",
+              credential: {
+                type: "oauth",
+                provider: "acme",
+                access: "...",
+                refresh: "...",
+                expires: Date.now() + 3600 * 1000,
+              },
+            },
+          ],
+          defaultModel: "acme/opus-1",
+        };
+      },
+    },
+  ],
+});
+```
+
+Notes:
+- `run` receives a `ProviderAuthContext` with `prompter`, `runtime`,
+  `openUrl`, and `oauth.createVpsAwareHandlers` helpers.
+- Return `configPatch` when you need to add default models or provider config.
+- Return `defaultModel` so `--set-default` can update agent defaults.
+
 ### Register a messaging channel
 
 Plugins can register **channel plugins** that behave like built‑in channels