Usermatic is the wrapper component for all Usermatic applications. Any
part of your application that uses Usermatic components or hooks must
be inside a <Usermatic> component.
Placing <Usermatic> in your _app.js file is usually the easiest way to
set up Usermatic.
The ID of the Usermatic Application.
The React components within which Usermatic will be used. (Typically your entire application).
Provide custom display components to use when rendering Usermatic components. See "Customizing Usermatic" for more information
If true, insert Usermatic diagnostics into your application. Defaults to false.
The URI of the Usermatic API endpoint. For development use only.
If true, add bootstrap class names to Usermatic components. Use this if your application uses bootstrap. Defaults to true.
If true, add class names begining with the um- prefix to Usermatic
HTML elements, so that you can style Usermatic with your own CSS.
Defaults to false.
// Using Usermatic in a NextJS app.// File: pages/_app.jsimport { Usermatic } from '@usermatic/client'function MyApp({ Component, pageProps }) {// Replace appId with your usermatic application id.return <Usermatic appId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"><Component {...pageProps} /></Usermatic>}
// Using Usermatic with Create React App.// File: src/index.jsimport React from 'react';import ReactDOM from 'react-dom';import './index.css';import App from './App';import { Usermatic } from '@usermatic/client'// Replace appId with your usermatic application id.ReactDOM.render(<React.StrictMode><Usermatic appId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"><App /></Usermatic></React.StrictMode>,document.getElementById('root'));
<LoginForm> allows users to log in to your application. It handles both
password and Oauth logins. Oauth login buttons are automatically displayed
for any Oauth provider that you have enabled for your Usermatic app.
Display components for LoginForm. See 'Customizing Usermatic' for more information.
onChangeMode is called when the LoginForm switches "modes". For instance,
if the user clicks the "Forgot Password" button, onChangeMode will be called with
the 'forgotpw' argument.
onLogin is called after the user successfully logs in.
<AccountCreationForm> allows users to create accounts on your site.
Display components for AccountCreationForm. See 'Customizing Usermatic' for more information.
If true, the user will be automatically logged in as soon as their account has been created. Note that if you have set the "Require verified email for login" setting to true in your application settings, this option will not work.
onLogin() is called after the user is successfully logged in.
If set, the strength of the user's password is displayed and automatically updated as they modify it.
<AddTotpForm> allows the user to configure time-based one time passwords
(e.g. Google Authenticator) for their account.
<AccountCreationForm> allows users to create accounts on your site.
Display components for AccountCreationForm. See 'Customizing Usermatic' for more information.
If true, the user will be automatically logged in as soon as their account has been created. Note that if you have set the "Require verified email for login" setting to true in your application settings, this option will not work.
onLogin() is called after the user is successfully logged in.
If set, the strength of the user's password is displayed and automatically updated as they modify it.
<RequestPasswordResetForm> allows the user to request a password reset email.
Normally, you do not need to embed this component directly, as <LoginForm>
will display it when the user clicks "Forgot Password"
Custom display components. See 'Customizing Usermatic' for more information.
Called when the user clicks the cancel button instead of submitting their email.
<ResetPasswordForm> allows the user to reset their password using a reset
token that they have obtained via email. This component should be placed
at the location pointed to by the Reset Password URI setting in your
Usermatic application settings.
Display components for ResetPasswordForm. See 'Customizing Usermatic' for more information.
If true, render the "login after reset" option. If the user checks this
box, it has the same effect as if the loginAfterReset property had been
set to true.
If true, the user will be automatically logged in after resetting their
password. Note: This will not work if the user has enabled MFA on their
account. In that case, they will have to log in via <LoginForm>
Called after the user is successfully logged in (which will only happen
if the loginAfterReset property is true.)
If true, the user will be automatically redirected to the URI that has been configured the Usermatic application settings after resetting their password.
The password-reset token, contained in the reset link that was sent to the user via email. If omitted, ResetPasswordForm attempts to find the token in window.location.href, in the 'token' query parameter.
ChangePasswordForm allows the user to change their password.
Display components for ChangePasswordForm. See 'Customizing Usermatic' for more information.
Function to be called after password is successfully changed.
<PasswordScore> estimates the strength of the user's password using zxcvbn
(https://github.com/dropbox/zxcvbn) and displays it using the
customizable <PasswordScoreComponent>
You generally shouldn't use this compoment directly. All the relevant
components (e.g. <AccountCreationForm>, <ChangePasswordForm>, etc) use it
automatically.
Both the username and password properties are debounced at a default interval of 300ms.
Custom display components. See 'Customizing Usermatic' for more information.
Debounce time in ms for both the password and username. Defaults to 300ms.
The user's prospective password.
The user's email address.
<EmailVerifier> uses a email verification token from the URL to
tell the Usermatic API server that the user's email address is now
verified.
This component should be placed on the page located at the "Verification Target URI" setting in your Usermatic application settings.
<ReauthenticateGuard> is used to hide some sensitive action behind a
reauthentication prompt. It first prompts the user for a password, and
uses that password to obtain a reauthentication token from Usermatic.
Once the token has been obtained, <ReauthenticateGuard> renders the child
components that you have passed to it, which presumably implement your
sensitive action.
Those child components can obtain the reauthentication token by calling
useReauthToken(). They should then send the token to your own application
backend, which can use it to verify that the user successfully re-authenticated
before performing the sensitive action.
<ReauthenticateGuard> automatically caches tokens that it obtains. The
maxTokenAge property determines how long they are cached.
See "Reauthenticating before Sensitive actions" for more information.
The components that are guarded by the ReauthenticateGuard. They will be
displayed after reauthentication has occurred, and can obtain the
resulting reauthentication token by called useReauthToken()
Display components for ReauthenticateGuard. See 'Customizing Usermatic' for more information.
maxTokenAge limits how long a token will be cached in your application. The format is anything supported by https://github.com/vercel/ms, e.g. "5m" or "60s" or "2h", etc.
This only controls caching. It has no effect on the expiration time of the token signed by Usermatic. Reauthentication tokens never have an expiration time set. Your application backend must enforce its own expiration time by passing 'maxAge' when verifying the token.
See "Reauthenticating before Sensitive actions" for more information.
onClose() can be used to hook ReauthenticateGuard up to a modal.
It is calledl when the user clicks the "Close" button displayed by
<ReauthenticateGuard>
A prompt to diplay above the password input.
The contents of the token you wish Usermatic to sign. Please remember that the contents of the token can be set to anything by any user, and therefore the security of your application should not rely on the contents of the token. The only thing that the reauthentication token proves is that the tokenContents and a valid password were presented to the Usermatic backend at a certain time.
The purpose of tokenContents is simply to require a user to perform separate reauthentications for differing sensitive actions. For instance, Usermatic itself requires separate reauthentications when you export application data and when you delete an application. It does this by requiring a token with a specific value of tokenContents for each operation.
The rule to bear in mind is that anyone who knows the password can obtain a reauthenticationToken token with any conceivable tokenContents, simply by asking the Usermatic backend.
See "Reauthenticating before Sensitive actions" for more information.
<GenRecoveryCodesForm> allows the user to generate or re-generate
MFA recovery codes.
<GenRecoveryCodesForm> is automatically guarded by <ReauthenticateGuard> which
will prompt the user for their password, as generating new recovery codes is
considered a sensitive action.
<ComponentProvider> allows you to override the default display components used
by Usermatic. For instance if you wish to use a custom text input component
in all Usermatic forms, you can use <ComponentProvider> to do so.
As a convenience, the <Usermatic> component also accepts all the properties
of <ComponentProvider>. If you wish to use the same custom components everywhere
in your app, you can simply pass them to <Usermatic>
<ComponentProvider> also allows you to enable or disable the use of bootstrap
classes or usermatic classes (semantic class names beginning
with um-) in default components. If you are using customized components,
these settings have no effect.
See 'Customizing Usermatic' for more information.
<UserAccountSettings> is essentially an auto-generated profile page
for your users. Simply include it on some page (perhaps /profile),
and your users will automatically have access to basic functionality
such as password changes, MFA configuration, etc.
To customize the appearance of <UserAccountSettings>, you can provide
overrides for the following components: UserAccountSettingsComponent,
SecurityInfoComponent, EmailStatusComponent, PersonalDetailComponent,
LoginMethodsComponent.
See 'Customizing Usermatic' for more information.
Gets the current application ID (as passed to the <Usermatic> component).
Returns the publicly visible configuration of the current app.
May briefly return a hard-coded default config while waiting to load the correct config from the Usermatic backend.
{
"appName": "",
"totpEnabled": false,
"fbLoginEnabled": false,
"fbLoginUrl": "https://usermatic.io/auth/facebook",
"googleLoginEnabled": false,
"googleLoginUrl": "https://usermatic.io/auth/google",
"githubLoginEnabled": false,
"githubLoginUrl": "https://usermatic.io/auth/github"
}Returns the logged-in user's user id, as well as their signed authentication token.
const { userJwt } = useToken()useEffect(() => {if (userJwt) {// Send a query to our backend and include the logged in user's authTokenfetch('/api/hello', {method: 'POST',headers: {'Content-Type': 'application/json','Accept': 'application/json','Authorization': userJwt},body: JSON.stringify({query: "{ hello }"})}).then((result) => {return result.json()}).then((json) => {console.log('got response', json)})}}, [userJwt])
Return the number of valid recovery codes remaining for the currently logged-in user.
useCreateRecoveryCodes is an Apollo mutation operation for generating new recovery codes for the logged in user.
Creating new codes invalidates all existing codes.
You should almost certainly use <GenRecoveryCodesForm> instead of using this
hook directly.
Returns the primary email of the currently logged in user.
If the user has an email/password credential, this will return that email.
Otherwise, if they have only OAuth credentials, this will return the first email from their first OAuth credential.
Return all credentials associated with the currently logged-in user.
Return the password credential, if any, associated with the currently logged-in user.
Return all Oauth credentials that are associated with the currently logged-in user.
Return the TOTP credential, if any, that is associated with the currently logged-in user.
Return all profile photos from all Oauth credentials associated with the currently logged-in user.
Apollo mutation hook for logging out.
In many cases, you can use <LogoutButton> instead of using this hook directly.
Apollo Mutation hook for resetting a user's password via a reset token delivered via email.
You should usually use <ResetPasswordForm> rather than calling this hook
directly.
Apollo Mutation hook for changing the user's password.
You should usually use <ChangePasswordForm> rather than calling this hook
directly.
Apollo Mutation hook for requesting a password reset email.
You should usually use <RequestPasswordResetForm> rather than calling this hook
directly.
Apollo Mutation hook for marking an email address as verified, using an email verification token that was delivered to the user's email address.
You should generally use the <EmailVerifier> component rather than
calling this hook directly.
Apollo Mutation hook for requesting a verification email.
The functionality exposed by this hook is also available via
the <UserAccountSettings> component.
Obtain the reauthentication token provided by <ReauthenticateGuard>.
This token can be sent to your application backend in order to guard sensitive actions, by proving that the user's password was entered within some recent period of time.
See the <ReauthenticateGuard> documentation for an example of how to use
this hook.
Return a cached reauthentication token, if one exists, which has the given
contents and is no older than maxAge.
You should usually use <ReauthenticateGuard> instead of using this hook directly.
<ReauthenticateGuard> will check for a cached token before prompting the user
for their password.
Apollo Mutation hook for obtaining a reauthentication token by submitting the user's password.
You should usually use <ReauthenticateGuard> instead of using this hook
directly.
Type guard function to check if a credential is a password credential
Type guard function to check if a credential is an Oauth credential
Type guard function to check if a credential is a TOTP credential
The id of the user to whom this token pertains
A JWT, signed with the application's secret key, which authenticates the bearer as the user with the id contained in the token.
The ID of the Usermatic Application.
The React components within which Usermatic will be used. (Typically your entire application).
Provide custom display components to use when rendering Usermatic components. See "Customizing Usermatic" for more information
If true, insert Usermatic diagnostics into your application. Defaults to false.
The URI of the Usermatic API endpoint. For development use only.
If true, add bootstrap class names to Usermatic components. Use this if your application uses bootstrap. Defaults to true.
If true, add class names begining with the um- prefix to Usermatic
HTML elements, so that you can style Usermatic with your own CSS.
Defaults to false.
The text input for the email address, as rendered by <EmailAddressInput>
or <InputComponent>
The error message, if any, as rendered via <ErrorMessageComponent>.
The message displayed while waiting for asynchronous actions (e.g. form
submission) to complete, as rendered by <LoadingMessageComponent>
An <img> element using a dataURI to display the QR code containing
the TOTP secret key.
Set to true if TOTP setup has been completed successfully.
The text version of the TOTP secret key, for manual entry
The form in which the user must enter a TOTP code to confirm successful setup of their authenticator app.
The error message, if any, as rendered via <ErrorMessageComponent>.
The input for the new password, as rendered via <PasswordInput> or
<InputComponent>
The password score display, as rendered via <PasswordScoreComponent>
The submit button, as rendered via <Button>
Exact name of button. Used to identify specific uses of <Button> throughout
usermatic so that special-cased styles can be applied, either by the default
Button component or by one supplied by the user.
Semantic role of button. Used by the default Button component to choose the button style.
The text input for the email address, as rendered by <PasswordInput>
or <InputComponent>
CreateAccountFormType controls the layout of the account creation form.
The button that submits the form and creates the account, as rendered
via <Button>
The text input for the email address, as rendered by <EmailAddressInput>
or <InputComponent>
The error message, if any, as rendered via <ErrorMessageComponent>.
The text input for the password, as rendered by <PasswordInput> or
<InputComponent>
The password score display, as rendered via <PasswordScoreComponent>
A checkbox as rendered by <CheckboxComponent>
The error message, if any, as rendered via <ErrorMessageComponent>.
The message displayed while waiting for asynchronous actions (e.g. form
submission) to complete, as rendered by <LoadingMessageComponent>
Component for rendering the new password form used by
<ChangePasswordForm> when it is used to add a password to an
account that doesn't have one.
Component used by <AddTotpForm> for rendering a QR code, and verifying
the authenticator app setup via code entry.
Component for rendering alert messages.
Button component.
Component for rendering the old/new password form used by
<ChangePasswordForm>
Default component for rendering checkboxes in forms.
Component used by <CreateAccountForm> to render the form and its inputs.
Component displayed after successful account creation
Component for rendering the email address input in <LoginForm> and
<AccountCreationForm>. Uses the InputComponent component by default.
Component used by <UserAccountSettings> for displaying a user's
email and its verification status, including a button for re-sending
the verification email.
Component used by <EmailVerifier> when users are verifying their email
via a link sent to that email address.
Component used to render specialized error messages for given application error codes.
Component used to render error messages.
Component to render a facebook login button.
Component for rendering the form show by <LoginForm> * after user
clicks 'forgot password'
Component to render a github login button.
Component to render a google login button.
Default component for rendering text inputs in forms.
Component to display when waiting for an asynchronous action to complete.
Component used by <UserAccountSettings> for displaying a user's
login methods (e.g. password, oauth providers, etc), as well as
allowing them to change their password, remove Oauth providers,
etc.
Component displayed after successful login
Component used by <LoginForm> for rendering the MFA stage of the login
process, including entry of a TOTP code and possible entry of a recovery
code.
Component for rendering Modal dialogs.
Component for rendering the email/password entry form used by <LoginForm>
Component for rendering the password input in <LoginForm> and
<AccountCreationForm>. Uses the InputComponent component by default.
Component used to display the strength of a prospective password to the user.
It is used by <AccountCreationForm>, <ChangePasswordForm>,
<ResetPasswordForm>, and any other components where a new password is entered.
Component used by <UserAccountSettings> for displaying a user's
personal details.
Component renderd by <LoginForm> after successful entry of the a recovery
code, which allows them to optionally disable MFA.
Component to render the re-authorization form used by <ReauthenticateGuard>,
to obtain a user's password before sensitive actions are performed.
Component used to display new recovery codes to the user, after they are
created. Used by <GenRecoveryCodesForm>
Component for rendering the text input for 2FA recovery codes.
Component used by <GenRecoveryCodesForm> to warn the user that their
pre-existing codes will be invalidated, and confirming that they wish
to proceed and generate new codes.
Component for rendering the new password form used by <ResetPasswordForm>
when resetting a password via a password-reset link delivered via email.
Component used by <UserAccountSettings> for displaying a user's 2FA
settings, including recovery code generation.
Component for rendering social login buttons, used by <LoginForm> and
<CreateAccountForm>
Component for rendering the "stay logged in" checkbox in <LoginForm> and
<AccountCreationForm>. Uses the CheckboxComponent component by default.
Component for rendering the text input for TOTP codes.
Component used by <UserAccountSettings> to render the user's profile page
and various account settings components.
The error message, if any, as rendered via <ErrorMessageComponent>.
The URI that the user will be redirected to now that verification is complete. It is passed here so that it can be displayed, e.g. "If you are not redirected, click here"
Set to true if verification has completed successfully.
The cancel button, as rendered via <Button>
The text input for the email address, as rendered by <EmailAddressInput>
or <InputComponent>
The error message, if any, as rendered via <ErrorMessageComponent>.
The submit button, as rendered via <Button>
The message displayed to the user after success.
The application name, as configured in the Usermatic dashboard.
The email of the newly-created user.
The button which allows the user to switch from TOTP code entry to
recovery code entry, as rendered by <Button>
The error message, if any, as rendered via <ErrorMessageComponent>.
The button which allows the user to switch back to TOTP code entry from
recovery code entry, as rendered by <Button>
The message displayed while waiting for asynchronous actions (e.g. form
submission) to complete, as rendered by <LoadingMessageComponent>
The text input for entering a recovery code, as rendered by
<RecoveryCodeInputComponent>
Set to true if the user has clicked "i need to enter a recovery code"
The text input for entering a TOTP code, as rendered by
<TotpInputComponent>
The body of the modal.
Text and other elements to display in the Modal's footer area.
If true, the modal will be rendered and the rest of the page content obscured.
Must be called whenever the user attempts to close the modal, e.g. by clicking outside of it, hitting esc, etc.
Text and other elements to display in the Modal's title area.
The text input for the email address, as rendered by <EmailAddressInput>
or <InputComponent>
The error message, if any, as rendered via <ErrorMessageComponent>.
The "forgot password?" button as rendered by <Button>
The text input for the password, as rendered by <PasswordInput> or
<InputComponent>
The signin/submit button as rendered by <Button>
A checkbox as rendered by <CheckboxComponent>
The minimum requried score set in the Usermatic application settings.
If passwordScore.score is less than minPasswordStrength, the password
will be rejected by Usermatic.
The current score of the password.
The error message, if any, as rendered via <ErrorMessageComponent>.
The message displayed while waiting for asynchronous actions (e.g. form
submission) to complete, as rendered by <LoadingMessageComponent>
Button which dismisses the post recovery code flow.
The button which, when pressed, dismisses the dialog without disabling MFA.
The error message, if any, as rendered via <ErrorMessageComponent>.
True if the user chose to disable MFA after entering their recovery code.
The number of valid recovery codes that the user still has.
The button which, when pressed, disables MFA.
ZXCVBNResult is defined at https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/zxcvbn/index.d.ts
The cancel button, as rendered via <Button>
The error message, if any, as rendered via <ErrorMessageComponent>.
The text input for the password, as rendered by <PasswordInput> or
<InputComponent>
The prompt which will be provided to the user, e.g. "Please enter your password to perform action X".
The submit button, as rendered via <Button>
The error message, if any, as rendered via <ErrorMessageComponent>.
The button which, when pressed, confirms regeneration of recovery codes and invalidation of all previously generated codes.
A checkbox as rendered by <CheckboxComponent>
A checkbox as rendered by <CheckboxComponent>
The message displayed to the user after success.
A component of UserAccountSettingsType is used to customize the user's account settings display.
The account security section, as rendered by <SecurityInfoComponent>
The login methods section, as rendered by <LoginMethodsComponent>
The personal details section, as rendered by <PersonalDetailComponent>
Display components for AccountCreationForm. See 'Customizing Usermatic' for more information.
If true, the user will be automatically logged in as soon as their account has been created. Note that if you have set the "Require verified email for login" setting to true in your application settings, this option will not work.
onLogin() is called after the user is successfully logged in.
If set, the strength of the user's password is displayed and automatically updated as they modify it.
Display components for LoginForm. See 'Customizing Usermatic' for more information.
onChangeMode is called when the LoginForm switches "modes". For instance,
if the user clicks the "Forgot Password" button, onChangeMode will be called with
the 'forgotpw' argument.
onLogin is called after the user successfully logs in.
Display components for ChangePasswordForm. See 'Customizing Usermatic' for more information.
Function to be called after password is successfully changed.
Custom display components. See 'Customizing Usermatic' for more information.
Debounce time in ms for both the password and username. Defaults to 300ms.
The user's prospective password.
The user's email address.
Custom display components. See 'Customizing Usermatic' for more information.
Called when the user clicks the cancel button instead of submitting their email.
Display components for ResetPasswordForm. See 'Customizing Usermatic' for more information.
If true, render the "login after reset" option. If the user checks this
box, it has the same effect as if the loginAfterReset property had been
set to true.
If true, the user will be automatically logged in after resetting their
password. Note: This will not work if the user has enabled MFA on their
account. In that case, they will have to log in via <LoginForm>
Called after the user is successfully logged in (which will only happen
if the loginAfterReset property is true.)
If true, the user will be automatically redirected to the URI that has been configured the Usermatic application settings after resetting their password.
The password-reset token, contained in the reset link that was sent to the user via email. If omitted, ResetPasswordForm attempts to find the token in window.location.href, in the 'token' query parameter.
The components that are guarded by the ReauthenticateGuard. They will be
displayed after reauthentication has occurred, and can obtain the
resulting reauthentication token by called useReauthToken()
Display components for ReauthenticateGuard. See 'Customizing Usermatic' for more information.
maxTokenAge limits how long a token will be cached in your application. The format is anything supported by https://github.com/vercel/ms, e.g. "5m" or "60s" or "2h", etc.
This only controls caching. It has no effect on the expiration time of the token signed by Usermatic. Reauthentication tokens never have an expiration time set. Your application backend must enforce its own expiration time by passing 'maxAge' when verifying the token.
See "Reauthenticating before Sensitive actions" for more information.
onClose() can be used to hook ReauthenticateGuard up to a modal.
It is calledl when the user clicks the "Close" button displayed by
<ReauthenticateGuard>
A prompt to diplay above the password input.
The contents of the token you wish Usermatic to sign. Please remember that the contents of the token can be set to anything by any user, and therefore the security of your application should not rely on the contents of the token. The only thing that the reauthentication token proves is that the tokenContents and a valid password were presented to the Usermatic backend at a certain time.
The purpose of tokenContents is simply to require a user to perform separate reauthentications for differing sensitive actions. For instance, Usermatic itself requires separate reauthentications when you export application data and when you delete an application. It does this by requiring a token with a specific value of tokenContents for each operation.
The rule to bear in mind is that anyone who knows the password can obtain a reauthenticationToken token with any conceivable tokenContents, simply by asking the Usermatic backend.
See "Reauthenticating before Sensitive actions" for more information.