Navigation

Authenticate a User

On this page

  • Overview
  • Log In
  • Anonymous
  • Email/Password
  • API Key
  • Custom Function
  • Custom JWT
  • Facebook Authentication
  • Google Authentication
  • Apple Authentication
  • Log Out

The Web SDK provides developers with a unified API to authenticate application users for any authentication provider. Users log in by providing authentication credentials for a given authentication provider and the SDK automatically manages authentication tokens and refreshes data for logged in users.

The Anonymous provider allows users to log in to your application with ephemeral accounts that have no associated information.

To log in, create an anonymous credential and pass it to App.logIn():

The email/password authentication provider allows users to log in to your application with an email address and a password.

To log in, create an email/password credential with the user's email address and password and pass it to App.logIn():

The API key authentication provider allows server processes to access your app directly or on behalf of a user.

To log in with an API key, create an API Key credential with a server or user API key and pass it to App.logIn():

The Custom Function authentication provider allows you to handle user authentication by running a function that receives a payload of arbitrary information about a user.

To log in with the custom function provider, create a Custom Function credential with a payload object and pass it to App.logIn():

The Custom JWT authentication provider allows you to handle user authentication with any authentication system that returns a JSON web token.

To log in, create a Custom JWT credential with a JWT from the external system and pass it to App.logIn():

The Facebook authentication provider allows you to authenticate users through a Facebook app using their existing Facebook account. You can use the built-in authentication flow or authenticate with the Facebook SDK.

Important
Enable the Facebook Auth Provider

To log a user in with their existing Facebook account, you must configure and enable the Facebook authentication provider for your application.

Important
Do Not Store Facebook Profile Picture URLs

Facebook profile picture URLs include the user's access token to grant permission to the image. To ensure security, do not store a URL that includes a user's access token. Instead, access the URL directly from the user's metadata fields when you need to fetch the image.

The Realm Web SDK includes methods to handle the OAuth 2.0 process and does not require you to install the Facebook SDK. The built in flow follows three main steps:

  1. You call app.logIn() with a Facebook credential. The credential must specify a URL for your app that is also listed as a redirect URI in the provider configuration.
  2. A new window opens to a Facebook authentication screen and the user authenticates and authorizes your app in that window. Once complete, the new window redirects to the URL specified in the credential.
  3. You call handleAuthRedirect() on the redirected page, which stores the user's Realm access token and closes the window. Your original app window will automatically detect the access token and finish logging the user in.

You can use the official Facebook SDK to handle the user authentication and redirect flow. Once authenticated, the Facebook SDK returns an access token that you can use to finish logging the user in to your app.

The Google authentication provider allows you to authenticate users through a Google project using their existing Google account.

Note
Enable the Google Auth Provider

To authenticate a Google user, you must configure the Google authentication provider.

Logging a Google user in to your Realm app is a two step process:

  1. First, you authenticate the user with Google. You can use a library like Google One Tap for a streamlined experience.
  2. Second, you log the user in to your Realm app with an authentication token returned by Google upon successful user authentication.
Note
Requires OpenID Connect

Google One Tap only supports user authentication through OpenID Connect. To log Google users in to your web app, you must enable OpenID Connect in the authentication provider configuration.

The Realm Web SDK includes methods to handle the OAuth 2.0 process and does not require you to install a Google SDK. The built-in flow follows three main steps:

  1. You call app.logIn() with a Google credential. The credential must specify a URL for your app that is also listed as a redirect URI in the provider configuration.
  2. A new window opens to a Google authentication screen and the user authenticates and authorizes your app in that window. Once complete, the new window redirects to the URL specified in the credential.
  3. You call handleAuthRedirect() on the redirected page, which stores the user's Realm access token and closes the window. Your original app window will automatically detect the access token and finish logging the user in.
Important
Built-In OAuth 2.0 Redirect Limitations for Google

Due to changes in OAuth application verification requirements, the built-in OAuth 2.0 process faces limitations when authenticating Google users. If you use the Google login redirect flow using Realm's redirect flow, a maximum of 100 Google users may authenticate while the app is in development/testing/staging and all users will see an unverified application notification before they authenticate.

To avoid these limitations, we advise that you use an official Google SDK to get a user access token as described above.

The Apple authentication provider allows you to authenticate users through Sign-in With Apple. You can use the built-in authentication flow or authenticate with the Apple SDK.

Note
Enable the Apple Auth Provider

To authenticate an Apple user, you must configure the Apple authentication provider.

The Realm Web SDK includes methods to handle the OAuth 2.0 process and does not require you to install the Apple JS SDK. The built in flow follows three main steps:

  1. You call app.logIn() with an Apple credential. The credential must specify a URL for your app that is also listed as a redirect URI in the provider configuration.
  2. A new window opens to an Apple authentication screen and the user authenticates and authorizes your app in that window. Once complete, the new window redirects to the URL specified in the credential.
  3. You call handleAuthRedirect() on the redirected page, which stores the user's Realm access token and closes the window. Your original app window will automatically detect the access token and finish logging the user in.

You can use the official Sign in with Apple JS SDK to handle the user authentication and redirect flow. Once authenticated, the Apple JS SDK returns an ID token that you can use to finish logging the user in to your app.

Tip

If you get a Login failed error saying that the token contains an invalid number of segments, verify that you're passing a UTF-8-encoded string version of the JWT.

To log any user out, call the User.logOut() on their user instance.

Give Feedback

On this page

  • Overview
  • Log In
  • Anonymous
  • Email/Password
  • API Key
  • Custom Function
  • Custom JWT
  • Facebook Authentication
  • Google Authentication
  • Apple Authentication
  • Log Out