diff --git a/_includes/doc/admin-guide/options/cloud-auth.md b/_includes/doc/admin-guide/options/cloud-auth.md new file mode 100644 index 00000000..f1854e1e --- /dev/null +++ b/_includes/doc/admin-guide/options/cloud-auth.md @@ -0,0 +1,41 @@ +## cloud-auth() + +*Description:* Configures the cloud authentication module for gRPC- and HTTP-based destinations, enabling OAuth2 authentication using the {{ site.product.short_name }} cloud authentication framework. + +The following authentication methods are available: + +### azure() + +The `azure()` option supports the following parameters: +- `app_id` +- `app_secret` +- `monitor` +- `tenant_id` + +### gcp() + +The `gcp()` option supports the following parameters: +- `service_account` + - `audience` + - `key` + - `scope` + - `token_validity_duration` +- `user_managed_service_account` + - `metadata_url` + - `name` + +### oauth2() + +Configures OAuth2 authentication for gRPC-based and http destinations. Tokens are automatically injected into gRPC metadata and HTTP headers for each request. + +The `oauth2()` option supports the following parameters: +- `client_id` +- `client_secret` +- `token_url` +- `scope` +- `auth_method` + - `basic` + - `post_body` +- `authorization_details` +- `refresh_offset` +- `resource` diff --git a/doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md b/doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md index 7db4de4b..b04aa7e3 100644 --- a/doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md +++ b/doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md @@ -20,6 +20,8 @@ Available in {{ site.product.short_name }} 4.5 and later versions. *Description:* This option enables compression in gRPC requests. Currently only deflate-type (similar to gzip) compression is supported. +{% include doc/admin-guide/options/cloud-auth.md %} + ## dataset() | Type:| string| 
diff --git a/doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md b/doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md index 96fc40c9..516613e7 100644 --- a/doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md +++ b/doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md @@ -17,7 +17,11 @@ description: >- To configure {{ site.product.short_name }}, the name of the project, the dataset, the name and schema of the used table are necessary. -The authentication is done through Application Default Credentials. +Authentication can be configured using either Google Application Default Credentials (ADC) or OAuth2 via the `cloud-auth()` framework. + +By default, the destination uses Google Application Default Credentials (GoogleDefaultCredentials). In production environments, a service account with Workload Identity is recommended. + +Alternatively, OAuth2 authentication can be configured explicitly using `cloud-auth(oauth2())`, which injects OAuth2 tokens into gRPC requests. The destination uses `GoogleDefaultCredentials` for authentication, which covers everything listed in as ADC. Within a production environment, use a service account and Workload Identity. @@ -45,4 +49,32 @@ destination d_bigquery { ``` +### Example: BigQuery destination configuration with OAuth2 authentication + +```config +destination d_bigquery_oauth2 { + bigquery( + project("test-project") + dataset("test-dataset") + table("test-table") + + cloud-auth( + oauth2( + client_id("client-id") + client_secret("client-secret") + token_url("https://auth.example.com/token") + scope("https://www.googleapis.com/auth/bigquery") + ) + ) + + schema( + "message" => "${MESSAGE}" + "app" STRING => "${PROGRAM}" + "host" STRING => "${HOST}" + "time" DATETIME => "${ISODATE}" + ) + ); +} +``` + If not specified, the messages are sent with one worker, one message per batch, and without compression. 
diff --git a/doc/_admin-guide/070_Destinations/081_http/000_http_options.md b/doc/_admin-guide/070_Destinations/081_http/000_http_options.md index 1afa4a1f..01606dcb 100644 --- a/doc/_admin-guide/070_Destinations/081_http/000_http_options.md +++ b/doc/_admin-guide/070_Destinations/081_http/000_http_options.md @@ -29,6 +29,9 @@ destination d_http_compressed{ accept-encoding("all")); }; ``` +## azure-auth-header() + +See The Azure auth header plugin. {% include doc/admin-guide/options/batch-bytes.md %} @@ -79,6 +82,8 @@ version 3.18 and later. {% include doc/admin-guide/options/cert-file.md %} +{% include doc/admin-guide/options/cloud-auth.md %} + ## content-compression() | Type:| string| diff --git a/doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md b/doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md index 6b77435a..956ae861 100644 --- a/doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md +++ b/doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md @@ -68,6 +68,8 @@ destination { {% include doc/admin-guide/options/channel-args.md %} +{% include doc/admin-guide/options/cloud-auth.md %} + {% include doc/admin-guide/options/headers-gRPC.md %} {% include doc/admin-guide/options/gRPC-keep-alive.md %} diff --git a/doc/_admin-guide/070_Destinations/125_Loki/README.md b/doc/_admin-guide/070_Destinations/125_Loki/README.md index c2574d33..2c0e897b 100644 --- a/doc/_admin-guide/070_Destinations/125_Loki/README.md +++ b/doc/_admin-guide/070_Destinations/125_Loki/README.md 
@@ -8,7 +8,13 @@ description: >- For more information on the message format, see Grafna Loki HTTP endpoint. --- -### Example: loki() destination configuration +## Authentication + +The `loki()` destination supports OAuth2 authentication using the `cloud-auth()` framework for gRPC-based communication. + +When configured, OAuth2 access tokens are automatically injected into gRPC requests. This follows the same authentication model used by other cloud-enabled destinations. + +## Example: loki() destination configuration ```config loki( @@ -23,3 +29,28 @@ loki( batch-lines(1000) ); ``` + +## Example: loki() destination configuration with OAuth2 authentication + +```config +loki( + url("loki.example.com:443") + + cloud-auth( + oauth2( + client_id("client-id") + client_secret("client-secret") + token_url("https://auth.example.com/token") + scope("loki.write") + ) + ) + + labels( + "app" => "$PROGRAM", + "host" => "$HOST", + ) + + workers(16) + batch-lines(1000) +); +``` diff --git a/doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md b/doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md index e0697f0f..9d12f370 100644 --- a/doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md +++ b/doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md @@ -66,6 +66,8 @@ destination { {% include doc/admin-guide/options/channel-args.md %} +{% include doc/admin-guide/options/cloud-auth.md %} + ## compression() | Type:| boolean|
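
Review bot: In the new file `_includes/doc/admin-guide/options/cloud-auth.md`, the parameters of `azure()`, `gcp()` and `oauth2()` are listed as bare names with no type, default, required/optional status or description, so a reader cannot tell what `monitor`, `resource`, `refresh_offset` or `authorization_details` expect or in what unit. Give each option the same `| Type:|` style table the neighbouring option sections use (for example `## dataset() | Type:| string|`), state which parameters carry credentials (`app_secret`, `client_secret`, `key`), and present `basic` and `post_body` as the accepted values of `auth_method` with the default named, since the nested bullets currently read like sub-parameters. The `oauth2()` paragraph also writes "gRPC-based and http destinations" while the description above it writes "gRPC- and HTTP-based destinations"; use one form.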
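
Review bot: In the first hunk of `045_Google_bigQuery/README.md`, the added paragraph "By default, the destination uses Google Application Default Credentials (GoogleDefaultCredentials). In production environments, a service account with Workload Identity is recommended." repeats the unchanged paragraph that directly follows it ("The destination uses `GoogleDefaultCredentials` for authentication ... use a service account and Workload Identity."). Drop one of the two, or merge them, so the page states the default and the production recommendation once. The surviving text should also say which method wins when `cloud-auth(oauth2())` is set, because "either ... or" does not make clear whether ADC is still attempted.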
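
Review bot: In the second hunk of `045_Google_bigQuery/README.md`, the example puts the credential in the configuration as a literal, `client_secret("client-secret")`, and the surrounding text says nothing about protecting it. Add a sentence after the example noting that the configuration file then contains a secret and should be readable only by the account that runs the service and kept out of version control, and link to whatever mechanism the product documents for keeping secrets out of the file if one exists. The example also mixes naming styles, with underscores in `client_id`, `client_secret` and `token_url` next to hyphens in `cloud-auth`; state in `cloud-auth.md` which spelling is canonical.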
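
Review bot: In the first hunk of `081_http/000_http_options.md`, the new section body "See The Azure auth header plugin." is plain text with no link target, so the reader has nowhere to go; make it a link to the plugin page and lowercase "The". The `## azure-auth-header()` heading is also added directly after the closing code fence with no blank line between them, which some Markdown renderers will not treat as a heading. Since this patch documents `cloud-auth(azure())` for the same destination, the section should say how the two Azure options relate and which one to prefer.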
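
Review bot: In the first hunk of `125_Loki/README.md`, the example heading is changed from `### Example: loki() destination configuration` to `## Example: ...`, while the BigQuery README in this same patch adds its example as `### Example: BigQuery destination configuration with OAuth2 authentication`. Keep the example headings at `###` here as well, under the new `## Authentication` section or a parent section, so the two destination pages produce the same outline. The new Authentication text says the model is "the same authentication model used by other cloud-enabled destinations" without naming or linking any; link to the `cloud-auth()` option section instead.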
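
Review bot: In the second hunk of `125_Loki/README.md`, the OAuth2 example sets `url("loki.example.com:443")` and `cloud-auth(oauth2(...))` but shows no transport-security setting, and the text does not say whether the gRPC channel is encrypted in this configuration. Because the access token is injected into gRPC metadata on every request, the example should either include the option that enables TLS for the channel or state explicitly that the channel is already protected, so that a copied example does not send bearer tokens in clear text. The same literal `client_secret("client-secret")` appears here, so the note about protecting the configuration file applies to this example too.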