Skip to main content

Authentication

Nhost Authentication is a ready-to-use authentication service that is integrated with the GraphQL API and its permission system from Hasura. This allows you to easily add user authentication to your application without having to build and maintain your own authentication system.

Nhost Authentication lets you authenticate users using different sign-in methods:

Client URL

Client URL is the URL of your frontend application. The Client URL is used to redirect the user after interacting with any authentication operation, like signing in or resetting their password.

Allowed Redirect URLs

Allowed Redirect URLs are the URLs of your frontend application that are allowed to redirect the user after interacting with any authentication operation, like signing in or resetting their password. This is useful if you have multiple frontend applications that are using the same Nhost backend or if you want to redirect the user to a specific URL after interacting with an authentication operation.

As an example, for a staging project, you can set the Client URL to https://staging.example.com and Allowed Redirect URLs to https://*.vercel.app. This way, the user can be redirected to any Vercel deployment of your frontend application.

Allowed Emails and Domains

Allowed Emails and Domains are used to restrict the sign-up an sign-in process to specific email addresses and domains.

If both allowed emails and allowed domains are set a user can only sign up if their email address matches one of the allowed emails or one of the allowed domains.

Blocked Emails and Domains

Blocked Emails and Domains are used to block specific email addresses and domains from signing up and singin in.

Note that even if a user's email address matches any allowed email or domain, they will still be blocked if their email address matches any blocked email or domain.

Multi-factor Authentication

By enabling Multi-factor Authentication (MFA), you can allow users to verify their identity using a second factor during the sign-in process. We currently support Authenticator Apps (TOTP) for MFA.

Once MFA is enabled, a user can enable MFA for their account by scanning a QR code with their Authenticator App. After that, they will be prompted to enter a code generated by their Authenticator App during the sign-in process.

We'll be adding more support in our SDKs and documentation around MFA soon.

Gravatar

If Gravatar is enabled, Nhost Auth will use the user's email address to fetch their Gravatar profile picture. If the user doesn't have a Gravatar profile picture, a default image will be used.

There are two options for Gravatars:

Default Image

If the user doesn't have a Gravatar profile picture, a default image will be used. You can choose between the following options:

  • 404: Do not load any image if none is associated with the email hash, instead return an HTTP 404 (File Not Found) response.
  • mp: (mystery-person) a simple, cartoon-style silhouetted outline of a person (does not vary by email hash).
  • identicon: a geometric pattern based on an email hash.
  • monsterid: a generated 'monster' with different colors, faces, etc.
  • wavatar: generated faces with differing features and backgrounds.
  • retro: awesome generated, 8-bit arcade-style pixelated faces.
  • robohash: a generated robot with different colors, faces, etc.
  • blank: a transparent PNG image.

Rating

Gravatar images are rated by default. You can choose between the following options:

  • g: suitable for display on all websites with any audience type.
  • pg: may contain rude gestures, provocatively dressed individuals, lesser swear words or mild violence.
  • r: may contain such things as harsh profanity, intense violence, nudity, or hard drug use.
  • x: may contain hardcore sexual imagery or extremely disturbing violence.

Disable New Users

If set, newly registered users are disabled and won't be able to sign in. This is useful if you want to manually approve new users before they can sign in.