Login Methods
By default, your project starts with password authentication. At any time, you can simply enable or disable password, passwordless, social login, or SSO options within your dashboard — no code modifications needed.
Passwords
A classic login method, passwords are the most common way for users to sign up and log in to your app.
By default, we add extra security for your users by disallowing common passwords. We also protect you from brute-force attacks by limiting the number of failed login attempts.
Our default password policy is that we require >= 8 characters and a password that hasn't been in a previous breach. This (and 2FA available to everyone) matches the NIST recommendation for passwords.
If a user forgets their password, no problem. We handle the password reset flow with hosted pages and transactional emails, both of which are customizable.
Customize Password Requirements
You can customize your password requirements by length as well as the minimum number of uppercase characters, lowercase characters, digits, and special characters. You can also disable our added security of disallowing common passwords.
To customize your password requirements, head to the Signup / Login page and click the cog next to Password Login.
Passwordless / Magic Links
Passwordless authentication allows users to log in without a password. This is done by sending a login link to the user's email address.
We can manage the entire process for you through our hosted login page, including sending the email and verifying the one-time password. By default, the link will expire in 30 minutes.
If you would rather handle it yourself, you can use our API to create a magic link that a user can use to log in. This allows you to customize the expiration and the location the user is redirected to after logging in. Note that this doesn't send the email to the user; it just generates and returns the URL.
If you'd like to send emails from your own domain, check out our transactional emails docs or email us at support@propelauth.com and we'll help get you set up.
Social login / SSO
Social login / SSO allows your users to log in using their existing social network accounts (e.g. Google, GitHub, Microsoft). It makes signing up simpler for your users, as they don't have to remember a password.
Enabling social logins with PropelAuth is a breeze since the majority of the work is done by your hosted authentication pages.
Instructions for enabling social login depend on the specific social network you want to integrate with. Click here for a full list of providers with instructions.
Account Linking
If a user signs up with a social provider after signing up with their email address, their accounts will automatically be linked.
Additionally, if a user creates an account with Google SSO and then later with GitHub, for example, those accounts will be linked if the emails tied to the two match.
2FA
The PropelAuth hosted account page has a 2FA enrollment UI that your users can use to enroll in 2FA, view their backup codes, and disable 2FA. You do not have to write any additional code to provide your users with 2FA. The hosted pages will take care of everything.
You can also allow org owners to require 2FA for their members. Click here for more details.
Enterprise SSO (SAML)
Enterprise SSO (SAML) allows your users to log in using their existing enterprise accounts (e.g. Okta, OneLogin, Entra ID).
It's often a requirement for enterprise customers to use their existing enterprise accounts to log in to your app.
We provide self-service UIs for your customers to set up their own SAML connections. You can read more about PropelAuth's SAML support here.
Restricting Login Methods
If you have multiple login methods enabled but want to show only specific login methods to some users, you can do so via the opt_hint query parameter. For example, if you only want your users to log in via email/password, you can send them to:
{AUTH_URL}?opt_hint=pw
If you want to offer them two login methods, simply add a comma between values:
{AUTH_URL}?opt_hint=pw,pwl
Here is a full list of possible values for the opt_hint query parameter.
- Email/password = pw
- Passwordless = pwl
- SSO = sso
- Google = gl
- GitHub = gh
- Microsoft = ms
- Slack = sl
- LinkedIn = li
- Atlassian = at
- Apple = ap
- Quickbooks = qb
- Salesforce = sf
- Xero = xr
- Salesloft = slf
- Outreach = ot
- OTP = otp
User Login Duration
You can control in your dashboard how long users stay logged in. You can choose between your users staying logged in for a fixed amount of time or having them stay logged in as long as they remain active.
Prefilling the Email Field
If you would like to prefill the email field when redirecting a user to your login page, you can do so by using the e query parameter and base64-encoding the user's email address.
For example, you can redirect them to:
{AUTH_URL}/login?e=dGVzdEBleGFtcGxlLmNvbQ==
This will automatically populate the email field with "test@example.com".
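The following helper, added here as an example and not part of PropelAuth's own SDK, builds the redirect URL described in the two sections above: it restricts the shown login methods via opt_hint (rejecting values that are not in the list on this page) and prefills the email field via the base64-encoded e parameter. The hosted auth URL is a placeholder you replace with your environment's own.

```python
import base64
import re
from urllib.parse import urlencode

# Values accepted by the opt_hint query parameter, as listed on this page.
OPT_HINT_CODES = {
    "pw", "pwl", "sso", "gl", "gh", "ms", "sl", "li", "at", "ap",
    "qb", "sf", "xr", "slf", "ot", "otp",
}

# Minimal shape check before the address is encoded into the redirect.
# Rejecting junk here keeps arbitrary user-controlled strings out of the URL.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def encode_prefill_email(email: str) -> str:
    """Return the base64 value the 'e' query parameter expects."""
    if not _EMAIL_RE.match(email):
        raise ValueError(f"not a plausible email address: {email!r}")
    return base64.b64encode(email.encode("utf-8")).decode("ascii")


def build_login_url(auth_url: str, methods=None, email=None, path=""):
    """Build {AUTH_URL}{path}?opt_hint=...&e=... for redirecting to hosted login.

    auth_url is your environment's hosted auth URL (a placeholder in tests).
    methods is a list of opt_hint codes; unknown codes raise instead of being
    passed through, so a typo cannot silently show the wrong set of methods.
    Note that opt_hint only controls which methods are shown; who may sign up
    is governed by the dashboard settings, not by this parameter.
    """
    params = {}
    if methods:
        unknown = [m for m in methods if m not in OPT_HINT_CODES]
        if unknown:
            raise ValueError(f"unknown opt_hint value(s): {unknown}")
        params["opt_hint"] = ",".join(methods)
    if email is not None:
        params["e"] = encode_prefill_email(email)
    url = auth_url.rstrip("/") + path
    if params:
        # Keep ',' and base64 '=' padding literal so the URL matches the docs;
        # '+' and '/' inside base64 are still percent-encoded, as a query needs.
        url += "?" + urlencode(params, safe="=,")
    return url
```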
Controlling Who Can Signup
PropelAuth offers multiple methods to control who can or cannot access your app. These settings can be found in the settings tab in your Signup / Login page.
Disable Public Signups
For each of your environments you have the ability to enable or disable public signups. If disabled, there will no longer be a signup page for that environment. However, users with the "invite other users" permission can still invite users to their org. You can also invite users manually to your application on the Users page.
Disable Personal Emails
You also have the option to enable or disable signups with personal emails. If disabled, users with common personal email domains (@gmail.com, @yahoo.com, etc.) will not be able to sign up for your app.
Allow or Block Domains from Signup
If you want more control over who can sign up for your app, the allowlist and blocklist feature lets you create a list of domains to either allow access to or restrict from signing up for your project. The list of domains you provide must be pipe-delimited, for example:
example.com | example2.org | example3.gov