diff --git a/backend/files/misc/workflows/actions/security/authenticate.hl b/backend/files/misc/workflows/actions/security/authenticate.hl
new file mode 100644
index 0000000000..4a524df933
--- /dev/null
+++ b/backend/files/misc/workflows/actions/security/authenticate.hl
@@ -0,0 +1,28 @@
+
+/*
+ * Authenticates the user with the specified [username] and [password].
+ *
+ * Returns a JWT Bearer token that can be used for consecutive requests authorizing user according
+ * to his or her roles.
+ */
+.arguments
+   username
+      type:string
+      mandatory:bool:true
+   password
+      type:string
+      mandatory:bool:true
+.icon:shield
+
+// Sanity checking invocation.
+validators.mandatory:x:@.arguments/*/username
+validators.mandatory:x:@.arguments/*/password
+
+// Invokes slot responsible for authenticating caller.
+execute:magic.auth.authenticate
+   username:x:@.arguments/*/username
+   password:x:@.arguments/*/password
+
+// Returning resulting ticket/token to caller.
+yield
+   ticket:x:@execute/*/ticket