User Accounts
Let users sign up and sign in to your app
User Accounts add authentication and users to your app. They handle sign-up, sign-in, logout, and storing users.
Overview
Every Create project can add User Accounts. As you chat with Create, it manages adding the authentication details - from setting up secure login flows to writing the code that only shows your app’s content to logged in users.
Use User Accounts to:
-
Let users sign up and sign in
-
Protect private content and features
-
Store data per user
-
Personalize experiences
-
Build apps with many users
Chat
Create updates your app to add User Accounts if you chat about adding users.
Try a prompt like: ‘Let users sign up’ or ‘Store data per user’
When Create recognizes you want to add user accounts, it:
-
Enables User Accounts in your project
-
Adds special pages for Sign up, Sign in, and Logout
-
Creates special tables in your app’s database to store user information (auth_users, auth_accounts, etc.)
-
Adds checks to your pages and functions to protect content that needs to be signed in to view
-
Updates everything to make sure your pages and functions work with the new users tables and signed in user
You will know it’s working when you see the sign up, sign in, and logout pages in your app on the Canvas or Project Selector, or if you see the special user tables in your database viewer.
Finding the sign up, sign in and log out pages in Project Selector. Checking the auth tables in the database.
Adding Manually
If Create isn’t recognizing when to add User Accounts, you can also trigger it manually.
-
Enable for Project:
-
Open Create logo menu
-
Choose “Enable User Accounts”
-
Signup, Signin, Logout pages and the right tables gets created
-
-
Protect Content:
-
Open page/function settings (3-dot menu > Settings > “Require sign in to view”)
-
Enable “Require sign in to view”
-
Publish to apply changes
-
How It Works - In the App
When you enable User Accounts, Create adds:
Authentication Pages
-
Sign In Page -
/account/signin
-
Sign Up Page -
/account/signup
-
Logout Page -
/account/logout
You can customize the look and feel of these pages by prompting Create to change them.
Once User Accounts is enabled, you can also create components for the sign in, sign up, and logout functionality. This lets you embed this functionality anywhere. Under the hood, it uses the same auth routes as the pages.
These pages contain special code to update the user in the database when they sign up/in and handle common errors.
User Tables
Create makes 4 special tables:
-
auth_users
: Tracks users in your app -
auth_accounts
: Tracks auth methods (email/password, Google, etc.) -
auth_sessions
: Database-backed user sessions -
auth_verification_token
: 2FA verification tokens
Most used: auth_users
(core profiles) and auth_accounts
(login methods)
Most of the time, you won’t need to worry about these implementation details. Create handles storing and managing user data automatically. However, understanding the underlying structure can help build more complex features or debug authentication flows.
Built-in fields in auth_users
:
-
id
: Unique identifier for each user -
name
: User’s display name (optional) -
email
: User’s email address -
emailVerified
: Tracks if email has been verified -
image
: Profile image URL (optional) -
auth_accounts
: Links to the auth methods for the user
Built-in fields in auth_accounts
:
-
id
: Unique identifier for each auth method -
userId
: Links to the user in auth_users -
type
: Authentication type (e.g. “credentials” for email/password) -
provider
: Auth provider (e.g. “credentials”, “google”) -
providerAccountId
: ID from the provider -
refresh_token
: OAuth refresh token -
access_token
: OAuth access token -
expires_at
: Token expiration -
token_type
: Type of token (e.g. “bearer”) -
scope
: OAuth scopes -
id_token
: OAuth ID token -
session_state
: Session state -
password
: Hashed password (for credentials provider)
Storing Additional User Information: You can prompt Create to store additional profile information per user, like “Store the user’s bio, location, and phone number”. Create will either add these fields directly to the auth_users
table or create a linked profile table with these fields that connects to auth_users
via the user’s ID. This keeps your user data organized while maintaining the core authentication tables.
Linking Data to Users: When you prompt Create to store data per user (like posts, preferences, or settings), Create automatically adds a user_id
field to those database tables. This user_id
connects each piece of data to the specific user in the auth_users
table who owns it. That lets your app later grab the data for a specific user.
Signed In User
When you prompt Create to protect a page or show content per user on a page, e.g. “When user is signed in, show their profile in top right” or “If the user isn’t signed in, don’t show the notification settings”, Create can now add code to grab the current signed in user’s info and change the behavior of the app based on it.
Pages, Functions, and Components can now all check the current signed in user, grab their information from the database, and use it to show/hide info, or change their behavior.
Create automatically handles auth redirects. You can link pages as normal. If a user needs to be signed in to view a page, Create will check if they are. If they’re not, it will redirect them to the Sign In page, and once signed in, redirect them back to the original page. Just prompt Create on which pages should be protected with sign in vs. public.
How It Works - For your Users
Create uses Next Auth and JWT (JSON Web Token) authentication to manage user sessions:
-
When users sign up or sign in, Create saves the user’s information in the database and stores a secure cookie in their browser
-
This cookie keeps users logged in as they browse your app
-
When users visit a protected page or use a protected function, Create checks this cookie
-
If no valid cookie exists, Create redirects them to the sign-in page
-
To let users log out, add a link to
/account/logout
in your app’s signed-in experience -
When users visit the logout route, Create removes the cookie and ends their session
Real World Example
Let’s say you have an AI app with:
-
Landing page (at
/
) -
AI homework creator (at
/app
)
To add user accounts:
-
Prompt “Add users to the app. They should sign up and sign in to view the homework creator”
-
Protect access to the homework creator page by either:
-
Prompting: “Only let signed in users view the homework creator”
-
Manually: Go to
/app
page > 3-dot menu > Settings > “Require account to view”
-
-
Publish changes
-
Now:
-
/
remains public -
/app
redirects to sign-in -
After sign-in, users access
/app
-
Add personalization: “When user is logged in, show their profile in top right and store their AI generations”
-
Add special behavior: “If this is the users first time, show them an onboarding flow where they can fill out their profile”
-
Customizing Auth Pages
Modify the built-in authentication pages through chat:
Create will:
-
Update the look and feel of your pages
-
Add your logo
-
Maintain they key sign in / sign up code that stores the user
Common customizations:
-
Adding branding elements
-
Adding additional auth methods (Google, Facebook, etc.)
-
Modifying form fields
-
Changing styles
-
Adding terms of service / privacy policy
-
Adding testimonials or other social proof
Flows and Redirects
Prompt Create on how you want the flow to work.
Create handles authentication flows automatically:
-
Sign Up:
-
User submits signup form
-
Create validates and stores account
-
Sets auth cookie
-
Redirects to page you prompt
-
-
Sign In:
-
User visits page that requires sign in
-
Create checks for auth cookie
-
If no cookie, redirects to sign in page you prompt
-
User enters credentials
-
Create verifies account
-
Sets auth cookie
-
Returns to original page
-
-
Sign Out:
-
User clicks logout
-
Create clears auth cookie with the route
/account/logout
-
Redirects to public page you prompt
-
Storing User Data
By default, Create stores the following information about users:
-
Email (required) - Used for login and account recovery
-
Password (hashed) - Securely stored using industry best practices
-
User ID - Unique identifier to link user data across tables
-
Created Date - When the account was created
-
Last Login - Most recent sign in
You can prompt Create to store additional information per user. Create will update your database to make sure that each piece of user specific information is stored with a user_id that links back to the user in your auth_users table.
Example prompts:
Create will:
-
Add the new fields to your database schema
-
Update queries to store/retrieve the data
-
Link everything to the correct user using their user_id
-
Add UI elements to display and edit the information
Using User Data
You can use the information you store about each user in your app. Just prompt Create. Some examples:
-
“Show the logged in user’s tasks in the main feed”
-
“Show a feed with all users posts”
-
“If the user is logged in, show a profile image in the top right. Otherwise, show the sign up / sign in buttons”
Create will update your Pages, Functions, and Components to use the user data.
You can also manually access and change user information from the Database Viewer.
Profiles
Build user profiles by:
-
Adding Profile Fields:
-
Prompt Create to add profile fields
-
Add avatar, bio, social links
-
Create will update the database to add the fields and update the queries to use them
-
-
Creating Profile Pages:
-
Prompt Create to create profile pages
-
Create will update the pages to grab the user’s profile data and display it
-
-
Handling Updates:
-
Prompt Create to create profile edit forms
-
Create will update the pages/functions to update a user in the database
-
Roles and Permissions
Add custom roles to control access:
-
Add Role Field:
-
Prompt Create to add “role” or similar field for each user
-
Describe the values you want to use like “admin”, “member” and how you want behavior to change
-
Create will update the database to add the field and update the queries to use it
-
-
Check Roles:
-
Reference roles in prompts
-
Example: “If signed in user is admin, show settings”
-
Create handles the logic
-
Auth Methods
Create supports multiple auth methods. Choose the ones that fit your app’s needs.
You can turn on or off each auth method in the Project Settings.
Finding the Project Settings
Email/Password
-
Default authentication method
-
Secure password hashing
-
No additional setup required
-
You can turn it off in Project Settings
-
Social login using Google accounts
-
You’ll need to get a Google Client ID and Secret from Google
-
Social login using Facebook accounts
-
You’ll need to get a Facebook App ID and Secret from Facebook
X
-
Social login using X/Twitter accounts
-
You’ll need to get a Twitter Client ID and Secret from X
Testing
Verify your User Accounts setup:
-
Enable auth on a test page
-
Publish changes
-
Open an incognito window
-
Verify redirect to sign-in
-
Create test account
-
Confirm access after auth
Troubleshooting
If authentication isn’t working:
- Verify User Accounts is enabled for project. Do you see the sign up, sign in, and logout pages in the Project Selector? Do you see the auth tables in the database?
- Check page/function auth settings
- Review the database - check the auth_users table to make sure the user was created
- Test with a fresh account
- Join our Discord for help
Error Codes
If one of your users runs into an error while signing in / signing up, or you do while testing, check the URL for ?error=[code]
.
It can give you a hint on what might be wrong.
Finding the error code in the URL
Common error codes and fixes:
-
OAuthSignin/Callback: OAuth configuration issue
- Check provider settings and keys
- Verify redirect URLs
-
OAuthAccountNotLinked: Email already used with different auth method
- User should sign in with original method (e.g. Google instead of email)
-
CredentialsSignin: Wrong email/password
- Double-check credentials
- Reset password if needed
-
EmailCreateAccount: Email already registered
- Use sign in instead
- Reset password if needed
-
AccessDenied: Permission issue
- Check access settings
- Verify allowed domains
-
Configuration: System setup issue
- Check auth configuration
- Verify environment variables
FAQs
See Also
-
Databases - Store user data and content
-
Functions - Add backend logic that grabs the right data per user from the database
-
Pages - Create protected routes
-
Publishing - Go live with your authenticated app
Was this page helpful?