Managing User Accounts

On the Users page, you can manage user accounts. The Stitch console makes it easy to create test user accounts, delete user accounts, and revoke sessions.

Creating an Email/Password User

In most cases, you do not need to manually create MongoDB Stitch users. If, for example, the Email/Password authentication provider is enabled, users will be prompted to create their own accounts the first time they connect to your Stitch application. For all other authentication providers, the user object is created when an end user authenticates for the first time.

However, for testing and debugging with the Email/Password authentication provider, you can create new users from within the MongoDB Stitch admin console.

Use the following procedure to manually create a new user:

  1. Select Users from the left-side navigation.
  2. Click the Add New User button.
  3. Specify an email address and password for the new user. The Email/Password authentication provider requires passwords to be between 6 and 128 characters long.
  4. Click Create.


You can also create API keys that applications use to connect to your MongoDB Stitch application. While these are not associated with a single user, they are listed in the Users tab. To learn more about API keys, see API Key Authentication.

Deleting or Disabling a User

You may need to disable or completely remove a user from your MongoDB Stitch application. To do so, use the following procedure:

  1. Select Users from the left-hand navigation.
  2. Select either Confirmed or Pending, depending on the current state of the user you wish to delete.
  3. Under the Users tab, find a user in the list and click on the ellipsis (...).
  4. Choose either Disable User or Delete User. Both options invalidate all access tokens and refresh tokens for the user, and the user can no longer log in. Delete User also removes the account from your Stitch application. Users that have not yet been confirmed cannot be disabled, only deleted.


Deleting a user will not automatically delete any data in your MongoDB database that you have associated with that user. For example, if you have a todo_items collection with an "owner_id" field, deleting a user will not automatically delete all of their To-Do items. You will need to manually remove those documents from your database if you want to fully remove all traces of that user.
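
One way to script the cleanup described above, as an added example that is not part of the original documentation. It assumes a PyMongo-style database handle and that "owner_id" stores the user's ID as a string; the OWNED map and the function names are hypothetical.

```python
"""Remove documents still owned by a deleted Stitch user (added example)."""

# Assumption: map of collection name -> field holding the owning user's ID.
# Only todo_items / owner_id comes from the page; extend it for your schema.
OWNED = {"todo_items": "owner_id"}


def owner_filter(field, user_id):
    """Build the query filter for one collection.

    Rejects anything that is not a non-empty string. A None or empty ID
    could match unowned documents, and a dict such as {"$ne": None} would
    be read as a query operator and match nearly every document.
    """
    if not isinstance(user_id, str) or not user_id.strip():
        raise ValueError("user_id must be a non-empty string")
    return {field: user_id}


def purge_user_data(db, user_id, owned=OWNED, dry_run=True):
    """Count (dry_run=True) or delete every document owned by user_id.

    db is a PyMongo-style Database: db[name] returns a collection that
    offers count_documents() and delete_many().
    Returns {collection_name: number_of_documents_matched_or_deleted}.
    """
    # Validate every filter before touching any collection, so a bad ID
    # can never cause a partial delete.
    filters = {name: owner_filter(field, user_id) for name, field in owned.items()}

    report = {}
    for name, flt in filters.items():
        coll = db[name]
        if dry_run:
            report[name] = coll.count_documents(flt)
        else:
            report[name] = coll.delete_many(flt).deleted_count
    return report
```

Run it once with dry_run=True and check the counts before repeating the call with dry_run=False.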

Confirming a User

You must confirm the email address of new Email/Password users before they are permitted to log into MongoDB Stitch. The exact method of confirmation depends upon your provider configuration, but typically involves a handshake process between the user and your application. You can read more about Email/Password user confirmation at Email/Password Confirmation.

Sometimes, however, users are unable to complete the confirmation process. For example:

  • an overzealous spam filter might block Stitch confirmation emails
  • a proxy or web blocker could prevent a user from activating the confirmUser client SDK function via the client application
  • an implementation error could cause the client application’s user confirmation page to fail for specific use cases

To help you work around cases like this, Stitch allows you to manually confirm users. To manually confirm a user from the Stitch UI:

  1. Select Users from the left-hand navigation.
  2. Under the Users tab, select the PENDING button.
  3. Find the user in the list and click on the ellipsis (...).
  4. Select the Confirm User option from the context menu that appears.
  5. If the operation succeeds, the banner at the top of the MongoDB Stitch admin console should display a confirmation message. The user’s User Status changes from Pending Confirmation to Pending User Login.

A manually confirmed user continues to appear in the PENDING user list until they log in to your application for the first time, at which point Stitch moves them into the list of confirmed users and transitions their User Status to confirmed.

Revoking User Sessions

Situations may arise where you need to log a particular user out of all of their sessions, and prevent them from making further requests until they reauthenticate. The MongoDB Stitch admin console makes this a straightforward process.

Use the following procedure to revoke all the sessions for a particular user:

  1. Select Users from the left-side navigation.
  2. Under the Users tab, find a user in the list and click on the ellipsis (...).
  3. Click Revoke all sessions. This invalidates all access tokens and refresh tokens for that user, so they must reauthenticate before making any further requests from any of their sessions.