Email & Password

Built-in email/password authentication with no MAU charges.

Captcha Protection

When captcha is enabled, the Sign Up, Sign In, and Password Reset endpoints are automatically protected by Cloudflare Turnstile. All client SDKs handle token acquisition transparently — no code changes needed.

Sign Up

const { user, accessToken, refreshToken } = await client.auth.signUp({
  email: 'user@example.com',
  password: 'securePassword123',
  data: {
    displayName: 'Jane Doe',
    avatarUrl: 'https://example.com/avatar.jpg',
  },
});

Sign In

const { user, accessToken, refreshToken } = await client.auth.signIn({
  email: 'user@example.com',
  password: 'securePassword123',
});

Sign Out

await client.auth.signOut();

Auth State Listener

React to authentication state changes:

client.auth.onAuthStateChange((event, user) => {
  if (event === 'SIGNED_IN') {
    console.log('User signed in:', user.email);
  } else if (event === 'SIGNED_OUT') {
    console.log('User signed out');
  } else if (event === 'TOKEN_REFRESHED') {
    console.log('Token refreshed');
  }
});

Current User

const user = client.auth.currentUser;
// { id, email, displayName, avatarUrl, role, isAnonymous, ... }

Update Profile

await client.auth.updateProfile({
  displayName: 'New Name',
  avatarUrl: 'https://example.com/new-avatar.jpg',
  emailVisibility: 'public', // 'public' | 'private'
});

Change Password

Change the password for the currently signed-in user. Requires the current password for verification. All existing sessions are revoked and new tokens are issued.

const { user, accessToken, refreshToken } = await client.auth.changePassword({
  currentPassword: 'oldPassword123',
  newPassword: 'newSecurePassword456',
});

Session Revocation

After a successful password change, all existing sessions are revoked (other devices are signed out). The SDK automatically updates its stored tokens with the new ones returned in the response.

Requirements:

  • New password must meet password policy requirements (default: at least 8 characters)
  • Current password must be correct
  • User must be signed in with email/password (OAuth-only and anonymous accounts cannot use this method)

Error Responses:

Status  Condition
400     Missing currentPassword or newPassword, or new password shorter than 8 characters
401     Not authenticated, or current password is incorrect
403     Account is OAuth-only or anonymous (no password set)

Email Verification

After sign-up, a verification email is sent. The token expires in 24 hours.

await client.auth.verifyEmail(token);

Password Reset

Request Reset Email

Send a password reset email. The token expires in 1 hour.

await client.auth.requestPasswordReset('user@example.com', {
  redirectUrl: `${window.location.origin}/auth/reset-password`,
  state: 'billing',
});

On the Web SDK, requestPasswordReset() also accepts redirectUrl or redirectTo plus optional state. The clicked email link includes:

  • token
  • type=password-reset
  • state if provided

If you do not pass a request-specific redirect, EdgeBase falls back to email.resetUrl.

If your project sets auth.allowedRedirectUrls, the redirect must match that allowlist.

Reset Password with Token

await client.auth.resetPassword(token, 'newSecurePassword456');
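
A reset landing page has to pull token, type and state out of the clicked link before it calls resetPassword(). The following is an added example, not EdgeBase code: it assumes the three values arrive as query parameters, and STATE_ROUTES, parseResetLink, withoutResetParams and completePasswordReset are hypothetical names.

```javascript
// Added example (not EdgeBase code). Assumption: token, type and state are
// delivered as query parameters on the redirect URL.

// Hypothetical map from accepted `state` values to in-app paths.
const STATE_ROUTES = { billing: '/settings/billing' };

// Validate the clicked link and extract what the reset page needs.
function parseResetLink(href) {
  const params = new URL(href).searchParams;
  if (params.get('type') !== 'password-reset') {
    throw new Error('Not a password reset link');
  }
  const token = params.get('token');
  if (!token) {
    throw new Error('Reset link has no token');
  }
  // `state` round-trips through an email link, so treat it as untrusted:
  // use it only as a lookup key, never as a URL or path to navigate to.
  const state = params.get('state') ?? '';
  const nextPath = Object.hasOwn(STATE_ROUTES, state) ? STATE_ROUTES[state] : '/';
  return { token, nextPath };
}

// Same location with the reset parameters removed. In the browser, pass the
// result to history.replaceState() so the token does not stay in the address
// bar, the history entry, or Referer headers of later requests.
function withoutResetParams(href) {
  const url = new URL(href);
  for (const name of ['token', 'type', 'state']) {
    url.searchParams.delete(name);
  }
  return url.pathname + url.search + url.hash;
}

// Complete the reset and return the path to show afterwards.
async function completePasswordReset(client, href, newPassword) {
  const { token, nextPath } = parseResetLink(href);
  await client.auth.resetPassword(token, newPassword);
  return nextPath;
}
```

In a browser, call completePasswordReset(client, window.location.href, newPassword) from the page served at the redirect URL, after replacing the history entry with withoutResetParams(window.location.href).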

Token Management

EdgeBase SDKs handle token refresh automatically:

  • Access Token — Short-lived (15 min default), sent with every request
  • Refresh Token — Long-lived (28 days default), used to get new access tokens
  • Auto-refresh — SDK automatically refreshes expired access tokens
  • Tab sync — Browser SDK uses BroadcastChannel to prevent multiple tabs from refreshing simultaneously