Managing User Accounts
On the Users page, you can manage user accounts. The Stitch console makes it easy to create test user accounts, delete user accounts, and revoke sessions.
Creating an Email/Password User
In most cases, you do not need to manually create MongoDB Stitch users. If, for example, the Email/Password authentication provider is enabled, users will be prompted to create their own accounts the first time they connect to your Stitch application. For all other authentication providers, the user object is created when an end user authenticates for the first time.
However, for testing and debugging with the Email/Password authentication provider, you can create new users from within the MongoDB Stitch admin console.
Use the following procedure to manually create a new user:
- Select Users from the left-side navigation.
- Click the Add New User button.
- Specify an email address and password for the new user.
Note
The Email/Password authentication provider requires passwords to be between 6 and 128 characters long.
- Click Create.
Note
You can also create API keys that applications use to connect to your MongoDB Stitch application. While these are not associated with a single user, they are listed in the Users tab. To learn more about API keys, see API Key Authentication.
Deleting or Disabling a User
There may be a situation when you need to disable or completely remove a user from your MongoDB Stitch application. To do so, use the following procedure:
- Select Users from the left-hand navigation.
- Select either Confirmed or Pending, depending on the current state of the user you wish to delete.
- Under the Users tab, find a user in the list and click on the ellipsis (...).
- Choose either Disable User or Delete User. Both options invalidate all access tokens and refresh tokens for the user, and the user can no longer log in. Delete User also removes the account from your Stitch application. Users that have not yet been confirmed cannot be disabled, only deleted.
Note
Deleting a user will not automatically delete any data in your MongoDB database that you have associated with that user. For example, if you have a todo_items collection with an "owner_id" field, deleting a user will not automatically delete all of their To-Do items. You will need to manually remove those documents from your database if you want to fully remove all traces of that user.
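One way to script the manual cleanup described in the note above, as an added example that is not part of the original documentation. The `OWNED` inventory, the `todo_shares` collection and its `shared_by` field, `purgeUserData`, and the in-memory database are assumptions made for illustration; only `todo_items` and `owner_id` come from the page.

```javascript
// Added example. OWNED is an assumed inventory of where user-linked data lives:
// collection name -> field holding the Stitch user id (todo_shares is hypothetical).
const OWNED = { todo_items: "owner_id", todo_shares: "shared_by" };

// db: any handle exposing collection(name) with countDocuments() and deleteMany(),
// as the MongoDB Node.js driver's Db object does.
async function purgeUserData(db, userId, { owned = OWNED, dryRun = true } = {}) {
  // Accept only a non-empty string: an undefined id or an operator object
  // such as { $ne: null } would make the filter match other users' documents.
  if (typeof userId !== "string" || userId.length === 0) {
    throw new TypeError("userId must be a non-empty string");
  }
  const report = {};
  for (const [name, field] of Object.entries(owned)) {
    const coll = db.collection(name);
    const filter = { [field]: userId };
    report[name] = dryRun
      ? await coll.countDocuments(filter) // preview only, nothing is removed
      : (await coll.deleteMany(filter)).deletedCount;
  }
  return report;
}

// Constructed in-memory stand-in so the example runs offline (equality filters only).
function makeFakeDb(data) {
  const rows = (name) => data[name] || [];
  const match = (doc, f) => Object.entries(f).every(([k, v]) => doc[k] === v);
  return {
    collection: (name) => ({
      countDocuments: async (f) => rows(name).filter((d) => match(d, f)).length,
      deleteMany: async (f) => {
        const before = rows(name).length;
        data[name] = rows(name).filter((d) => !match(d, f));
        return { deletedCount: before - data[name].length };
      },
    }),
  };
}

// Constructed sample data: user "u1" has already been deleted in the console.
function sampleData() {
  return {
    todo_items: [{ _id: 1, owner_id: "u1" }, { _id: 2, owner_id: "u2" }, { _id: 3, owner_id: "u1" }],
    todo_shares: [{ _id: 9, shared_by: "u1" }],
  };
}
```

Run it with `dryRun` left at its default first and compare the reported counts with what you expect for that user before deleting.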
Confirming a User
You must confirm the email address of new Email/Password users before they are permitted to log into MongoDB Stitch. The exact method of confirmation depends upon your provider configuration, but typically involves a handshake process between the user and your application. You can read more about Email/Password user confirmation at Email/Password Confirmation.
Sometimes, however, users are unable to complete the confirmation process. For example:
- an overzealous spam filter might block Stitch email confirmation emails
- a proxy or web blocker could prevent a user from activating the confirmUser client SDK function via the client application
- an implementation error could cause the client application’s user confirmation page to fail for specific use cases.
To help you work around cases like this, Stitch allows you to manually confirm users. To manually confirm a user from the Stitch UI:
- Select Users from the left-hand navigation.
- Under the Users tab, select the PENDING button.
- Find the user in the list and click on the ellipsis (...).
- Select the Confirm User option from the context menu that appears.
- If the operation succeeds, the banner at the top of the MongoDB Stitch admin console should display a confirmation message. The user’s User Status changes from Pending Confirmation to Pending User Login.
A manually confirmed user continues to appear in the PENDING user list until they log in to your application for the first time, at which point Stitch moves them into the list of confirmed users and transitions their User Status to confirmed.
Re-run User Confirmation Workflow
A few circumstances can lead to incomplete Email/Password user confirmation workflows:
- An email is caught by a spam filter, not delivered due to a bug, or accidentally deleted by a prospective Stitch user.
- A custom confirmation function is unable to communicate with an unconfirmed user due to a bug or oversight.
- An unconfirmed user forgot to visit their confirmation link within 30 minutes of receiving their login tokens and the tokens expired.
Users caught in this situation appear stuck in an unconfirmed state. They cannot create another account with their email address since it is registered to an existing account, but they cannot log into their existing account because it has not been confirmed.
Applications that use Stitch’s built-in email confirmation service can use the resendConfirmationEmail Client SDK method to send a new email with a new confirmation link to the user, allowing them to confirm their account and log in. Any application using a confirmation flow other than send a confirmation email will generate an error if this method is called.
There is no such specific method to re-run a custom confirmation function. Instead, Stitch has a method to trigger a re-run of whatever the current Email/Password user confirmation workflow happens to be. You can manually re-run the currently selected user confirmation flow using the Stitch Admin API or via the Stitch UI:
To re-run the confirmation workflow for a user through the Stitch UI:
- Select Users from the left-hand navigation.
- Under the Users tab, select the PENDING button.
- Find the user in the list and click on the ellipsis (...).
- Select the Run user confirmation option from the context menu that appears.
- Select the Run User Confirmation button in the dialogue box that appears.
- If the operation succeeds, the banner at the top of the MongoDB Stitch admin console should display a confirmation message. The user’s User Status changes from Pending Confirmation to Pending User Login. Once the user logs in, they will move into the active users list automatically.
If the re-run fails or the user’s tokens expire again, you can re-run the confirmation function as many times as necessary.
Revoking User Sessions
Situations may arise where you need to log a particular user out of all of their sessions, and prevent them from making further requests until they reauthenticate. The MongoDB Stitch admin console makes this a straightforward process.
Use the following procedure to revoke all the sessions for a particular user:
- Select Users from the left-side navigation.
- Under the Users tab, find a user in the list and click on the ellipsis (...).
- Click Revoke all sessions. This invalidates all access tokens and refresh tokens for that user. This means that to perform any further requests in any of their sessions, they will need to reauthenticate.