diff --git a/Gemfile b/Gemfile index 85521327..26b0403a 100644 --- a/Gemfile +++ b/Gemfile @@ -27,6 +27,7 @@ gem 'devise', '~> 4.9', '>= 4.9.2' gem 'devise-encryptable', '~> 0.2.0' gem 'omniauth', '~> 2.1' gem 'omniauth-rails_csrf_protection', '~> 1.0' +gem 'omniauth-oauth2', '~> 1.8' # For pagination UI. gem 'will_paginate', '~> 4.0' diff --git a/Gemfile.lock b/Gemfile.lock index 30025cdc..d369969f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -155,6 +155,10 @@ GEM process-metrics (~> 0.2.0) protocol-rack (~> 0.1) samovar (~> 2.1) + faraday (2.9.0) + faraday-net_http (>= 2.0, < 3.2) + faraday-net_http (3.1.0) + net-http ffi (1.16.3) fiber-annotation (0.2.0) fiber-local (1.0.0) @@ -179,6 +183,8 @@ GEM jsbundling-rails (1.3.0) railties (>= 6.0.0) json (2.7.1) + jwt (2.8.1) + base64 launchy (2.5.2) addressable (~> 2.8) letter_opener (1.9.0) @@ -202,6 +208,8 @@ GEM multi_xml (0.6.0) mutex_m (0.2.0) mysql2 (0.5.6) + net-http (0.4.1) + uri net-imap (0.4.10) date net-protocol @@ -215,10 +223,20 @@ GEM nokogiri (1.16.2) mini_portile2 (~> 2.8.2) racc (~> 1.4) + oauth2 (2.0.9) + faraday (>= 0.17.3, < 3.0) + jwt (>= 1.0, < 3.0) + multi_xml (~> 0.5) + rack (>= 1.2, < 4) + snaky_hash (~> 2.0) + version_gem (~> 1.1) omniauth (2.1.2) hashie (>= 3.4.6) rack (>= 2.2.3) rack-protection + omniauth-oauth2 (1.8.0) + oauth2 (>= 1.4, < 3) + omniauth (~> 2.0) omniauth-rails_csrf_protection (1.0.1) actionpack (>= 4.2) omniauth (~> 2.0) @@ -331,6 +349,9 @@ GEM shell (0.8.1) e2mmap sync + snaky_hash (2.0.1) + hashie + version_gem (~> 1.1, >= 1.1.1) sprockets (4.2.1) concurrent-ruby (~> 1.0) rack (>= 2.2.4, < 4) @@ -358,6 +379,8 @@ GEM railties (>= 6.0.0) tzinfo (2.0.6) concurrent-ruby (~> 1.0) + uri (0.13.0) + version_gem (1.1.3) warden (1.2.9) rack (>= 2.0.9) web-console (4.2.1) @@ -394,6 +417,7 @@ DEPENDENCIES mysql2 (~> 0.5.5) nokogiri (~> 1.15, >= 1.15.3) omniauth (~> 2.1) + omniauth-oauth2 (~> 1.8) omniauth-rails_csrf_protection (~> 1.0) parallel (~> 1.23) rack-attack (~> 6.7) 
diff --git a/app/controllers/devise/omniauth_callbacks_controller.rb b/app/controllers/devise/omniauth_callbacks_controller.rb index 4cc05da7..7192c138 100644 --- a/app/controllers/devise/omniauth_callbacks_controller.rb +++ b/app/controllers/devise/omniauth_callbacks_controller.rb @@ -1,8 +1,9 @@ class Devise::OmniauthCallbacksController < ApplicationController - # See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy - skip_before_action :verify_authenticity_token, only: :developer - - def developer + def neopass render plain: "Success!" end + + def failure + render plain: "Failure" + end end diff --git a/app/models/auth_user.rb b/app/models/auth_user.rb index b68266ea..0dacacfe 100644 --- a/app/models/auth_user.rb +++ b/app/models/auth_user.rb @@ -3,7 +3,7 @@ class AuthUser < AuthRecord devise :database_authenticatable, :encryptable, :registerable, :validatable, :rememberable, :trackable, :recoverable, :omniauthable, - omniauth_providers: [:developer] + omniauth_providers: [:neopass] validates :name, presence: true, uniqueness: {case_sensitive: false}, length: {maximum: 20} diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb index b36b3f1f..e7d04911 100644 --- a/app/views/devise/sessions/new.html.erb +++ b/app/views/devise/sessions/new.html.erb @@ -2,8 +2,8 @@ <% if @can_use_neopass %> <%= button_to "Log in with NeoPass", - auth_user_developer_omniauth_authorize_path, - data: {turbo: false} # important for developer strategy + auth_user_neopass_omniauth_authorize_path, + data: {turbo: false} # Turbo can't handle this redirect! %> <% end %> diff --git a/config/environments/development.rb b/config/environments/development.rb index 11162255..59545ee8 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb 
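Review bot: In app/controllers/devise/omniauth_callbacks_controller.rb the new `failure` action throws away the reason the OAuth flow failed and answers with a 200, so rejected or tampered callbacks leave nothing for whoever monitors logins. OmniAuth records the reason in `request.env["omniauth.error.type"]`; I would log it and return a non-2xx status, e.g. `Rails.logger.warn("NeoPass auth failed: #{request.env["omniauth.error.type"].inspect}")` followed by `render plain: "Failure", status: :unauthorized`. Keep the `.inspect`, because for OAuth2 strategies that value can originate from the callback's `error` query parameter. The `neopass` action renders "Success!" without reading `request.env["omniauth.auth"]`, which looks like a placeholder; a comment such as `# TODO: resolve the AuthUser from omniauth.auth before signing in` would make that explicit.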
@@ -119,4 +119,7 @@ Rails.application.configure do # To see NeoPass features, add ?neopass=1 to relevant pages. config.neopass_access_secret = "1" + + # Use the local NeoPass development server. + config.neopass_origin = "http://localhost:8585" end diff --git a/config/environments/production.rb b/config/environments/production.rb index be3a6aff..eb8dc9ca 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -137,4 +137,7 @@ Rails.application.configure do # To see NeoPass features, add ?neopass= to relevant pages. config.neopass_access_secret = Rails.credentials.neopass.access_secret + + # Use the live NeoPass production server. + config.neopass_origin = "https://oidc.neopets.com" end diff --git a/config/environments/test.rb b/config/environments/test.rb index e1aac422..c43da225 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -74,4 +74,7 @@ Rails.application.configure do # To see NeoPass features, add ?neopass=1 to relevant pages. config.neopass_access_secret = "1" + + # Use the local NeoPass development server. + config.neopass_origin = "http://localhost:8585" end diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 6306b365..19378677 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -1,4 +1,5 @@ # frozen_string_literal: true +require "strategies/neopass" # Assuming you have not yet modified this file, each configuration option below # is set to its default value. Note that some are commented out while others @@ -273,7 +274,7 @@ Devise.setup do |config| # ==> OmniAuth # Add a new OmniAuth provider. Check the wiki for more information on setting # up on your models and hooks. - config.omniauth :developer + config.omniauth :neopass, strategy_class: Strategies::NeoPass # ==> Warden configuration # If you want to use other strategies, that are not supported by Devise, or 
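Review bot: In config/initializers/devise.rb, `config.omniauth :neopass, strategy_class: Strategies::NeoPass` registers the provider with no client ID or secret, so as far as this hunk shows the authorize and token requests would carry no client credentials. When they are added, pass them as the two positional arguments after the provider name and load the secret from encrypted credentials, the way production.rb already reads `Rails.credentials.neopass.access_secret`, rather than committing a literal. A comment above the line saying where the credentials come from in each environment would help the next reader. The `Devise.setup` block starts and ends outside the hunk.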
diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb index 7c1c0c50..0be78463 100644 --- a/config/initializers/inflections.rb +++ b/config/initializers/inflections.rb @@ -15,7 +15,10 @@ # inflect.acronym "RESTful" # end -# Teach Zeitwerk that `RocketAMF` is what to expect in `lib/rocketamf`. ActiveSupport::Inflector.inflections(:en) do |inflect| + # Teach Zeitwerk that `RocketAMF` is what to expect in `lib/rocketamf`. inflect.acronym "RocketAMF" + + # Teach Zeitwerk that "NeoPass" is what to expect in `neopass.rb`. + inflect.acronym "NeoPass" end diff --git a/lib/strategies/neopass.rb b/lib/strategies/neopass.rb new file mode 100644 index 00000000..91cebfbc --- /dev/null +++ b/lib/strategies/neopass.rb @@ -0,0 +1,13 @@ +require "omniauth-oauth2" + +module Strategies + class NeoPass < OmniAuth::Strategies::OAuth2 + option :name, "neopass" + + option :client_options, { + site: Rails.configuration.neopass_origin, + authorize_url: "/oauth2/auth", + token_url: "/oauth2/token", + } + end +end diff --git a/vendor/cache/faraday-2.9.0.gem b/vendor/cache/faraday-2.9.0.gem new file mode 100644 index 00000000..101f5083 Binary files /dev/null and b/vendor/cache/faraday-2.9.0.gem differ diff --git a/vendor/cache/faraday-net_http-3.1.0.gem b/vendor/cache/faraday-net_http-3.1.0.gem new file mode 100644 index 00000000..5719f4b1 Binary files /dev/null and b/vendor/cache/faraday-net_http-3.1.0.gem differ diff --git a/vendor/cache/jwt-2.8.1.gem b/vendor/cache/jwt-2.8.1.gem new file mode 100644 index 00000000..e41a6cd6 Binary files /dev/null and b/vendor/cache/jwt-2.8.1.gem differ diff --git a/vendor/cache/net-http-0.4.1.gem b/vendor/cache/net-http-0.4.1.gem new file mode 100644 index 00000000..90a5a592 Binary files /dev/null and b/vendor/cache/net-http-0.4.1.gem differ diff --git a/vendor/cache/oauth2-2.0.9.gem b/vendor/cache/oauth2-2.0.9.gem new file mode 100644 index 00000000..f875e11d Binary files /dev/null and b/vendor/cache/oauth2-2.0.9.gem differ 
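Review bot: In lib/strategies/neopass.rb the strategy defines only `client_options`, so `omniauth.auth` will carry no `uid` or `info`, and nothing in the class yet ties a callback to a NeoPass identity. Before the callback signs anyone in, add `uid { ... }` and `info { ... }` blocks that take the identity from the token or userinfo response fetched over the back channel; if NeoPass issues ID tokens (the `oidc.` origin suggests it may), check signature, issuer, audience and expiry before trusting any claim. omniauth-oauth2 1.8 also accepts `option :pkce, true`, which is worth enabling if the provider supports it. `site:` is read from `Rails.configuration.neopass_origin` when the class body is evaluated, so a one-line comment noting that the `require` in the Devise initializer relies on the environment config being loaded first would be useful.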
diff --git a/vendor/cache/omniauth-oauth2-1.8.0.gem b/vendor/cache/omniauth-oauth2-1.8.0.gem
new file mode 100644
index 00000000..3e58a53b
Binary files /dev/null and b/vendor/cache/omniauth-oauth2-1.8.0.gem differ
diff --git a/vendor/cache/snaky_hash-2.0.1.gem b/vendor/cache/snaky_hash-2.0.1.gem
new file mode 100644
index 00000000..7f75a853
Binary files /dev/null and b/vendor/cache/snaky_hash-2.0.1.gem differ
diff --git a/vendor/cache/uri-0.13.0.gem b/vendor/cache/uri-0.13.0.gem
new file mode 100644
index 00000000..511d128a
Binary files /dev/null and b/vendor/cache/uri-0.13.0.gem differ
diff --git a/vendor/cache/version_gem-1.1.3.gem b/vendor/cache/version_gem-1.1.3.gem
new file mode 100644
index 00000000..d11edfb4
Binary files /dev/null and b/vendor/cache/version_gem-1.1.3.gem differ