diff --git a/_includes/doc/admin-guide/options/cloud-auth.md b/_includes/doc/admin-guide/options/cloud-auth.md new file mode 100644 index 00000000..5426ae95 --- /dev/null +++ b/_includes/doc/admin-guide/options/cloud-auth.md @@ -0,0 +1,15 @@ +## cloud-auth() + +*Description:* Configures cloud-based authentication for the syslog-ng-otlp() destination. This option enables OAuth2 authentication for gRPC connections using the syslog-ng cloud authentication framework. + +The following authentication methods are available: + +### oauth2() + +Configures OAuth2 authentication for gRPC-based destinations. Tokens are automatically injected into gRPC metadata for each request. + +The `oauth2()` option supports the following parameters: +- client_id() +- client_secret() +- token_url() +- scope() \ No newline at end of file diff --git a/doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md b/doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md index 7db4de4b..b04aa7e3 100644 --- a/doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md +++ b/doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md @@ -20,6 +20,8 @@ Available in {{ site.product.short_name }} 4.5 and later versions. *Description:* This option enables compression in gRPC requests. Currently only deflate-type (similar to gzip) compression is supported. +{% include doc/admin-guide/options/cloud-auth.md %} + ## dataset() | Type:| string| diff --git a/doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md b/doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md index 96fc40c9..516613e7 100644 --- a/doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md +++ b/doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md 
@@ -17,7 +17,11 @@ description: >- To configure {{ site.product.short_name }}, the name of the project, the dataset, the name and schema of the used table are necessary. -The authentication is done through Application Default Credentials. +Authentication can be configured using either Google Application Default Credentials (ADC) or OAuth2 via the `cloud-auth()` framework. + +By default, the destination uses Google Application Default Credentials (GoogleDefaultCredentials). In production environments, a service account with Workload Identity is recommended. + +Alternatively, OAuth2 authentication can be configured explicitly using `cloud-auth(oauth2())`, which injects OAuth2 tokens into gRPC requests. The destination uses `GoogleDefaultCredentials` for authentication, which covers everything listed in as ADC. Within a production environment, use a service account and Workload Identity. @@ -45,4 +49,32 @@ destination d_bigquery { ``` +### Example: BigQuery destination configuration with OAuth2 authentication + +```config +destination d_bigquery_oauth2 { + bigquery( + project("test-project") + dataset("test-dataset") + table("test-table") + + cloud-auth( + oauth2( + client_id("client-id") + client_secret("client-secret") + token_url("https://auth.example.com/token") + scope("https://www.googleapis.com/auth/bigquery") + ) + ) + + schema( + "message" => "${MESSAGE}" + "app" STRING => "${PROGRAM}" + "host" STRING => "${HOST}" + "time" DATETIME => "${ISODATE}" + ) + ); +} +``` + If not specified, the messages are sent with one worker, one message per batch, and without compression. diff --git a/doc/_admin-guide/070_Destinations/081_http/000_http_options.md b/doc/_admin-guide/070_Destinations/081_http/000_http_options.md index 1afa4a1f..94e5af2e 100644 --- a/doc/_admin-guide/070_Destinations/081_http/000_http_options.md +++ b/doc/_admin-guide/070_Destinations/081_http/000_http_options.md 
@@ -79,6 +79,8 @@ version 3.18 and later. {% include doc/admin-guide/options/cert-file.md %} +{% include doc/admin-guide/options/cloud-auth.md %} + ## content-compression() | Type:| string| diff --git a/doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md b/doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md index 6b77435a..956ae861 100644 --- a/doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md +++ b/doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md @@ -68,6 +68,8 @@ destination { {% include doc/admin-guide/options/channel-args.md %} +{% include doc/admin-guide/options/cloud-auth.md %} + {% include doc/admin-guide/options/headers-gRPC.md %} {% include doc/admin-guide/options/gRPC-keep-alive.md %} diff --git a/doc/_admin-guide/070_Destinations/125_Loki/README.md b/doc/_admin-guide/070_Destinations/125_Loki/README.md index c2574d33..2c0e897b 100644 --- a/doc/_admin-guide/070_Destinations/125_Loki/README.md +++ b/doc/_admin-guide/070_Destinations/125_Loki/README.md @@ -8,7 +8,13 @@ description: >- For more information on the message format, see Grafna Loki HTTP endpoint. --- -### Example: loki() destination configuration +## Authentication + +The `loki()` destination supports OAuth2 authentication using the `cloud-auth()` framework for gRPC-based communication. + +When configured, OAuth2 access tokens are automatically injected into gRPC requests. This follows the same authentication model used by other cloud-enabled destinations. + +## Example: loki() destination configuration ```config loki( 
@@ -23,3 +29,28 @@ loki( batch-lines(1000) ); ``` + +## Example: loki() destination configuration with OAuth2 authentication + +```config +loki( + url("loki.example.com:443") + + cloud-auth( + oauth2( + client_id("client-id") + client_secret("client-secret") + token_url("https://auth.example.com/token") + scope("loki.write") + ) + ) + + labels( + "app" => "$PROGRAM", + "host" => "$HOST", + ) + + workers(16) + batch-lines(1000) +); +``` diff --git a/doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md b/doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md index e0697f0f..9d12f370 100644 --- a/doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md +++ b/doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md @@ -66,6 +66,8 @@ destination { {% include doc/admin-guide/options/channel-args.md %} +{% include doc/admin-guide/options/cloud-auth.md %} + ## compression() | Type:| boolean| diff --git a/doc/_admin-guide/070_Destinations/315_syslog-otlp/README.md b/doc/_admin-guide/070_Destinations/315_syslog-otlp/README.md index be97670d..cfa7d2ef 100644 --- a/doc/_admin-guide/070_Destinations/315_syslog-otlp/README.md +++ b/doc/_admin-guide/070_Destinations/315_syslog-otlp/README.md @@ -10,6 +10,7 @@ Advantages of using `syslog-ng-otlp()`: * The `workers()` option makes the scaling of the driver flexible. * An integrated application layer acknowledgement is available. * Google service authentication (ADC or ALTS), and improved load balancing are supported. +* The syslog-ng-otlp() destination supports OAuth2 authentication via cloud-auth(oauth2()). ### Example: Configure syslog-ng-otlp() destination on the sender node 
@@ -18,3 +19,21 @@ destination d_syslog_ng_otlp {
 syslog-ng-otlp(url("your-receiver-syslog-ng-instance:4317"));
 };
 ```
+
+### Example: Configure syslog-ng-otlp() destination using OAuth2
+
+```config
+destination d_syslog_ng_otlp {
+ syslog-ng-otlp(
+ url("example.com:443")
+ cloud-auth(
+ oauth2(
+ client_id("client-id")
+ client_secret("client-secret")
+ token_url("https://auth.example.com/token")
+ scope("api-scope")
+ )
+ )
+ );
+};
+```