Managing User Accounts

On the Users page, you can manage user accounts. The Stitch console makes it easy to create test user accounts, delete user accounts, and revoke sessions.

Creating an Email/Password User

In most cases, you do not need to manually create MongoDB Stitch users. If, for example, the Email/Password authentication provider is enabled, users will be prompted to create their own accounts the first time they connect to your Stitch application. For all other authentication providers, the user object is created when an end user authenticates for the first time.

However, for testing and debugging with the Email/Password authentication provider, you can create new users from within the MongoDB Stitch admin console.

Use the following procedure to manually create a new user:

  1. Select Users from the left-side navigation.

  2. Click the Add New User button.

  3. Specify an email address and password for the new user.

    Note

    The Email/Password authentication provider requires passwords to be between 6 and 128 characters long.

  4. Click Create.

Note

You can also create API keys that applications use to connect to your MongoDB Stitch application. While these are not associated with a single user, they are listed in the Users tab. To learn more about API keys, see API Key Authentication.

Deleting or Disabling a User

There may be a situation when you need to disable or completely remove a user from your MongoDB Stitch application. To do so, use the following procedure:

  1. Select Users from the left-hand navigation.
  2. Select either Confirmed or Pending, depending on the current state of the user you wish to delete.
  3. Under the Users tab, find a user in the list and click on the ellipsis (...).
  4. Choose either Disable User or Delete User. Both options invalidate all access tokens and refresh tokens for the user, and the user can no longer log in. Delete User also removes the account from your Stitch application. Users that have not yet been confirmed cannot be disabled, only deleted.

Note

Deleting a user will not automatically delete any data in your MongoDB database that you have associated with that user. For example, if you have a todo_items collection with an "owner_id" field, deleting a user will not automatically delete all of their To-Do items. You will need to manually remove those documents from your database if you want to fully remove all traces of that user.
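The cleanup described in the note above can be scripted. The following is an added example, not code from the Stitch documentation or SDK: it assumes `db` is a MongoDB Node.js driver `Db` handle, and `purgeUserData` and `OWNED_COLLECTIONS` are hypothetical names. It defaults to a dry run that only counts matching documents, and it rejects any user ID that is not a plain string so that a query-operator object cannot widen the delete filter.

```javascript
// Added example: remove documents that still reference a deleted Stitch user.
// OWNED_COLLECTIONS is a hypothetical map of collection name -> field that
// stores the owning user's ID (todo_items / owner_id come from the note above).
const OWNED_COLLECTIONS = { todo_items: "owner_id" };

// `db` is assumed to be a MongoDB Node.js driver Db handle.
async function purgeUserData(db, userId, { dryRun = true, owned = OWNED_COLLECTIONS } = {}) {
  // Only accept a non-empty string. An object such as { $ne: null } would be
  // interpreted as a query operator and match every user's documents.
  if (typeof userId !== "string" || userId.length === 0) {
    throw new TypeError("userId must be a non-empty string");
  }

  const report = {};
  for (const [name, field] of Object.entries(owned)) {
    const coll = db.collection(name);
    const filter = { [field]: userId }; // exact match on the owner field

    if (dryRun) {
      // Report what would be removed without changing anything.
      report[name] = await coll.countDocuments(filter);
    } else {
      const result = await coll.deleteMany(filter);
      report[name] = result.deletedCount;
    }
  }
  return report; // e.g. { todo_items: <number of documents> }
}
```

Run it once with the default dry run to review the counts, then again with `{ dryRun: false }` to delete.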

Confirming a User

You must confirm the email address of new Email/Password users before they are permitted to log into MongoDB Stitch. The exact method of confirmation depends upon your provider configuration, but typically involves a handshake process between the user and your application. You can read more about Email/Password user confirmation at Email/Password Confirmation.

Sometimes, however, users are unable to complete the confirmation process. For example:

  • an overzealous spam filter might block Stitch confirmation emails
  • a proxy or web blocker could prevent a user from activating the confirmUser client SDK function via the client application
  • an implementation error could cause the client application’s user confirmation page to fail for specific use cases

To help you work around cases like this, Stitch allows you to manually confirm users. To manually confirm a user from the Stitch UI:

  1. Select Users from the left-hand navigation.
  2. Under the Users tab, select the PENDING button.
  3. Find the user in the list and click on the ellipsis (...).
  4. Select the Confirm User option from the context menu that appears.
  5. If the operation succeeds, the banner at the top of the MongoDB Stitch admin console should display a confirmation message. The user’s User Status changes from Pending Confirmation to Pending User Login.

A manually confirmed user continues to appear in the PENDING user list until they log in to your application for the first time, at which point Stitch moves them into the list of confirmed users and transitions their User Status to confirmed.

Re-run User Confirmation Workflow

A few circumstances can lead to incomplete Email/Password user confirmation workflows:

  • An email is caught by a spam filter, not delivered due to a bug, or accidentally deleted by a prospective Stitch user.
  • A custom confirmation function is unable to communicate with an unconfirmed user due to a bug or oversight.
  • An unconfirmed user forgot to visit their confirmation link within 30 minutes of receiving their login tokens and the tokens expired.

Users caught in this situation appear stuck in an unconfirmed state. They cannot create another account with their email address since it is registered to an existing account, but they cannot log into their existing account because it has not been confirmed.

Applications that use Stitch’s built-in email confirmation service can use the resendConfirmationEmail Client SDK method to send a new email with a new confirmation link to the user, allowing them to confirm their account and log in. An application that uses any confirmation flow other than sending a confirmation email generates an error if it calls this method.

There is no equivalent method specifically for re-running a custom confirmation function. Instead, Stitch has a method to trigger a re-run of whatever the current Email/Password user confirmation workflow happens to be. You can manually re-run the currently selected user confirmation flow using the Stitch Admin API or via the Stitch UI.

To re-run the confirmation workflow for a user through the Stitch UI:

  1. Select Users from the left-hand navigation.
  2. Under the Users tab, select the PENDING button.
  3. Find the user in the list and click on the ellipsis (...).
  4. Select the Run user confirmation option from the context menu that appears.
  5. Select the Run User Confirmation button in the dialogue box that appears.
  6. If the operation succeeds, the banner at the top of the MongoDB Stitch admin console should display a confirmation message. The user’s User Status changes from Pending Confirmation to Pending User Login. Once the user logs in, they will move into the active users list automatically.

If the re-run fails or the user’s tokens expire again, you can re-run the confirmation function as many times as necessary.

Revoking User Sessions

Situations may arise where you need to log a particular user out of all of their sessions, and prevent them from making further requests until they reauthenticate. The MongoDB Stitch admin console makes this a straightforward process.

Use the following procedure to revoke all the sessions for a particular user:

  1. Select Users from the left-side navigation.
  2. Under the Users tab, find a user in the list and click on the ellipsis (...).
  3. Click Revoke all sessions. This invalidates all access tokens and refresh tokens for that user. This means that to perform any further requests in any of their sessions, they will need to reauthenticate.