Appearance
WeWeb Auth (Authentication System)
WeWeb Auth is WeWeb’s ready-made Authentication System. It helps you add sign in to your app and manage Users and Roles directly in WeWeb.
What this system supports
- Email-based sign in (when enabled)
- Optional email verification
- Optional “prevent sign up” mode (only admins create users)
- Roles and user management inside WeWeb
- SSO Providers (for example Google or GitHub), configured in
Data & API → Authentication → SSO Providers
INTERFACE WORKFLOW ACTIONS
Flows like password reset, change password, magic links, OTP, and email verification are built with workflow actions in the Interface tab (same place as Sign up / Sign in), not inside Authentication settings. Jump to Interface workflow actions (WeWeb Auth) for direct links to each action’s documentation.
Set up WeWeb Auth
- Go to
Data & API → Authentication. - A) If this is your first time opening the
Authenticationarea, chooseWeWeb Authwhen prompted. - B) If this is not your first time, open
Configuration, clickSwitch authentication system, then selectWeWeb Auth.
- A) If this is your first time opening the
- Configure the setup options:
Enable email providerEnable email verification(Optional)Prevent sign up(Optional)Password minimum lengthReset password token expiration (seconds)
- Click
Continue.
To change your Authentication System later, go to Data & API → Authentication → Configuration, then click Switch authentication system.
Setup options (details)
Enable email provider
Controls whether users can sign in with email (and use email-based actions like sign up, sign in, reset password, and verification emails).
- When to enable: Keep this on if you want any email-based sign in.
- When to disable: Turn this off if you only want users to sign in through SSO Providers (for example Google) and you don’t want email/password or email-based flows.
- What it affects: When this is off, options like
Enable email verification,Prevent sign up, and password settings won’t apply.
Enable email verification
Requires users to verify their email address before they can sign in.
- Default: Off.
- When to enable: Use this when you want to reduce fake sign ups and make sure users own the email address they used.
- What you must set up: Create an Event Trigger workflow for
On email verification requestedto send the verification link. - Dependency: This option only applies when
Enable email provideris on.
Prevent sign up
Stops new users from creating their own account. Only admins (you) can create users.
- When to enable: Use this for internal tools, client portals, or invite-only apps.
- What changes for users: Your app should only show a sign-in experience (not a “create account” flow).
- UI behavior: When this is on,
Password minimum lengthis hidden because users can’t sign up themselves. - Dependency: This option only applies when
Enable email provideris on.
Password minimum length
Sets the minimum password length for email/password accounts.
- Default: 8.
- When to increase: If you want stronger passwords (for example 10–12).
- Note: This only matters for email/password sign up and password changes.
- Dependency: This option only applies when
Enable email provideris on, and it’s hidden whenPrevent sign upis enabled.
Reset password token expiration (seconds)
How long password reset links stay valid after being requested.
- Default: 3600 seconds (1 hour).
- When to increase: If your users may not open emails quickly (for example, set to 7200 for 2 hours).
- When to decrease: If you want tighter security (shorter time window).
- What you must set up: Create an Event Trigger workflow for
On password reset requestedto send the reset link. - Dependency: This option only applies when
Enable email provideris on.
Configure SSO Providers (optional)
If you want users to sign in with a third-party account (for example Google), enable the provider in:
Data & API → Authentication → SSO Providers
Each provider requires its own keys and allowed URLs in the provider dashboard. Use the provider’s setup guide to avoid redirect URL errors.
Important: set up the email/SMS workflows
WeWeb Auth can trigger events when it needs you to send a message to the user (for example a magic link or a one-time password). You should handle these with Event Triggers:
- Go to
Data & API → Workflows. - Create Event Trigger workflows for the WeWeb Auth events you use, such as:
On magic link requested(Send a magic link email)On OTP requested(Send the code by email or SMS)On email verification requestedOn password reset requested
Each event includes the data you need (for example email, otp, or a url). For the client-side steps (forgot-password form, logged-in password change), use the matching Interface actions—see Interface workflow actions (WeWeb Auth).
Test sign in
- In the
Interfacetab, add a login form or login button. - Use the
Authenticationworkflow actions—see Interface workflow actions (WeWeb Auth) below for every documented action (sign up / sign in, password reset and update password, OTP, verification, magic link, SSO, sign out). - Preview and confirm:
- Sign in works without errors.
- The user appears in
Data & API → Authentication → Users.
For page and API protection, see Users and roles →.
Interface workflow actions (WeWeb Auth)
Add these actions from Interface → Workflows, + Add action, Authentication. The same actions are listed in the documentation navigation under Workflows → Authentication actions (see Intro to workflows →).
Sign up / sign in
- Sign up with email →
- Sign in with email →
- Sign in with social provider →
- Request magic link →
- Sign out →
Password management
- Request password reset → — sends the user into the reset flow (pair with
On password reset requestedEvent Triggers when you send the actual email.) - Update password → — change password for user who already has an active session (for example profile or settings page).
Email verification
OTP (one-time passwords)
Reference
WeWeb Auth panels in Data & API
When WeWeb Auth is selected, you can manage:
UsersRolesSSO Providers