
App Auth (End-Users)

How end-users sign in to your generated apps. Three first-class methods: Google Sign-In, email + password, and magic link. Same session model across all of them.

Auth Methods

Your generated app can authenticate end-users with any combination of:

Google Sign-In

Zero-config OAuth flow. Fastest for users who already have a Google account.

Email + Password

Classic signup / login with bcrypt-hashed passwords. OTP confirms email before account is created.

Magic Link

Passwordless. User receives an email with a one-time link that signs them in.

The AI auto-detects which methods your app needs from your prompt. You can toggle methods on or off in the Services panel and the SDKs re-inject on the next save.

Google Sign-In

GenMB hosts the OAuth client and callback. You do not need to register a project in Google Cloud or copy a client secret.

await window.genmb.auth.signIn()           // opens Google popup, returns when done
const user = window.genmb.auth.getUser()   // { id, email, name, avatarUrl } or null
await window.genmb.auth.signOut()

Email + Password

1. Sign up requested
   User submits email + password. The platform validates password strength, stages a hash in Redis, and emails a 6-digit OTP.

2. OTP verified
   User enters the code. The account is created in appUsers/{appId}~{email} and a session cookie is set.

3. Subsequent logins
   POST email + password; on match, a fresh session cookie is set.

4. Forgot password
   User requests reset; an OTP is emailed; user submits new password + OTP to update the hash.

Signup enumeration is mitigated: reset-request and signup endpoints always return a generic 200 so an attacker cannot use them to discover registered emails.

Magic Link

The simplest UX. User enters an email and clicks the link in the message GenMB sends. The SDK auto-verifies the token on page load via ?magic_token=... and the user is signed in.

await window.genmb.auth.sendMagicLink({ email: 'user@example.com' })
// User clicks email link; redirected back signed in.

SDK Usage

All methods funnel into a unified window.genmb.auth object so your UI code does not need to branch on method:

window.genmb.auth.getUser()             // current user or null
window.genmb.auth.onChange(user => {})  // subscribe to sign-in / sign-out
await window.genmb.auth.signOut()       // works for any method

Combine with RBAC to gate features by role, and with app data to scope records to user.id.
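An added example of UI code written against only the three unified calls above. It is not the GenMB SDK: window.genmb.auth exists only inside a deployed app, so a constructed FakeAuth with the same surface (getUser, onChange, signOut, plus a signIn helper to drive it) is included so the file runs offline. The sample records and their ownerId field are constructed for the example.

```javascript
// Stand-in for window.genmb.auth (assumption for offline use, not the SDK).
class FakeAuth {
  constructor() { this.user = null; this.listeners = []; }
  getUser() { return this.user; }                      // current user or null
  onChange(cb) { this.listeners.push(cb); }            // subscribe to sign-in / sign-out
  async signIn(user = { id: 'u_1', email: 'user@example.com', name: 'Demo User', avatarUrl: null }) {
    this.user = user;
    this.listeners.forEach(cb => cb(user));
  }
  async signOut() {
    this.user = null;
    this.listeners.forEach(cb => cb(null));
  }
}

// Constructed sample app data; ownerId is the assumed field that holds user.id.
const RECORDS = [
  { id: 'r1', ownerId: 'u_1', title: 'mine' },
  { id: 'r2', ownerId: 'u_2', title: 'someone else' },
];

// Records this user may see: only those whose ownerId matches user.id.
function visibleRecords(user, records = RECORDS) {
  return user ? records.filter(r => r.ownerId === user.id) : [];
}

// Derive what the page should show from the auth state. No branching on
// which method signed the user in: the same object comes back either way.
function viewState(user) {
  return {
    signedIn: Boolean(user),
    email: user ? user.email : null,
    records: visibleRecords(user),
  };
}

// Render once from getUser(), then re-render on every change. Subscribing
// matters because getUser() can still be null on page load while the SDK is
// verifying a ?magic_token=... link; onChange fires when that completes.
function bindAuth(auth, render) {
  const paint = user => render(viewState(user));
  paint(auth.getUser());
  auth.onChange(paint);
  return paint;
}

// In a deployed app the real object is used; the FakeAuth above is for tests.
if (typeof window !== 'undefined' && window.genmb) {
  bindAuth(window.genmb.auth, state => console.log('auth state', state));
}
```

The client-side filter in visibleRecords is a display decision only; what actually keeps one user's records away from another is the per-user scoping enforced where the app data is stored, which this snippet does not replace.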

Sessions

Sessions live server-side in appAuthSessions and are referenced from a genmb_auth_session cookie scoped to your app domain. The cookie is HttpOnly and Secure; you cannot read it from JavaScript.

Sessions are scoped per app. A user signed into one of your apps is NOT automatically signed into another, even if they used the same email. This is by design to keep per-app user lists independent.

Limits

  • Magic-link rate limit: 3 sends per email+app per 15-minute window, 10 per IP.
  • OTP TTL: 15 minutes.
  • Staged signup blob TTL: 15 minutes.
  • Origin validation: only your deployed app domain can call the auth endpoints (CORS preflight enforced).
  • Available on all plans, including Free.

FAQs

How is this different from the auth I use to sign into GenMB?
Two separate systems. Platform auth (Google OAuth on genmb.com) is for you, the GenMB user. App auth is for end-users of the apps you generate. App users live in a separate appUsers/{appId}~{email} collection so they never collide with platform users.

Which auth method should I pick?
Magic link is the easiest UX for end-users (no password to remember). Email + password is best when users expect to log in repeatedly from many devices and might re-use a password manager. Google Sign-In is fastest for users who already have a Google account. The AI picks what your prompt implies; you can override in the Services panel.

Can I use more than one method in the same app?
Yes. Methods are additive. An end-user can sign up with email + password and later use Google Sign-In for the same account if their Google email matches.

Where do sessions live?
In a server-side appAuthSessions collection, gated by the genmb_auth_session cookie. The cookie is scoped to your app's domain. Sessions expire automatically; refresh is handled by the SDK.

Are passwords stored safely?
Passwords are hashed with bcrypt before storage; the plaintext never lands in the database. Password validation requires minimum strength before signup is allowed.
