Email/password authentication

Email/password authentication is WeWeb's native authentication provider. It handles user registration, sign in, password management, and email verification without requiring third-party services. Once enabled, you can use the full range of authentication workflows to build complete sign-up and sign-in flows.

What this provider supports

  • Email and password sign up — Register new users with email, password, and optional profile fields
  • Email and password sign in — Authenticate users with their credentials
  • Magic links — Passwordless authentication via email link
  • One-time passwords (OTP) — Code-based authentication via email for sign in, email verification, and password reset
  • Password management — Reset forgotten passwords and update existing passwords
  • Email verification — Require users to verify their email address before accessing your app
  • Session management — Remember user sessions with configurable expiration (7 days by default)

Setup in WeWeb

Unlike third-party providers, email/password authentication doesn't require external credentials or API keys. You simply enable it and configure verification settings.

1. Enable email/password authentication

  1. In the WeWeb editor, open Data & API → Auth → Integrating providers.
  2. Find the Email provider section and expand it.
  3. Set Enable Email provider to Enable.
  4. Choose whether to enable email verification:
    • Enable email verification — Users must verify their email address before they can sign in (recommended for production apps)
    • Disable email verification — Users can sign in immediately after sign up (useful for development and testing)
  5. Click Save.

Behind the scenes, WeWeb stores these values as environment variables (PROVIDER_EMAIL_ENABLED and PROVIDER_EMAIL_VERIFICATION) and configures your authentication backend.

TIP

Email verification is optional but recommended for production apps to prevent fake accounts and ensure you can contact users.

2. Configure email templates (optional)

When users request password resets, magic links, or email verification, WeWeb fires Event Triggers that you can customize to send emails via your preferred service (Resend, SendGrid, etc.).

To customize these emails, go to Data & API → Workflows → Event triggers and configure the corresponding Event Trigger with your email integration.

Authentication workflows

Email/password authentication provides multiple workflow actions in the Interface tab. Use these to build your sign-up, sign-in, and password management flows.

Sign up with email

Creates a new user account with email and password.

Action: Sign up with email

Fields:

  • Email (Required) — User's email address
  • Password (Required) — User's password (securely hashed on the backend)
  • Display Name (Optional) — User's display name
  • Image (Optional) — URL to user's profile image
  • Callback Page (Optional) — Page to redirect after successful sign up

Example flow:

  1. Add a form with email, password, and name inputs
  2. Add a "Sign up" button
  3. Create a workflow on the button click
  4. Add the Sign up with email action and bind the form fields
  5. Configure success and error handling (for example, redirect to dashboard or show error message)

Sign in with email

Authenticates an existing user with email and password.

Action: Sign in with email

Fields:

  • Email (Required) — User's email address
  • Password (Required) — User's password
  • Remember Me (Optional) — Whether to persist the session (default: false)

Example flow:

  1. Add a form with email and password inputs
  2. Add a "Sign in" button
  3. Create a workflow on the button click
  4. Add the Sign in with email action and bind the form fields
  5. Configure navigation after successful sign in

Request magic link

Sends a passwordless authentication link to the user's email.

Action: Request magic link

Fields:

  • Email (Required) — User's email address
  • Name (Optional) — User's display name (for new users)
  • Redirect Page (Optional) — Page to redirect after magic link authentication
  • New User Redirect Page (Optional) — Page to redirect for first-time users
  • Error Redirect Page (Optional) — Page to redirect if error occurs

Example flow:

  1. Add an email input
  2. Add a "Send magic link" button
  3. Create a workflow that calls Request magic link
  4. Show a success message telling the user to check their email
  5. Configure the On magic link requested Event Trigger to send the email with the magic link URL

Request password reset

Sends a password reset link or OTP to the user's email.

Action: Request password reset

Fields:

  • Email (Required) — User's email address
  • Redirect Page (Optional) — Page to redirect after password reset

Example flow:

  1. Create a "Forgot password?" page with an email input
  2. Add a workflow that calls Request password reset
  3. Show a message confirming the email was sent
  4. Configure the On password reset requested Event Trigger to send the reset email
  5. Create a reset password page that accepts the reset token and calls Update password or Reset password with OTP

Update password

Updates the password for the currently signed-in user.

Action: Update password

Fields:

  • Current Password (Required) — User's current password (for verification)
  • New Password (Required) — User's new password
  • Confirm New Password (Optional) — Confirmation of the new password (validate in your workflow)

Example flow:

  1. Create a password change form in your user settings
  2. Add current password, new password, and confirm password inputs
  3. Add a workflow that validates the passwords match
  4. Call Update password with the validated inputs
  5. Show success or error feedback

One-time passwords (OTP)

Email/password authentication supports OTP codes for multiple flows. The OTP system works in two steps: request a code, then verify the code.

Request code

Sends a one-time password to the user's email.

Action: Request code

Fields:

  • Email (Required) — User's email address
  • OTP Type (Required) — Type of OTP to send:
    • Sign In — For passwordless sign in
    • Email Verification — For verifying email addresses
    • Forget Password — For password reset

Check code validity

Verifies that an OTP code is valid without taking action.

Action: Check code validity

Fields:

  • Email (Required) — User's email address
  • OTP Code (Required) — The code to verify
  • OTP Type (Required) — Must match the type used when requesting the code

Sign in with OTP

Authenticates a user with an OTP code.

Action: Sign in (OTP category)

Fields:

  • Email (Required) — User's email address
  • OTP Code (Required) — The code the user received
  • Disable Sign Up (Optional) — If enabled, prevents automatic registration if the user doesn't exist (default: false)

Verify email with OTP

Verifies a user's email address using an OTP code.

Action: Verify email (OTP category)

Fields:

  • Email (Required) — User's email address
  • OTP Code (Required) — The verification code

Reset password with OTP

Resets a user's password using an OTP code.

Action: Reset password (OTP category)

Fields:

  • Email (Required) — User's email address
  • OTP Code (Required) — The reset code
  • New Password (Required) — The new password

Example OTP flow (password reset):

  1. User enters email on "Forgot password" page
  2. Call Request code with OTP Type set to Forget Password
  3. User receives email with OTP code
  4. Show a form for entering the code and new password
  5. Call Reset password with OTP with the code and new password
  6. Redirect to sign-in page

Send verify email

Sends an email verification link to the user.

Action: Send verify email

Fields:

  • Email (Required) — User's email address
  • Redirect Page (Optional) — Page to redirect after email verification

Example flow:

  1. After sign up, check if email verification is required
  2. Call Send verify email with the user's email
  3. Show a message asking the user to check their email
  4. Configure the On email verification requested Event Trigger to send the verification email

Sign out

Signs out the currently authenticated user.

Action: Sign out

Fields: None

Example flow:

  1. Add a "Sign out" button to your navigation
  2. Create a workflow that calls Sign out
  3. Redirect to your landing or sign-in page

Event triggers

Email/password authentication fires Event Triggers at key points in the authentication lifecycle. You can use these to send emails, update external systems, or perform custom logic.

Available triggers (in Data & API → Workflows → Event triggers):

| Trigger | When it fires | Payload |
| --- | --- | --- |
| On before sign up | Before a new user is created | payload — Sign-up data (email, password, name, etc.) |
| On after sign up | After a new user is created | user — The newly created user object |
| On after sign in | After a user signs in | user — The signed-in user object |
| On password reset requested | When a user requests a password reset | user, url (reset link), token (reset token) |
| On email verification requested | When email verification is required | user, url (verification link), token (verification token) |
| On magic link requested | When a user requests a magic link | email, url (magic link), token (magic link token) |
| On OTP requested | When a user requests an OTP | email, otp (the code), type (sign-in, email-verification, or forget-password) |
| On password updated | After a user's password is changed | user — The user whose password was updated |

Use these triggers to send customized emails via Resend, SendGrid, or other integrations.
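The following sketch turns the trigger payloads listed above into the message handed to an email integration. It is an added example, not WeWeb code: APP_ORIGIN, the trigger keys and the function names are assumptions, and only the payload field names come from the table.

```javascript
// Added example. APP_ORIGIN, the trigger keys and the function names are
// assumptions; payload fields follow the trigger table above.
const APP_ORIGIN = "https://app.example.com"; // placeholder: your app's origin

// Accept only links that point back at the app over HTTPS.
function safeLink(url) {
  const u = new URL(url); // throws on malformed input
  if (u.origin !== APP_ORIGIN) throw new Error(`unexpected link origin: ${u.origin}`);
  return u.href;
}

// OTP type values as listed for the On OTP requested payload.
const OTP_PURPOSE = new Map([
  ["sign-in", "sign in"],
  ["email-verification", "verify your email address"],
  ["forget-password", "reset your password"],
]);

// Build the message for one trigger firing.
function buildAuthEmail(trigger, payload) {
  switch (trigger) {
    case "password-reset-requested":
      return { to: payload.user.email, subject: "Reset your password",
               text: `Reset your password with this link:\n${safeLink(payload.url)}` };
    case "email-verification-requested":
      return { to: payload.user.email, subject: "Verify your email address",
               text: `Confirm your address with this link:\n${safeLink(payload.url)}` };
    case "magic-link-requested":
      return { to: payload.email, subject: "Your sign-in link",
               text: `Sign in with this link:\n${safeLink(payload.url)}` };
    case "otp-requested": {
      const purpose = OTP_PURPOSE.get(payload.type);
      if (!purpose) throw new Error(`unknown OTP type: ${payload.type}`);
      return { to: payload.email, subject: `Your code to ${purpose}`,
               text: `Your one-time code is ${payload.otp}. If you did not request it, ignore this email.` };
    }
    default:
      throw new Error(`unhandled trigger: ${trigger}`);
  }
}

// Copy of a payload with credentials masked, for workflow or integration logs.
function redactForLog(payload) {
  const secret = new Set(["token", "otp", "url", "password"]);
  return Object.fromEntries(
    Object.entries(payload).map(([k, v]) => [k, secret.has(k) ? "[redacted]" : v]));
}
```

The url, token and otp values are sign-in credentials in their own right, so log the output of redactForLog rather than the raw payload.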

Common pitfalls

Email verification not working

If users aren't receiving verification emails:

  • Confirm that email verification is enabled in Data & API → Auth → Integrating providers.
  • Check that you have configured the On email verification requested Event Trigger in Data & API → Workflows → Event triggers.
  • Verify that your email integration (Resend, SendGrid, etc.) is properly configured and has the correct API keys.
  • Test the Event Trigger manually by signing up with a test account and checking your email integration logs.

Password reset emails not sending

If password reset emails aren't being sent:

  • Check that the On password reset requested Event Trigger is configured with your email integration.
  • Verify that the email integration has permission to send emails and is not in sandbox mode.
  • Test by triggering a password reset and checking the Event Trigger logs in Data & API → Workflows → Event triggers.

Users can't sign in after sign up

If users are unable to sign in immediately after creating an account:

  • Check if email verification is enabled. If so, users must verify their email before signing in.
  • Verify that the sign-in form is sending the correct email and password values.
  • Check the browser console and backend logs for authentication errors.
  • Confirm that the email/password provider is enabled in all environments (staging and production).

OTP codes not working

If OTP codes are failing to verify:

  • Confirm that the OTP Type used in Request code matches the type used in the verification action.
  • Check that the OTP code hasn't expired (codes typically expire after a few minutes).
  • Verify that the email address used to request the code exactly matches the one used to verify it.
  • Test by sending a code to yourself and verifying it immediately.

Session not persisting

If users are being signed out unexpectedly:

  • Check that the Remember Me option is enabled in the sign-in action if you want persistent sessions.
  • Verify that your domain supports secure cookies (HTTPS is required in production).
  • Confirm that users aren't clearing cookies or using private browsing mode.
  • Check the session expiration settings (default is 7 days).

Reference

WeWeb settings

| Setting | Description | Notes |
| --- | --- | --- |
| Enable Email provider | Enables email/password authentication | Must be enabled for all email/password workflows to work |
| Enable email verification | Requires users to verify their email before signing in | Recommended for production apps; requires configuring the email verification trigger |

Authentication actions

All actions are available in Interface → Workflows → Authentication category.

| Action | Purpose | Key fields |
| --- | --- | --- |
| Sign up with email | Register new users | Email, Password, Display Name (optional), Image (optional) |
| Sign in with email | Authenticate users | Email, Password, Remember Me (optional) |
| Sign out | End user session | None |
| Request magic link | Passwordless authentication | Email, Redirect pages |
| Request password reset | Initiate password reset | Email, Redirect page |
| Update password | Change password for signed-in user | Current Password, New Password |
| Send verify email | Send email verification | Email, Redirect page |
| Request code | Send OTP code | Email, OTP Type |
| Check code validity | Verify OTP without action | Email, OTP Code, OTP Type |
| Sign in (OTP) | Sign in with OTP | Email, OTP Code |
| Verify email (OTP) | Verify email with OTP | Email, OTP Code |
| Reset password (OTP) | Reset password with OTP | Email, OTP Code, New Password |

Event Triggers

All Event Triggers are available in Data & API → Workflows → Event triggers.

| Trigger | Use case |
| --- | --- |
| On before sign up | Validate or transform sign-up data before creating the user |
| On after sign up | Send welcome emails, create related records, or update external systems |
| On after sign in | Log sign-in events or update last-login timestamps |
| On password reset requested | Send password reset email with link or OTP |
| On email verification requested | Send email verification link or OTP |
| On magic link requested | Send magic link email for passwordless sign-in |
| On OTP requested | Send OTP code via email |
| On password updated | Notify users that their password was changed |

User object

Once authenticated, users are accessible via the currentUser variable and stored in the auth.users table with these fields:

| Field | Type | Description |
| --- | --- | --- |
| id | string | Unique user identifier (UUID) |
| email | string | User's email address |
| name | string | User's display name |
| image | string | URL to user's profile image |
| emailVerified | boolean | Whether the email has been verified |
| createdAt | timestamp | When the user was created |
| roles | array | Array of role IDs assigned to this user |

FAQs

How do I require email verification for new users?

Enable email verification in Data & API → Auth → Integrating providers. Then configure the On email verification requested Event Trigger in Data & API → Workflows → Event triggers to send verification emails via Resend, SendGrid, or another email integration. Users won't be able to sign in until they click the verification link.

Can I use email/password and social providers together?

Yes. Users can sign up with email/password or sign in with Google, GitHub, or any other enabled provider on the same project. Behind the scenes, both methods work with the same user and session system.

What's the difference between magic links and OTP?

Both provide passwordless authentication. Magic links send a clickable URL that signs the user in, while OTP sends a code that the user must enter manually. Magic links are easier for users but require opening email in the same browser. OTP codes work across devices and are more flexible for complex flows like password reset.

Can I customize password requirements?

Password validation happens in your interface workflows before calling the sign-up or update password actions. Add custom validation logic (minimum length, special characters, etc.) using formulas or workflow conditions before submitting to the authentication backend.
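A validator of the kind this answer describes, covering both the sign-up form and the Update password form with its optional Confirm New Password field. It is an added example, not WeWeb code: MIN_LENGTH, the rule set and all names are assumptions.

```javascript
// Added example. MIN_LENGTH, the rule set and all names are assumptions.
const MIN_LENGTH = 12; // assumed policy value

// Returns { ok, errors } so a workflow can branch on ok and display the errors.
// confirmPassword, currentPassword and email are optional; pass what the form has.
function validateNewPassword({ newPassword, confirmPassword, currentPassword, email }) {
  const errors = [];
  if (typeof newPassword !== "string" || newPassword.length === 0) {
    return { ok: false, errors: ["missing"] };
  }
  // Count code points, not UTF-16 units, so emoji do not count double.
  if ([...newPassword].length < MIN_LENGTH) errors.push("too_short");
  // Confirm New Password is optional on the action, so the match is checked here.
  if (confirmPassword !== undefined && confirmPassword !== newPassword) {
    errors.push("confirmation_mismatch");
  }
  // A change to the same value leaves a possibly exposed password in place.
  if (currentPassword && currentPassword === newPassword) errors.push("same_as_current");
  // Reject passwords built around the mailbox name ("alice" in alice@...).
  const mailbox = (email || "").split("@")[0].toLowerCase();
  if (mailbox.length >= 3 && newPassword.toLowerCase().includes(mailbox)) {
    errors.push("contains_email_name");
  }
  // Very low character variety, such as "aaaaaaaaaaaa" or "abababababab".
  if (new Set(newPassword).size < 4) errors.push("too_repetitive");
  return { ok: errors.length === 0, errors };
}
```

The On before sign up trigger, listed above for validating sign-up data, receives the same email and password and is a second place to apply these rules.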

How do I handle "forgot password" flows?

Create a page with an email input. When submitted, call Request password reset with the user's email. Configure the On password reset requested Event Trigger to send an email with the reset link or OTP. Create a reset page that accepts the token/code and calls Reset password with OTP or updates the password via a secure link.

Can I prevent users from signing in without verifying their email?

Yes. Enable email verification in the provider settings. The authentication backend will automatically block sign-in attempts from unverified users and return an error. You can handle this error in your workflow to show a "Please verify your email" message and offer to resend the verification email.