How does gRPC handle authentication?

gRPC supports multiple authentication mechanisms: (1) SSL/TLS — the default for production; encrypt all traffic and optionally authenticate the server using TLS certificates. Use credentials.NewClientTLSFromFile(certFile, "") in Go; (2) Token-based (JWT/OAuth2) — the client sends a token in metadata (authorization: Bearer xxx). gRPC provides a PerRPCCredentials interface that automatically attaches tokens to every call; (3) mTLS (Mutual TLS) — both client and server present certificates, providing bidirectional authentication suitable for service-to-service communication in zero-trust networks; (4) Google token-based — using service account credentials for Google Cloud APIs; (5) Interceptors — server-side unary/stream interceptors validate authentication metadata before passing to handler: func AuthInterceptor(ctx, req, info, handler) { token := metadata.ValueFromIncomingContext(ctx, "authorization"); verify(token); return handler(ctx, req) }.