Introducing Replit Auth: add secure login to your app

Ryan Mulligan

User login, social sign-in, and user management — all from a single prompt with Replit Auth

We’ve heard from users that user login can be one of the hardest features to add. There are many places you can get stuck: configuring external services, managing callbacks, integrating new login providers, and storing user information. Even if you get through all of that, you might be left wondering: is my app actually secure?

That’s why today we’re excited to announce Replit Auth.

With just a simple modification to your prompt, adding “use Replit Auth”, you’ll get:

  • Reliable user authentication
  • Multiple social login providers to choose from
  • Enterprise-grade security
  • User information stored in your app’s database
  • User management and administration

Here’s what some of our early beta users have had to say after trying Replit Auth:

"Simplest solution for adding login to your app."
"I spent three weeks building auth for my last project. With Replit Auth, it took minutes."
"The social logins just worked. No API keys, no callback URLs, no headaches."

Let’s dive in and see how it works.

How your users will experience Replit Auth

First, there are many reasons you might want to add user authentication to your app. Auth unlocks a richer product experience in your Agent-generated applications:

  • User accounts: profiles, saved progress, tailored experiences, and social features
  • Data storage: let users save and access their content securely
  • Security and scalability: move from prototype to fully functional production app
  • Monetization: user profiles are necessary to enable subscriptions and payments

If any of those apply to you, this is where you’ll want to tell Replit Agent to “use Replit Auth” as part of your prompt. When you do that, Replit Agent will configure Replit Auth and your users will get a seamless login experience.

Here’s how it will work for your users:

  • When users visit your app, they'll see a “Log in” button.
  • Clicking this button redirects them to Replit.com for authentication. They can log in or create accounts with a social provider of their choice (or use email/password). (When creating a new account, your users skip Replit onboarding and are opted out of Replit emails.)
  • After successful authentication and consent to share Replit.com profile information, users are redirected back to your app automatically.

The entire authentication flow is automatically configured by Replit Agent, making the process completely seamless for both you and your users.

Enterprise Grade Security

Security is one of the most important considerations when picking a user authentication system. That’s why we built Replit Auth on top of our own battle-hardened, continuously monitored, and security-tested login system.

By leveraging Replit user identities, you get the benefit of:

  • Firebase for the core user authentication
  • Email verification for all users
  • reCAPTCHA for bot protection
  • Stytch device fingerprinting for fraud protection
  • HackerOne for bug bounty programs and pen testing
  • Clearout for email validation
  • and more

Follow our security checklist to keep your app as safe as possible, and please see our security documentation for more details.

All of this at no extra effort or cost to you. By protecting Replit every day, we’ll also be protecting your app.

Managing Replit Auth in your app

There are two ways to manage these accounts in your app:

First, our built-in database will automatically have a users table configured. This will store user information that your app can reference in order to power profiles, preferences, payments, and more. You can view this information to see how it looks behind the scenes with our Database tool:

Second, you now have access to a new Auth tool in the Replit Workspace. It allows you to manage users and configure how Replit Auth works in your application.

In the Users tab of the tool, you can view all of your users. From here you can see user details like creation or login time, as well as ban malicious or abusive users from your app.

In the Configure tab of the tool, you can choose how your app appears to users. You can customize the name, the logo, and, most importantly, which login providers you want to be prominent.

You can choose from:

  • Google
  • GitHub
  • X
  • Apple
  • Email

Let us know what other management options or login providers you need; we’re always working to improve.
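The users table described at the start of this section stores the profile information returned at login. The snippet below is an added example, not the schema Replit Agent generates for you: it assumes the login callback has already validated the ID token and hands over the standard OpenID Connect claims ("sub", "email", "given_name", "family_name", "picture"), and it keys the row on "sub" rather than on the email address, because an email address can change or be reassigned while the subject identifier is the stable per-user value the "openid" scope provides.

```python
"""Persisting authenticated users keyed by the provider's stable subject id.

Added example (not Replit code). Column names and the sample claims are
constructed for illustration; the real table Replit Agent configures may differ.
"""
import sqlite3

# Row identity is the OIDC "sub" claim: unique per user at the issuer and
# never reassigned, unlike an email address.
SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    id                TEXT PRIMARY KEY,          -- OIDC "sub" claim
    email             TEXT,
    first_name        TEXT,
    last_name         TEXT,
    profile_image_url TEXT,
    created_at        TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    last_login_at     TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);
"""

CLAIM_KEYS = ("sub", "email", "given_name", "family_name", "picture")


def open_db(path=":memory:"):
    """Open (or create) the database and make sure the users table exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def upsert_user(conn, claims):
    """Insert the user on first login, refresh profile fields on later logins.

    The conflict target is the primary key (the subject id), so a user whose
    email changed at the provider still maps to the same row.
    """
    if not claims.get("sub"):
        raise ValueError("ID token claims must carry a non-empty 'sub'")
    params = {key: claims.get(key) for key in CLAIM_KEYS}
    conn.execute(
        """
        INSERT INTO users (id, email, first_name, last_name, profile_image_url)
        VALUES (:sub, :email, :given_name, :family_name, :picture)
        ON CONFLICT(id) DO UPDATE SET
            email             = excluded.email,
            first_name        = excluded.first_name,
            last_name         = excluded.last_name,
            profile_image_url = excluded.profile_image_url,
            last_login_at     = strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
        """,
        params,
    )
    conn.commit()
    return conn.execute(
        "SELECT id, email, first_name, last_name FROM users WHERE id = ?",
        (claims["sub"],),
    ).fetchone()


def count_users(conn):
    """Number of distinct users stored."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Two logins by the same subject with a changed email yield one row."""
    conn = open_db()
    # Constructed sample claims, as a validated ID token would provide them.
    first_login = {"sub": "12345678", "email": "ada@example.com",
                   "given_name": "Ada", "family_name": "Lovelace",
                   "picture": "https://img.example/ada.png"}
    second_login = dict(first_login, email="ada.lovelace@example.com")
    upsert_user(conn, first_login)
    row = upsert_user(conn, second_login)
    return count_users(conn), row


if __name__ == "__main__":
    print(demo())
```

Keying on the subject id also means a ban recorded against a user in the Auth tool cannot be sidestepped by changing the email on the same Replit account, since the app's own record follows the same stable identifier.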

How We Built Replit Auth

Why did we choose to use existing Replit accounts for Replit Auth?

We set out to develop the first configuration-free auth integration. With other auth providers, you need to create accounts, provision API keys, and configure login flows. For many of them, you also have to visit each social login provider, provision a client ID, and configure callback URLs. By choosing to use existing Replit accounts, we’ve accomplished true zero-setup authentication. Since Replit has already configured the social login providers to work with Replit accounts, you do not need to.

Additionally, using Replit accounts means your app gets a lower-friction login experience for the millions of users who already have Replit accounts.

Users who sign up for a Replit account through your app will not receive emails from Replit, unless they separately start using Replit.

OpenID Connect

With our previous “Repl Auth” (note: not Replit Auth) login system, we chose to make libraries for Python and Node.js. We’ve found that, now that we are in a world of large language models, these libraries were “out of distribution” and hard for the models to implement. That’s why with Replit Auth we set out to make replit.com into an OpenID Connect-compliant login provider. This allows us to use popular (“in distribution”) client libraries and opens the door for integrations across more languages.

Your app can request three scopes of user data: “openid”, “email”, and “profile”. By default, we prompt the agent to ask for all three. The “openid” scope grants access to a unique user identification number. The “email” scope grants access to the user’s email address. The “profile” scope grants access to the user’s first name, last name, and a profile image URL. Additional scopes, like access to posts on X or pull requests on GitHub, are not provided as part of Replit Auth and would require a separate OAuth application implementation and user authorization.
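Because Replit Auth is a standard OpenID Connect provider, the redirect-back step described earlier ends with the app receiving an ID token, and the relying party still has to check that token binds to this app and this login before reading the user's identity from it. The following is an added example, not Replit's or any client library's code: it shows the claim checks (issuer, audience, expiry, nonce, subject) and which standard claims each of the three scopes above releases. The issuer URL, client ID and claim values are constructed placeholders, and JWT signature verification is assumed to be done by the OIDC client library before these checks run.

```python
"""Claim validation for an OpenID Connect ID token and scope-to-claim mapping.

Added example (not Replit code). Assumes the token signature has already been
verified by the OIDC client library; what remains are the relying-party checks
that stop a token minted for another app, or captured from another login, from
being accepted here. All identifiers below are constructed placeholders.
"""
import time

# Standard OIDC claim names released by each of the three scopes the post lists.
SCOPE_CLAIMS = {
    "openid": ("sub",),
    "email": ("email",),
    "profile": ("given_name", "family_name", "picture"),
}

CLOCK_SKEW_SECONDS = 60


class IdTokenError(ValueError):
    """Raised when an ID token must not be trusted."""


def verify_id_token_claims(claims, expected_issuer, client_id, expected_nonce, now=None):
    """Check the claims that tie an ID token to this app and this login session.

    Returns the claims on success, raises IdTokenError on any failed check.
    """
    now = time.time() if now is None else now
    # iss: the token must come from the provider the user was redirected to.
    if claims.get("iss") != expected_issuer:
        raise IdTokenError("issuer mismatch")
    # aud: a token issued to a different client must not log anyone in here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("audience mismatch")
    # exp: reject expired tokens, allowing a small clock skew.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now - CLOCK_SKEW_SECONDS:
        raise IdTokenError("token expired or missing exp")
    # nonce: must equal the value this session generated for its authorization
    # request, which blocks replay of a token obtained in a different login.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    # sub: the stable user identifier the "openid" scope provides.
    if not claims.get("sub"):
        raise IdTokenError("missing subject")
    return claims


def profile_from_claims(claims, granted_scopes):
    """Return only the fields the granted scopes entitle the app to read."""
    profile = {}
    for scope in granted_scopes:
        for name in SCOPE_CLAIMS.get(scope, ()):
            if name in claims:
                profile[name] = claims[name]
    return profile


# Constructed sample payload, as it would look after the JWT is decoded.
ISSUER = "https://issuer.example"          # placeholder, not the real issuer URL
CLIENT_ID = "client-id-placeholder"
SESSION_NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "12345678",
    "iat": 1_799_999_000,
    "exp": 1_800_000_000,
    "nonce": SESSION_NONCE,
    "email": "ada@example.com",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "picture": "https://img.example/ada.png",
}


def demo(now=1_799_999_500):
    """Validate the sample token and extract the profile for all three scopes."""
    claims = verify_id_token_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, SESSION_NONCE, now=now)
    return profile_from_claims(claims, ["openid", "email", "profile"])


if __name__ == "__main__":
    print(demo())
```

The nonce check is the one most often skipped by hand-written callbacks: generate it per session when building the authorization request, store it server-side, and compare it here, so an ID token from one login cannot be presented to a different session.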

Interested in solving complex problems and empowering the next billion software creators? See our open positions!