Top questions about authentication

Find answers to common questions about Kinde authentication.

General questions

What authentication methods does Kinde support?

Kinde supports password-based, passwordless (email magic links), phone authentication, social sign-in (Google, Apple, GitHub, etc.), and enterprise connections via SAML. You can mix and match these methods based on your application needs.

Learn more: About authentication

Can I use different authentication methods for different applications?

Yes, authentication settings can be configured per environment and per application. Your production web app and mobile app can have completely different authentication requirements while using the same Kinde account.

Learn more: About authentication

How does multi-domain authentication work?

Kinde supports authenticated sessions across domains and subdomains. Once a user signs in to one domain, they can seamlessly access other subdomains without re-authenticating, as long as you use prompt=none in your auth URLs.

Learn more: About authentication
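
The `prompt=none` flow described above, sketched as an added example (not Kinde's own code or SDK): it builds a silent authorization request and decides what to do with the redirect that comes back, including the case where no session exists. The endpoint, client ID, redirect URI and function names are constructed placeholders; the error codes are the standard OpenID Connect ones for `prompt=none`.

```javascript
// Added example: silent sign-in with prompt=none and its failure handling.
// AUTH_ENDPOINT, CLIENT_ID and REDIRECT_URI are constructed placeholders.
const AUTH_ENDPOINT = 'https://auth.example.com/oauth2/auth';
const CLIENT_ID = 'constructed-client-id';
const REDIRECT_URI = 'https://app.example.com/callback';

// OpenID Connect error codes returned when prompt=none cannot be
// satisfied without showing the user a screen.
const NEEDS_INTERACTION = new Set([
  'login_required', 'interaction_required',
  'consent_required', 'account_selection_required',
]);

// Build the authorization URL. `state` must be an unguessable per-request
// value that the caller generated and stored in the user's session.
function buildAuthUrl(state, { silent }) {
  const url = new URL(AUTH_ENDPOINT);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('state', state);
  if (silent) url.searchParams.set('prompt', 'none');
  return url.toString();
}

// Decide what to do with the redirect that answers a silent attempt.
function handleSilentCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // Reject any response that does not belong to the request we started.
  if (!expectedState || params.get('state') !== expectedState) {
    return { action: 'reject', reason: 'state_mismatch' };
  }
  const error = params.get('error');
  if (error) {
    // No usable session: the caller starts a normal sign-in with a fresh state.
    if (NEEDS_INTERACTION.has(error)) return { action: 'interactive' };
    return { action: 'reject', reason: error };
  }
  const code = params.get('code');
  return code
    ? { action: 'exchange', code }
    : { action: 'reject', reason: 'missing_code' };
}
```
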

Authentication Methods

How do I set up passwordless authentication?

Passwordless authentication is enabled by default for new Kinde businesses. Users receive magic links via email to sign in without passwords. You can configure this in your authentication settings and customize the email templates.

Learn more: Passwordless authentication

Can I require both email and phone verification?

Yes, you can configure multiple verification methods. Users can be required to verify both their email address and phone number during sign-up, or you can make one optional while requiring the other.

Learn more: Set up user authentication

What’s the difference between username and email authentication?

Username authentication allows users to sign in with a custom username instead of their email address. This is useful for applications where users prefer not to share their email publicly or want a more memorable login identifier.

Learn more: Username authentication

How do I handle SMS delivery issues?

If you’re experiencing SMS delivery problems, check your SMS provider configuration, ensure proper phone number formatting, and consider implementing fallback authentication methods. Kinde provides SMS deliverability monitoring to help identify issues.

Learn more: SMS deliverability

Can I customize password requirements?

Yes, you can configure password policies including minimum length, complexity requirements, and whether to allow common passwords. These settings can be adjusted per organization and environment.

Learn more: Password authentication

Enterprise Connections

What’s the difference between SAML and OIDC?

SAML is an older standard widely supported by enterprise systems, while OIDC is a newer protocol built on OAuth 2.0. SAML is great for legacy enterprise integrations, while OIDC offers better mobile support and simpler implementation.

Learn more: About enterprise connections

How do I troubleshoot SAML connection issues?

Common SAML issues include certificate expiration, incorrect entity IDs, and attribute mapping problems. Check your SAML logs in Kinde, verify your identity provider settings, and ensure your certificates are valid and properly configured.

Learn more: Advanced SAML configurations

Can I use multiple identity providers for the same organization?

Yes, you can configure multiple SAML or OIDC providers for a single organization. This is useful for companies that have acquired other businesses or need to support different user groups with different identity systems.

Learn more: About enterprise connections

How do I handle user provisioning from enterprise systems?

Kinde supports automatic user provisioning from enterprise identity providers. Users can be automatically created when they first sign in through SAML, and you can configure attribute mapping to populate user profiles with data from your identity provider.

Learn more: Provision users from enterprise

What if my enterprise system doesn’t support SAML?

If your enterprise system doesn’t support SAML, you can use OIDC instead, which is supported by most modern identity systems. Alternatively, you can implement custom user provisioning workflows using Kinde’s APIs.

Learn more: About enterprise connections

Social Sign-In

Which social providers should I enable for my application?

Choose social providers based on your target audience. For developer-focused apps, GitHub and GitLab are essential. For business applications, Microsoft and LinkedIn are popular. For consumer apps, Google, Apple, and Facebook are widely used.

Learn more: Add social sign-in

How do I handle social sign-in rate limiting?

To avoid rate limiting, always use your own app credentials (Client ID and Client Secret) from social providers rather than relying on Kinde’s proxy credentials. This ensures you have full control over your API quotas and rate limits.

Learn more: Add social sign-in

Can users link multiple social accounts to the same profile?

Yes, users can link multiple social accounts to their Kinde profile. This allows them to sign in using any of their connected social accounts while maintaining a single user identity in your system.

Learn more: Add social sign-in

What happens if a social provider changes their API?

Kinde monitors social provider API changes and updates our integrations accordingly. However, if you’re using custom social sign-in implementations, you’ll need to stay updated with provider changes and update your code as needed.

Learn more: Add social sign-in

How do I customize the social sign-in experience?

You can customize the social sign-in flow by modifying the UI components, adding custom branding, and configuring which social providers are displayed to users. You can also implement conditional logic to show different providers based on user context.

Learn more: Custom authentication pages

Multi-Factor Authentication

Can I require MFA for specific user roles?

Yes, you can configure MFA requirements per organization and per user role. This allows you to enforce stricter security for administrative users while keeping the experience simpler for regular users.

Learn more: MFA per organization

What MFA methods does Kinde support?

Kinde supports multiple MFA methods including SMS, authenticator apps (TOTP), and email verification. You can enable one or multiple methods and let users choose their preferred option.

Learn more: About multi-factor authentication

How do I handle MFA backup codes?

Kinde automatically generates backup codes when MFA is enabled. Users can use these codes to access their account if they lose their primary MFA device. You can configure how many backup codes are generated and whether they expire.

Learn more: Enable multi-factor authentication

Can I enforce MFA for enterprise users?

Yes, you can enforce MFA for users signing in through enterprise connections. This provides an additional security layer for your enterprise users while maintaining the convenience of SSO.

Learn more: MFA per organization

Custom Configurations

How do I create custom authentication pages?

You can create custom authentication pages by connecting your repository to Kinde and implementing the authentication flow using our SDKs. This gives you complete control over the user experience while maintaining security.

Learn more: Custom authentication pages

Can I disable user registration?

Yes, you can disable user registration and only allow users to sign up through invitations or enterprise connections. This is useful for B2B applications where you want to control who can access your system.

Learn more: Disable sign-up

How do I implement custom redirects after authentication?

You can configure custom redirect URLs based on user roles, organizations, or other criteria. This allows you to direct users to different parts of your application based on their authentication context.

Learn more: Redirect users

Can I prepopulate user information during sign-up?

Yes, you can prepopulate user information during the sign-up process by passing parameters in your authentication URLs. This is useful for applications where you already have some user information and want to streamline the onboarding process.

Learn more: Prepopulate identity sign-in

Managing Authentication

How do I manage user sessions across multiple applications?

Kinde provides session management tools that allow you to control user sessions across different applications. You can configure session timeouts, implement single sign-out, and manage user authentication state across your entire system.

Learn more: Session management

What happens when a user’s enterprise account is deactivated?

When a user’s enterprise account is deactivated, you can configure Kinde to either immediately revoke their access or implement a grace period. You can also set up webhooks to be notified of these changes in real-time.

Learn more: Manage authentication applications

How do I sync user data between Kinde and my application?

Kinde provides APIs and webhooks to keep user data synchronized between your application and Kinde. You can implement real-time synchronization or batch updates depending on your requirements.

Learn more: Sync with Kinde

Can I customize the authentication experience per organization?

Yes, you can customize the authentication experience per organization, including branding, authentication methods, and user flows. This is useful for multi-tenant applications where different organizations have different requirements.

Learn more: Organization auth experience

Troubleshooting

Why are my users getting rate limited?

Rate limiting usually occurs when you’re not using your own third-party app credentials or when you have too many authentication attempts from the same source. Check your social provider configurations and implement proper rate limiting in your application.

Learn more: Add social sign-in

How do I debug authentication errors?

Kinde provides detailed error logs and error codes to help you debug authentication issues. Check the error codes in your application logs and refer to our error code documentation for specific solutions.

Learn more: Error codes

What should I do if my SAML certificate expires?

When your SAML certificate expires, you’ll need to generate a new one and update both your identity provider and Kinde configurations. Kinde provides tools to help you refresh certificates and update configurations seamlessly.

Learn more: Refresh SAML certificate

How do I handle authentication failures gracefully?

Implement proper error handling in your authentication flow to provide users with clear error messages and alternative authentication options. Use Kinde’s error codes to identify specific issues and guide users to appropriate solutions.

Learn more: Error codes

User Support Scenarios

My user says they can’t sign in - what should I check first?

Start by checking if the user is using the correct email/username, if their account exists in your system, and if there are any authentication restrictions (like disabled accounts or MFA requirements). You can also check Kinde’s user logs to see what’s happening during their sign-in attempts.

Learn more: Manage authentication applications

A user is locked out of their account - how do I help them?

First, check if their account is actually locked or if they’re just experiencing authentication issues. You can reset their password, disable MFA temporarily, or check if their account has been suspended. Always verify their identity before making changes.

Learn more: Add and edit users

How do I help a user who lost their phone (and MFA access)?

If a user loses their phone and can’t access their MFA app, you can temporarily disable MFA for their account, help them set up a new device, or use their backup codes if they have them. Consider implementing account recovery procedures for future incidents.

Learn more: Enable multi-factor authentication

What should I do if a user reports suspicious activity on their account?

Immediately check the user’s authentication logs in Kinde, look for unusual sign-in patterns, and consider temporarily suspending their account. You can also force a password reset and enable additional security measures like MFA if it wasn’t already enabled.

Learn more: View user activity

How do I help enterprise users who can’t access their SSO?

For enterprise SSO issues, check if the user’s account exists in their identity provider, verify the SAML/OIDC configuration is correct, and ensure their account hasn’t been deactivated. You may need to coordinate with their IT department to resolve the issue.

Learn more: About enterprise connections

A user wants to change their email address - what’s the process?

Users can typically change their email address through their profile settings, but you may want to require email verification for the new address. Consider implementing a grace period where both old and new emails work to prevent account lockouts during the transition.

Learn more: Add and edit users

How do I handle users who want to delete their account?

Implement a proper account deletion process that includes data export options if required by law, confirmation steps to prevent accidental deletions, and clear communication about what data will be permanently removed. You may also want to offer account deactivation as an alternative.

Learn more: Delete or suspend users

What should I do if multiple users report the same authentication issue?

If multiple users report the same issue, it’s likely a system-wide problem rather than individual user issues. Check your Kinde configuration, monitor system status, and look for recent changes that might have caused the problem. Communicate with affected users about the issue and expected resolution time.

Learn more: Manage authentication applications

How do I help users who are having trouble with social sign-in?

Check if the social provider is experiencing issues, verify your app credentials are still valid, and ensure the user’s social account hasn’t been suspended. You can also provide alternative authentication methods while troubleshooting the social sign-in issue.

Learn more: Add social sign-in

A user says they never received their verification email - what can I do?

Check if the email was sent (look in Kinde’s logs), verify the user’s email address is correct, and check if the email was delivered to spam/junk folders. You can also resend the verification email or temporarily use an alternative verification method like SMS.

Learn more: Email deliverability

How do I handle users who want to use multiple email addresses?

You can allow users to add multiple email addresses to their account, with one primary email for authentication and others for notifications. This is useful for users who want to receive updates at different addresses or who are transitioning between email providers.

Learn more: Add and edit users

What should I do if a user’s authentication keeps failing after multiple attempts?

After multiple failed attempts, the user’s account may be temporarily locked for security reasons. Check if there are any IP restrictions, verify their credentials are correct, and consider implementing a cooldown period before allowing additional attempts. You may also want to offer account recovery options.

Learn more: Manage authentication applications

How do I help users who are experiencing slow authentication?

Slow authentication can be caused by network issues, server load, or configuration problems. Check your Kinde performance metrics, verify your network configuration, and consider implementing authentication caching or optimizing your authentication flow to improve response times.

Learn more: Service status