User Authentication
PocketBase ships with a complete authentication system out of the box: email/password login, OAuth2 providers (Google, GitHub, and more), email verification, and password reset — no extra services required.
Auth collections
Users live in auth collections. Every instance starts with a built-in
users collection, and you can create additional ones (e.g., staff) if you
need separate user types.
Email / password auth
Register a user
await pb.collection("users").create({
email: "[email protected]",
password: "s3cr3t-password",
passwordConfirm: "s3cr3t-password",
});
Log in
const authData = await pb
.collection("users")
.authWithPassword("[email protected]", "s3cr3t-password");
console.log(pb.authStore.isValid); // true
console.log(pb.authStore.token); // JWT
console.log(pb.authStore.record); // the user record
The SDK stores the token in pb.authStore (backed by localStorage in the
browser) and automatically sends it with every subsequent request.
Log out
pb.authStore.clear();
OAuth2 login (Google, GitHub, …)
- Open your instance’s admin panel at
https://<instance-name>.pocketbasecloud.com/_/ - Go to Collections → users → Options → OAuth2
- Enable a provider and paste in its client ID and secret
Then in your app the whole flow is one call:
const authData = await pb
.collection("users")
.authWithOAuth2({ provider: "google" });
PocketBase opens the provider’s consent screen, handles the redirect, and creates the user record on first login.
Tip: when registering the OAuth app with the provider, use
https://<instance-name>.pocketbasecloud.com/api/oauth2-redirectas the redirect URL.
Email verification and password reset
PocketBase generates the verification and reset flows for you:
// send a verification email
await pb.collection("users").requestVerification("[email protected]");
// send a password reset email
await pb.collection("users").requestPasswordReset("[email protected]");
Email templates and the sender address can be customized in the admin panel under Settings → Mail settings.
Protecting data per user
Combine auth with API rules to
scope records to their owner. A common pattern is an owner relation field on
the collection with rules like:
@request.auth.id != "" && owner = @request.auth.id