AUTH Permissions

AUTH Permissions #

The Permissions section of the AUTH tab controls authentication permissions as they relate to the devloper’s application.


Allow App Invitation #

In tandem with the sign-up process, the CoSync Auth authentication system boasts support for invitations as an alternative mechanism for user onboarding. Within this invitation scenario, users can only join the application when invited by another user or even an application server. Such a feature proves invaluable when the need arises to restrict and regulate which users are permitted to board the application.

To effectuate this, the invitation mechanism operates by dispatching a distinctive 6-digit code to the invited user’s designated handle, typically an email address. Armed with this code, the user gains the means to successfully onboard onto the application, thereby fostering a controlled and secure user onboarding process.

Similar to the onboard signup process, the invitation onboarding process allows for the inclusion of attached metadata. Users or servers generating the invite can create this metadata, which proves highly versatile in its applications. It could be utilized to append expiration data, coupon details, or any other pertinent information, enhancing the richness and functionality of the invitation-based onboarding experience.


The functionality of the app invitation mechanism is governed by the Allow App Invitation toggle. Enabling or disabling this toggle dictates whether users can extend invitations to others or not.

Invitations can be issued directly by the developper from the AUTH USERS tab within the Invitation sub-tab.

Allow User Name Login #

Within the CoSync Auth authentication system, email stands as the default handle mechanism, serving as the primary means for user identity verification even when using external onboarding mechanisms. Nonetheless, this system goes beyond email support and embraces the option for unique user names to identify users.

Once a user name is associated with a user, it can also serve as their handle for logging in. User names offer the advantage of being more memorable compared to emails, but more importantly, they aid in preserving user privacy concerning other users. Instead of sharing the email address of a user, connections can be established using their user names, safeguarding their identity and promoting a more discreet user interaction experience.

Allow Apple Login #


Beyond traditional email/username authentication, the CoSync Auth authentication system also supports Apple Id Sign In. This feature streamlines the onboarding process for iOS applications, minimizing user sign-up hurdles. This functionality is fully integrated into the CoSync Auth authentication REST API (similar to anonymous login), offering a unified JWT interface for this social login feature.

Should a developer choose to enable Apple Login, they will need to supply the Apple Bundle ID for the iOS Application. If the application needs to support both login from an iOS device and a web page, the developer may need to provide a list of Apple Bundle IDs that are comma seperated.

Note: Apple Id Sign In is operational only in release mode, and not in development mode.

Allow Google Login #


CoSync Auth also facilitates the Google Login social protocol. This is akin to Apple Id Sign In but utilizes a GMAIL account rather than an Apple Id. You can find a comprehensive description of the Google Authentication protocol here. To activate Google Login within the client application, the developer must furnish the Google Client ID for the application. Like the Apple Bundle ID, Cosync Auth supports multiple Google Client IDs that are comma seperated.

Just like Apple Id Sign In, the Google Login social protocol operates solely in release mode, not in development mode.

Allow Anonymous Login #

The CoSync Auth authentication system extends its support to encompass anonymous login functionality. This proves immensely advantageous when onboarding users into an application without burdening them with the need to enter user-specific data. This approach allows an application to offer a minimal set of functionality initially, without necessitating formal sign-up. Subsequently, users can upgrade to fully qualified users with verified emails and/or user names at their discretion.

For anonymous users, the handle consistently follows the format ANON_ (e.g., ANON_209CAE69-102F-418D-9EFC-F096621F1188). Moreover, developers can conveniently track anonymous users through the JWT USERS tab found within the Application Settings.

To activate the Anonymous Login feature, developers need only enable the Allow Anonymous Login switch, providing an effortless means to empower this functionality.


Allow App Signup #

Developers retain the ability to exercise control over user onboarding through a signup process via the Allow App Signup switch. By default, users are allowed to sign up, but there are scenarios where the developer might choose to disable this functionality. For instance, during the beta testing phase of the app, restricting the pool of eligible users might be desirable. Alternatively, the developer may prefer to allow onboarding exclusively through an invitation process, without user discretion.

In case signup is enabled, users will be required to provide a valid email, which may undergo verification depending on the signup flow. Once the email has been verified, users also have the option to assign a unique user name to their identity if the application supports User Name login. This flexibility empowers developers to fine-tune their onboarding procedures to align with their specific application’s requirements and objectives.

Set your app sign up flow #

Within the CoSync Auth authentication system, the sign-up process provides three email verification options: None, Code, or Link - with the default being Code. Opting for None in the sign-up flow, though possible, is not recommended. By selecting None, the email will remain unverified, lacking genuine confirmation of belonging to the user. Consequently, users may input any email address, including those not associated with them, as a valid handle. This approach undermines the integrity of the email verification process and is not advisable for maintaining secure user identities.


The prevalent Code email verification method in the CoSync Auth authentication system involves the authentication server sending a distinctive six-digit code to the user’s provided email address. Upon receiving this code, the user enters it into the system, allowing it to be cross-referenced with the code linked to the specified email. A successful match indicates the validation of the user’s identity, confirming the genuine connection between the user and the associated email address.


The final signup flow available is Link. When the developer opts for this method, the server dispatches an email containing a clickable link that the user can use to validate their email for the application. This approach offers the benefit of reducing the number of keystrokes required for email validation, streamlining the process for the user.

However, utilizing the Link flow introduces a challenge for the developer in terms of tracking when the user clicks the link. This poses a difficulty in determining the appropriate moment to progress to the next screen in the signup flow, such as automatically logging the user in. Despite the added complexity for the developer, the Link flow provides a more user-friendly experience in terms of email verification.