diff --git a/ms-auth/src/MSAuth.hs b/ms-auth/src/MSAuth.hs
new file mode 100644
index 0000000..d6cabab
--- /dev/null
+++ b/ms-auth/src/MSAuth.hs
@@ -0,0 +1,33 @@
+-- | Functions for implementing Azure AD-based authentication
+--
+-- Both @Auth Code Grant@ (i.e. with browser client interaction) and @App-only@ (i.e. Client Credentials) authentication flows are supported. The former is useful when a user needs to login and delegate some permissions to the application (i.e. accessing personal data), whereas the second is for server processes and automation accounts.
+module MSAuth (
+  applyDotEnv
+  -- * A App-only flow (server-to-server)
+  , Token
+  , newNoToken
+  , expireToken
+  , readToken
+  , fetchUpdateToken
+  -- ** Default Azure Credential
+  , defaultAzureCredential
+  -- * B Auth code grant flow (interactive)
+  -- ** OAuth endpoints
+  , loginEndpoint
+  , replyEndpoint
+  -- ** In-memory user session
+  , Tokens
+  , newTokens
+  , UserSub
+  , lookupUser
+  , expireUser
+  , tokensToList
+  -- * Scotty misc
+  -- ** Azure App Service
+  , withAADUser
+  , Scotty
+  , Action
+              ) where
+
+import Network.OAuth2.Session
+import DotEnv (applyDotEnv)