How to Handle Password While Creating Accounts for Users
A guide on recommended practices for setting password for a user account created by an admin
Last updated
In some use cases, you (the admin) may need to create an account on behalf of a user. In such cases, the admin can do this either from the Portal or using the Admin API. A common question that arises when admins create accounts for users is how to handle the process of setting a password for the user.
In this post, we'll cover a few options and describe examples of automating the process of sending passwords to new users using Authgear Portal or webhooks.
Some of the options are:
Use the "Automatically create a password and send to the user" feature so that Authgear can auto-generate a secure password and send it to the user.
Set your own unique and secure password for the new user and let Authgear send it in an email to the user so they can log in with it.
To improve security, enable the "Ask user to change password on login" feature so that users are required to change the password set by an admin.
You can create accounts for users using Authgear Portal or Admin API and the password you set or a random auto-generated password will be sent to the user's email address. In addition, you can also configure the new accounts such that users are required to set a new password on login.
First, log in to Authgear Portal, select your project, then navigate to User Management > Users. From the Users page, click on the Create User button on the top right corner to open the Create User page.
On the Create User page, enter the user's email (only email supports auto-sending of passwords from Authgear currently).
Next, enter a secure password you wish to set for the user in the Password field.
Check the "Send the password to user's email" box to enable Authgear to send the password entered in the Password field to the user.
If you're using a phone number instead of email for user identity, you need to use your own means to send the password to the user as Authgear only sends passwords to email at this time. For example, you can set up a webhook to send the password to a phone number as shown below.
Creating a new account on behalf of a user from either the Authgear Portal or using the Admin API will trigger the user.created event.
Note: Creating a user via the batch user import API does not trigger user.created. Also, you need to set up your webhook before you start creating new users.
To set up a webhook, navigate to Advanced > Hooks in the Authgear Portal. Next, click on the Add button under Non-blocking Events to add a new webhook.
Select Webhook under the Event dropdown and enter the URL for the webhook endpoint that will be listening for webhook events from Authgear. Or select TypeScript to run everything on Authgear. Click Save when you're done.
Here is an example of an event log entry for a user.created event when a new user is created from the Portal:
You can use the value of context.triggered_by to determine how the new user account was created, then only send a message when the account was created by an admin (admin_api). You can extract the new user's phone number from payload.user.standard_attributes.phone_number.
The following code shows what a TypeScript hook that listens for the user.created event looks like:
The message you send to new users from your webhook after creating an account for them can look like this:
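As an added example (not Authgear's own hook code), the decision logic such a TypeScript hook needs, together with the notification text it would send. The event interface is an assumed minimal subset of the real payload containing only the fields named above, the default-export signature is assumed, and sendSms is a placeholder for your SMS provider's client:

```typescript
// Added example, not Authgear's own code. The interface below is an assumed
// subset of the user.created payload: only the fields this guide refers to.
interface UserCreatedEvent {
  type: string;                         // "user.created"
  context: { triggered_by?: string };   // "admin_api" when an admin created the account
  payload: {
    user: {
      id: string;
      standard_attributes?: { phone_number?: string; email?: string };
    };
  };
}

interface SmsPlan { to: string; message: string }

// Decides whether to text the new user and what to say. Returns null when no
// SMS should go out: self sign-ups, non-user.created events, or no usable phone.
// The event carries no password, so the text points the user at Forgot Password
// (see the recovery flow described below) instead of echoing any secret.
export function planSmsNotification(event: UserCreatedEvent): SmsPlan | null {
  if (event.type !== "user.created") return null;
  if (event.context.triggered_by !== "admin_api") return null;
  const phone = event.payload.user.standard_attributes?.phone_number;
  // Only E.164-style numbers ("+" and 7 to 15 digits) can be handed to an SMS gateway.
  if (!phone || !/^\+[1-9]\d{6,14}$/.test(phone)) return null;
  return {
    to: phone,
    message:
      "An account has been created for you. To sign in, open the login page, " +
      "choose Forgot Password, and set your own password with the code sent to this number.",
  };
}

// Hook entry point (assumed shape: called with the event, nothing returned).
export default async function (event: UserCreatedEvent): Promise<void> {
  const plan = planSmsNotification(event);
  if (plan !== null) await sendSms(plan.to, plan.message);
}

// Placeholder for your SMS provider; only logs here so the example runs offline.
async function sendSms(to: string, message: string): Promise<void> {
  console.log(`SMS to ${to}: ${message}`);
}
```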
You can skip the step of choosing a random secure password for your new user: on the Create User page, select the "Automatically create a password and send to the user" radio button and Authgear will generate one and send it to the user.
On the Create User page, just below the "Send the password to user's email" checkbox, you'll find an "Ask user to change password on login" checkbox, which is checked by default.
If you wish to force users to change their password after they log in with the password that was set for them in Authgear Portal, either by an admin or automatically, make sure the "Ask user to change password on login" box is checked. Otherwise, uncheck it if you wish to allow users to continue using the password you set for them.
When you're done with the above steps, click on the Add User button on the top left corner of the Create User page to create the new account.
Users can still log in to their new account if they lose or can't find the password you set for them. To log in, they can click the Forgot Password button on the login page. A verification code or link will be sent to the user via email or text message, after which the user can set a new password and continue using it to log in to their account.
As an alternative to the above steps, you can create a new user account from the Admin API and have Authgear send the user their password using the following Admin API mutation:
The input parameter of the createUser mutation includes the following objects and fields:
definition: The value of this field is loginID. In loginID, you define the identity type using the key field and the actual value of the identity (e.g. the user's email address) in the value field.
password: Enter the value of the password you wish to set for the user here.
sendPassword: Set this field to true or false to enable or disable the automatic sending of the password to the user.
setPasswordExpired: Set to true to force the user to change their password on login.
The resetPassword Admin API mutation also supports the sendPassword and setPasswordExpired inputs. Hence, you can use it to set a password for a user you've already created when you want to send them a new password and require them to change it on their next login.
Example:
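As an added example (not Authgear's own code or SDK), a small TypeScript helper that assembles the createUser and resetPassword requests from the fields described above and enforces the caveat that Authgear only emails passwords. The GraphQL input type names, the user { id } selection and the resetPassword userID argument are assumptions, as is the 12-character minimum password length:

```typescript
// Added example, not Authgear's own code. Builds Admin API request bodies from the
// fields this guide describes; type names and the userID argument are assumptions.
type LoginIDKey = "email" | "phone" | "username";

interface PasswordOptions {
  password: string;
  sendPassword: boolean;       // let Authgear email the password to the user
  setPasswordExpired: boolean; // require a password change on next login
}

interface GraphQLRequest { query: string; variables: Record<string, unknown> }

const CREATE_USER = `mutation CreateUser($input: CreateUserInput!) {
  createUser(input: $input) { user { id } }
}`;

const RESET_PASSWORD = `mutation ResetPassword($input: ResetPasswordInput!) {
  resetPassword(input: $input) { user { id } }
}`;

// Local sanity checks before anything is sent. Authgear only delivers passwords
// by email, so sendPassword on a phone or username identity would deliver nothing;
// fail loudly instead of letting the user end up without credentials.
function checkOptions(opts: PasswordOptions, key: LoginIDKey): void {
  if (opts.password.length < 12) throw new Error("password shorter than 12 characters");
  if (opts.sendPassword && key !== "email") {
    throw new Error(`sendPassword only works for email identities, not ${key}; notify via webhook instead`);
  }
}

export function createUserRequest(key: LoginIDKey, value: string, opts: PasswordOptions): GraphQLRequest {
  checkOptions(opts, key);
  return {
    query: CREATE_USER,
    variables: { input: { definition: { loginID: { key, value } }, ...opts } },
  };
}

// identityKey tells the check which login ID the existing user signs in with.
export function resetPasswordRequest(userID: string, identityKey: LoginIDKey, opts: PasswordOptions): GraphQLRequest {
  checkOptions(opts, identityKey);
  return { query: RESET_PASSWORD, variables: { input: { userID, ...opts } } };
}
```

Post the returned object as JSON to your Admin API endpoint with the usual Admin API authentication; the query strings are plain GraphQL documents.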
The steps described in this post show how you can customize the post-account-creation experience for accounts created for a user by an admin.
For the particular case we considered, we described how to use webhooks to notify a user about their new account and what they should do next. Even if you use other tools to notify users about their new account, it's worth noting that Authgear's user.created event can tell you when a new account has been created.