Features Locations Pricing FAQ Docs Blog
Log in Get Started →

User Authentication

PocketBase ships with a complete authentication system out of the box: email/password login, OAuth2 providers (Google, GitHub, and more), email verification, and password reset — no extra services required.

Auth collections

Users live in auth collections. Every instance starts with a built-in users collection, and you can create additional ones (e.g., staff) if you need separate user types.

Email / password auth

Register a user

await pb.collection("users").create({
  email: "[email protected]",
  password: "s3cr3t-password",
  passwordConfirm: "s3cr3t-password",
});

Log in

const authData = await pb
  .collection("users")
  .authWithPassword("[email protected]", "s3cr3t-password");

console.log(pb.authStore.isValid); // true
console.log(pb.authStore.token);   // JWT
console.log(pb.authStore.record);  // the user record

The SDK stores the token in pb.authStore (backed by localStorage in the browser) and automatically sends it with every subsequent request.

Log out

pb.authStore.clear();

OAuth2 login (Google, GitHub, …)

  1. Open your instance’s admin panel at https://<instance-name>.pocketbasecloud.com/_/
  2. Go to Collections → users → Options → OAuth2
  3. Enable a provider and paste in its client ID and secret

Then in your app the whole flow is one call:

const authData = await pb
  .collection("users")
  .authWithOAuth2({ provider: "google" });

PocketBase opens the provider’s consent screen, handles the redirect, and creates the user record on first login.

Tip: when registering the OAuth app with the provider, use https://<instance-name>.pocketbasecloud.com/api/oauth2-redirect as the redirect URL.

Email verification and password reset

PocketBase generates the verification and reset flows for you:

// send a verification email
await pb.collection("users").requestVerification("[email protected]");

// send a password reset email
await pb.collection("users").requestPasswordReset("[email protected]");

Email templates and the sender address can be customized in the admin panel under Settings → Mail settings.

Protecting data per user

Combine auth with API rules to scope records to their owner. A common pattern is an owner relation field on the collection with rules like:

@request.auth.id != "" && owner = @request.auth.id

Next steps