Identity & End-User Authentication

FLXBL provides complete authentication infrastructure for your application's end users. By marking any entity as an Identity Entity, you enable registration, login, password reset, and JWT-based authentication - without writing any auth code.

Important Distinction: This page covers authentication for your application's end-users (customers, members, etc.), not for FLXBL tenant users. For API keys and team management, see API Keys and User Management.

Key Concept: An Identity Entity is any entity in your schema that you designate to represent your application's users. It must have a PASSWORD field and an identifier field (like email). FLXBL then provides all auth endpoints automatically.

How Identity Entities Work

When you create an entity with isIdentity: true and specify an identifierField, FLXBL automatically enables a complete authentication system for records of that entity type.

flowchart TB
    subgraph schema [Your Schema]
        direction TB
        Product[Product Entity]
        Order[Order Entity]
        Customer["Customer Entity
isIdentity: true
identifierField: email"]
    end
    
    subgraph flxbl [FLXBL Provides]
        direction TB
        Register["register endpoint"]
        Login["login endpoint"]
        Verify["verify endpoint"]
        Reset["reset-password endpoint"]
        Refresh["refresh endpoint"]
    end
    
    Customer --> Register
    Customer --> Login
    Customer --> Verify
    Customer --> Reset
    Customer --> Refresh

Marking an entity as Identity enables all authentication endpoints

What You Get

User Registration - End users can sign up with validated, hashed passwords
Email Verification - Optional email verification flow with customizable templates
Login with JWT - Secure authentication returning access and refresh tokens
Password Reset - Complete forgot/reset password flow via email
Token Refresh - Automatic token renewal without re-authentication
Profile Endpoint - Authenticated users can retrieve their own data

Dual Access Pattern

Identity entities have a unique property in FLXBL: they're accessible through two different APIs:

Access Method	Use Case	Authentication
Identity API `/api/v1/identity/:tenantId`	End-user self-service: register, login, reset password	None (public) or end-user JWT
Dynamic API `/api/v1/dynamic/Customer`	Admin operations: list users, bulk updates, reports	API key or tenant JWT

This dual access means your admin dashboard can manage users via Dynamic API while your end-users register and log in via Identity API — all from the same entity.

Learn more about building applications with these patterns in Integration Patterns.

Creating an Identity Entity

To enable end-user authentication, create an entity with a PASSWORD field and mark it as your identity provider. The entity can have any name (User, Customer, Member, etc.) and any additional fields you need.

// When creating your schema, mark an entity as Identity
// This enables end-user authentication for YOUR application's users

// Via MCP (AI Assistant)
"Create a Customer entity with email and password fields,
 and mark it as the identity entity using email as the identifier"

// The AI creates:
{
  "name": "Customer",
  "fields": [
    { "name": "email", "type": "STRING", "required": true, "unique": true },
    { "name": "password", "type": "PASSWORD", "required": true },
    { "name": "name", "type": "STRING" },
    { "name": "phone", "type": "STRING" }
  ],
  "isIdentity": true,           // This entity provides authentication
  "identifierField": "email"    // Users log in with their email
}

Requirements

Requirement	Description
`PASSWORD` field	At least one field with type `PASSWORD`. Automatically hashed with bcrypt.
`identifierField`	The field used for login (typically `email`). Should be unique.
`isIdentity: true`	Marks this entity as the authentication provider for your tenant.

End-User Authentication Flow

flowchart LR
    subgraph register [Registration]
        R1[End User] -->|POST register| R2[Create Node]
        R2 -->|success| R3[Send Verification Email]
        R3 -->|email sent| R4[User Verifies]
    end
    
    subgraph login [Authentication]
        L1[End User] -->|POST login| L2[Verify Password]
        L2 -->|Valid| L3[JWT Tokens]
        L2 -->|Invalid| L4[401 Error]
    end
    
    R4 -->|verified| L1

Registration and login flow for end users

Registration

End users register through the identity endpoints. FLXBL handles password hashing, validation, duplicate checking, and optional email verification.

// Your app's end users register via the identity endpoints
// FLXBL handles password hashing, validation, and email verification

POST /api/v1/identity/{tenantId}/register
{
  "email": "customer@example.com",
  "password": "SecurePassword123",
  "name": "Jane Customer",
  "phone": "+1-555-0123"
}

// Response
{
  "id": "node_abc123",
  "message": "Registration successful. Please check your email to verify your account."
}

Login

Authenticated users receive JWT access and refresh tokens. The access token is used for API requests; the refresh token is used to obtain new access tokens.

// End users authenticate and receive JWT tokens
POST /api/v1/identity/{tenantId}/login
{
  "identifier": "customer@example.com",
  "password": "SecurePassword123"
}

// Response
{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "refreshToken": "rf_abc123def456...",
  "expiresIn": 900,  // 15 minutes in seconds
  "user": {
    "id": "node_abc123",
    "email": "customer@example.com",
    "name": "Jane Customer",
    "phone": "+1-555-0123"
    // Note: password field is automatically redacted
  }
}

Token Refresh

flowchart LR
    subgraph tokens [Token Lifecycle]
        AT["Access Token
15-60 min"] -->|Expires| RT["Refresh Token
7-30 days"]
        RT -->|Issues new| AT
        RT -->|Expired| Login[Re-login Required]
    end

Token lifecycle and refresh mechanism

// When access token expires, use refresh token to get a new one
POST /api/v1/identity/{tenantId}/refresh
{
  "refreshToken": "rf_abc123def456..."
}

// Response
{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "expiresIn": 900
}

Get Profile

Authenticated end users can retrieve their own profile data. Password fields are automatically redacted from the response.

// Authenticated end users can retrieve their profile
GET /api/v1/identity/{tenantId}/me
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

// Response
{
  "id": "node_abc123",
  "email": "customer@example.com",
  "name": "Jane Customer",
  "phone": "+1-555-0123",
  "_isVerified": true
}

Password Reset

FLXBL provides a complete password reset flow with rate limiting and secure tokens.

// Step 1: Request password reset
POST /api/v1/identity/{tenantId}/forgot-password
{
  "identifier": "customer@example.com"
}
// Always returns success (prevents user enumeration)

// Step 2: User receives email with reset token
// Step 3: Reset password with token
POST /api/v1/identity/{tenantId}/reset-password
{
  "token": "reset_token_from_email",
  "password": "NewSecurePassword456"
}

Configuration Options

Customize token lifetimes, password requirements, and email verification settings for your tenant. These settings apply to all end-user authentication.

Viewing Configuration

// Get current identity configuration (admin only)
GET /api/v1/identity/config
Authorization: Bearer {admin_token}

// Response
{
  "accessTokenExpiryMinutes": 15,
  "refreshTokenExpiryDays": 7,
  "minPasswordLength": 8,
  "requireEmailVerification": true
}

Updating Configuration

// Update identity configuration (admin only)
PATCH /api/v1/identity/config
Authorization: Bearer {admin_token}
{
  "accessTokenExpiryMinutes": 30,
  "refreshTokenExpiryDays": 14,
  "minPasswordLength": 12,
  "requireEmailVerification": true
}

Via MCP (AI Assistant)

// Using the FLXBL MCP tool
// In Cursor/Windsurf, ask the AI:

"View my current identity configuration"
// AI uses configure_identity with action: "get"

"Update token expiry to 30 minutes access 
 and 14 days refresh"
// AI uses configure_identity with action: "update"

Available Settings

Option	Type	Default	Description
`accessTokenExpiryMinutes`	Number (1-1440)	15	How long access tokens are valid
`refreshTokenExpiryDays`	Number (1-365)	7	How long refresh tokens are valid
`minPasswordLength`	Number (6-128)	8	Minimum password length requirement
`requireEmailVerification`	Boolean	true	Whether users must verify email before login
`verificationEmailTemplate`	String (Handlebars)	Default template	Custom verification email HTML
`passwordResetEmailTemplate`	String (Handlebars)	Default template	Custom password reset email HTML

Email Templates

Customize the emails sent to users for verification and password reset. Templates use Handlebars syntax for variable substitution.

Verification Email

// Customize verification email template (Handlebars)
PATCH /api/v1/identity/config
{
  "verificationEmailTemplate": "
    <h1>Welcome to {{tenantName}}!</h1>
    <p>Hi there! Click below to verify your email:</p>
    <a href='{{verificationLink}}'>Verify Email</a>
    <p>This link expires in 24 hours.</p>
  "
}

// Available template variables:
// {{tenantName}} - Your tenant name
// {{verificationLink}} - The verification URL
// {{userEmail}} - User's email address

Password Reset Email

// Customize password reset email
PATCH /api/v1/identity/config
{
  "passwordResetEmailTemplate": "
    <h1>Reset Your Password</h1>
    <p>Click below to reset your password:</p>
    <a href='{{resetLink}}'>Reset Password</a>
    <p>If you didn't request this, ignore this email.</p>
  "
}

// Available template variables:
// {{resetLink}} - The password reset URL
// {{userEmail}} - User's email address
// {{tenantName}} - Your tenant name

Security Features

FLXBL enforces security best practices for all identity operations:

Bcrypt hashing - Passwords are securely hashed, never stored in plain text
Rate limiting - Login and registration attempts are rate-limited per IP
Timing-safe comparison - Prevents timing attacks on password verification
Enumeration prevention - Password reset always returns success (doesn't reveal if user exists)
Token expiration - Verification and reset tokens expire after 24h and 1h respectively
Automatic redaction - Password fields are never returned in API responses

Security Recommendations

High Security (Financial, Healthcare)

Setting	Value
Access token expiry	15 minutes
Refresh token expiry	1 day
Min password length	16 characters
Email verification	Required

Balanced (Most Applications)

Setting	Value
Access token expiry	30 minutes
Refresh token expiry	7 days
Min password length	10 characters
Email verification	Required

Convenience (Internal Tools)

Setting	Value
Access token expiry	60 minutes
Refresh token expiry	30 days
Min password length	8 characters
Email verification	Optional

API Endpoints Reference

All identity endpoints are scoped to your tenant:

Endpoint	Method	Auth	Description
`/api/v1/identity/{tenantId}/register`	POST	None	Register a new end user
`/api/v1/identity/{tenantId}/login`	POST	None	Authenticate and get tokens
`/api/v1/identity/{tenantId}/verify`	POST	None	Verify email with token
`/api/v1/identity/{tenantId}/forgot-password`	POST	None	Request password reset email
`/api/v1/identity/{tenantId}/reset-password`	POST	None	Reset password with token
`/api/v1/identity/{tenantId}/refresh`	POST	None	Refresh access token
`/api/v1/identity/{tenantId}/logout`	POST	None	Revoke refresh token
`/api/v1/identity/{tenantId}/me`	GET	End-User JWT	Get authenticated user's profile
`/api/v1/identity/config`	GET	Admin JWT	Get identity configuration
`/api/v1/identity/config`	PUT	Admin JWT	Update identity configuration

Next Steps

Schema Design - Learn about field types including PASSWORD
User Management - Manage admin users (different from end users)
Access Control - Configure roles and permissions
API Keys - Create keys for programmatic access