Built-in Authentication: Add User Login to Your Site
Add complete user authentication to your HeyBoss project without writing code. Built-in login, registration, password reset, and user management - no Firebase, Auth0, or external services needed.
Perfect for: Member sites, SaaS products, user dashboards, protected content, subscription sites, community platforms.
What is Built-in Authentication?
HeyBoss includes a complete authentication system out of the box. With simple prompts, you can add:
User registration - Email/password signup
User login - Secure authentication
Password reset - Forgot password flows
User profiles - Account management
Protected pages - Login-required content
Session management - Keep users logged in
Role-based access - Admin, user, guest permissions
No external services needed - authentication is built into HeyBoss and works automatically.
How to Add Authentication
Step 1: Enable Authentication
Tell the AI to add authentication to your project:
"Add user login and registration to this site"
"I need user authentication with email and password"
"Create a members-only area that requires login"
Step 2: Customize Login Pages
The AI will automatically create:
/login page - User login form
/register or /signup - New user registration
/forgot-password - Password reset request
/reset-password - Set new password
/profile - User account page
You can customize the design:
"Make the login form minimal and centered"
"Add social login buttons (styling only)"
"Match login page to my brand colors"
Step 3: Protect Pages
Make specific pages require login:
"Make the dashboard page login-required"
"Protect all pages under /members/"
"Only logged-in users can access /premium-content"
Authentication Features
User Registration
What users can do:
Sign up with email and password
Automatic email validation
Password strength requirements
Terms of service checkbox (optional)
Automatic login after registration
What you control:
Required fields (name, email, company, etc.)
Password complexity rules
Email verification (on/off)
Welcome email automation
Redirect after signup
User Login
Features:
Email + password authentication
"Remember me" checkbox
Session persistence
Automatic redirect to requested page
Failed login attempt tracking
Account lockout after X failed attempts (optional)
Password Reset
Flow:
User clicks "Forgot Password"
Enters email address
Receives reset link via email
Clicks link, enters new password
Password updated, can log in
Security:
Reset tokens expire after 1 hour
One-time use tokens
Password strength validation
Email confirmation required
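The two token properties listed above (1-hour expiry, one-time use) can be implemented as in this added Node.js example, which is not HeyBoss's own code. The in-memory `pendingResets` store and the function names are hypothetical, and replacing an account's earlier outstanding token is a choice of this example.

```javascript
const crypto = require("node:crypto");

const RESET_TTL_MS = 60 * 60 * 1000; // 1 hour, as stated in the list above
// Hypothetical in-memory store: sha256(token) -> { email, expiresAt }
const pendingResets = new Map();

const hashToken = (token) =>
  crypto.createHash("sha256").update(token).digest("hex");

// Issue a token for the reset link. Only its hash is stored, so a leaked
// copy of the store does not yield usable reset links.
function issueResetToken(email, now = Date.now()) {
  // Example's choice: a new request replaces any earlier outstanding token.
  for (const [hash, entry] of pendingResets) {
    if (entry.email === email) pendingResets.delete(hash);
  }
  const token = crypto.randomBytes(32).toString("hex");
  pendingResets.set(hashToken(token), { email, expiresAt: now + RESET_TTL_MS });
  return token;
}

// Redeem a token. Returns the account e-mail on success, null otherwise.
function redeemResetToken(token, now = Date.now()) {
  if (typeof token !== "string" || token.length === 0) return null;
  const hash = hashToken(token);
  const entry = pendingResets.get(hash);
  if (!entry) return null;          // unknown or already used
  pendingResets.delete(hash);       // one-time use: consumed before any other check
  if (now > entry.expiresAt) return null; // older than 1 hour
  return entry.email;
}
```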
User Profiles
Standard features:
View account details
Update email address
Change password
Upload profile picture
Edit personal information
Delete account (optional)
Session Management
How it works:
Secure session cookies
Configurable session duration
"Remember me" extends session
Auto-logout on inactivity (optional)
Logout on all devices option
Advanced Authentication
Role-Based Access Control (RBAC)
Assign roles to users:
Admin - Full access to everything
User - Standard member access
Guest - Limited access
Custom roles - Define your own (Premium, VIP, etc.)
Protect pages by role:
"Only admins can access /admin dashboard"
"Premium members can view /premium content"
"Free users see ads, paid users don't"
Email Verification
Require users to verify email:
User registers
Receives verification email
Clicks verification link
Account activated
Can now log in
Benefits:
Reduces spam accounts
Validates email addresses
Improves deliverability
Required for some features
Multi-Factor Authentication (2FA)
Add extra security:
Time-based one-time passwords (TOTP)
Authenticator app support (Google Authenticator, Authy)
Backup codes for recovery
Optional or required by role
Ask AI to enable 2FA: "Add two-factor authentication with authenticator app support"
Social Login Integration
Allow login with social accounts:
Google - "Sign in with Google"
Facebook - "Continue with Facebook"
Twitter/X - Twitter OAuth
GitHub - Developer-focused sites
LinkedIn - Professional networks
Tell the AI: "Add Google and Facebook social login buttons"
Common Use Cases
SaaS Product
User signup with email verification
Dashboard requires login
Different features for free vs paid users
Admin panel for managing users
API keys tied to user accounts
Membership Site
Member registration
Protected member-only content
Member directory (optional)
Profile pages for members
Membership levels (Basic, Premium, VIP)
E-commerce Store
Customer accounts
Order history
Saved addresses and payment methods
Wishlist and favorites
Guest checkout option
Community/Forum
User registration to post
User profiles with avatars
Follow/friend system
Private messaging
Moderation roles (Admin, Moderator, User)
Security Best Practices
Password Security
Enforce strong passwords - Minimum length, complexity requirements
Hash passwords - Never store plain text (HeyBoss does this automatically)
Use bcrypt/argon2 - Industry-standard hashing
Password history - Prevent reusing old passwords
Rate limiting - Prevent brute force attacks
Session Security
Secure cookies - HttpOnly, Secure, SameSite flags
HTTPS only - Never send credentials over HTTP
Session expiration - Auto-logout after inactivity
Token rotation - Refresh tokens periodically
IP validation - Detect session hijacking (optional)
General Security
Rate limiting - Limit login attempts
CAPTCHA - Prevent bots (optional)
Email verification - Validate user emails
Audit logs - Track authentication events
Security headers - CSP, X-Frame-Options, etc.
User Management
Admin Dashboard
Manage users from admin panel:
View all users
Search and filter users
Edit user details
Change user roles
Activate/deactivate accounts
Delete users
View user activity logs
Export user list
Request: "Add an admin dashboard for managing users"
User Data
Access user information:
Registration date
Last login time
Login count
User role
Email verification status
Account status (active/inactive)
Custom profile fields
Customization Options
Branding
Custom login page design
Your logo and colors
Custom email templates
Branded password reset
Custom success/error messages
Fields
Add custom registration fields:
Phone number
Company name
Job title
Country/region
Birthday
Custom checkboxes (newsletter, terms)
Any other fields you need
Example: "Add company name and phone number to registration form"
Redirects
After login → Dashboard or custom page
After registration → Welcome page or onboarding
After logout → Homepage or login page
Unauthorized access → Login page with return URL
Email Notifications
Automatic Emails
HeyBoss can send:
Welcome email - After registration
Email verification - Confirm email address
Password reset - Reset link
Password changed - Security notification
Login from new device - Security alert (optional)
Account deletion - Confirmation
Customize Email Content
Tell the AI what emails should say:
"Welcome email should include quick start guide"
"Password reset email should mention support link"
"Use friendly, casual tone in all emails"
Database Integration
User data is automatically stored in HeyBoss's built-in database:
User table created automatically
Secure password storage
Scalable for thousands of users
Fast queries for authentication
Backup and recovery included
Access user data in your code or via admin dashboard.
API Integration
Authentication API
For advanced use cases, access authentication via API:
POST /api/register - Create user
POST /api/login - Authenticate
POST /api/logout - End session
POST /api/forgot-password - Request reset
POST /api/reset-password - Set new password
GET /api/user - Get current user
PUT /api/user - Update profile
API documentation available in Code Mode - request it from the AI.
Troubleshooting
Users Can't Register
Check email validation is working
Verify password meets requirements
Check for JavaScript errors in console
Ensure registration is enabled
Check database connection
Users Can't Log In
Verify email and password are correct
Check if account is activated
Ensure account isn't locked
Check session cookie settings
Clear browser cache and cookies
Password Reset Not Working
Check email is being sent (check spam folder)
Verify reset link hasn't expired (1 hour)
Ensure email matches registered account
Check email service is configured
Verify reset token is valid
Sessions Expiring Too Fast
Increase session duration in settings
Enable "Remember me" functionality
Check cookie expiration settings
Verify HTTPS is enabled
Check for cookie conflicts
Common Questions
Do I need an external authentication service?
No! HeyBoss has built-in authentication. You don't need Firebase, Auth0, or any other service. Everything works out of the box.
Is the built-in authentication secure?
Yes. HeyBoss uses industry-standard security: bcrypt password hashing, secure session management, HTTPS encryption, and follows OWASP best practices.
Can I migrate existing users?
Yes. You can import users from CSV or use the API to create accounts programmatically. Password migration requires users to reset passwords for security.
Does authentication work with custom domains?
Yes! Authentication works seamlessly with custom domains. Session cookies are automatically configured for your domain.
Can I customize the login page design?
Absolutely! You can fully customize login, registration, and all auth pages to match your brand using Chat Mode or Quick Edit.
What about GDPR compliance?
HeyBoss authentication includes GDPR-friendly features: user data export, account deletion, privacy policy links, and consent checkboxes. You're responsible for your privacy policy.
Can I add OAuth/social login?
Yes! Request social login integration: "Add Google and Facebook login". The AI will set up OAuth flows for you.
How many users can I have?
Depends on your plan. Paid plans support thousands to millions of users. Check pricing for specific limits.
Can I see who's currently logged in?
Yes, the admin dashboard can show active sessions and recently active users.
What happens if user forgets both email and password?
If they don't have access to the registered email, you (as admin) can manually reset their password or update their email from the admin dashboard.
Get Started
Ready to add authentication? Just tell the AI:
"Add user login and registration"
"Create a members area that requires login"
"I need user accounts with profiles"
"Add authentication with Google social login"
The AI will set up everything automatically!
Need help? Contact Support for assistance with authentication setup.
