// CloudBase Web Authentication Quick Guide for frontend integration after auth-tool has already been checked. Provides concise and practical Web authentication solutions with multiple login methods and complete user management.
CloudBase platform overview and routing guide. This skill should be used when users need high-level capability selection, platform concepts, console navigation, or cross-platform best practices before choosing a more specific implementation skill.
Use this skill when a browser/Web app (React, Vue, Angular, Next, Nuxt, static sites, SPAs, dashboards, AI chat UI) needs AI models via @cloudbase/js-sdk. Default routing for page/页面/Web/前端/frontend/网页/H5 AI — call directly from browser, do NOT propose a Node.js proxy. Covers generateText and streamText. Models via ai.createModel with groups cloudbase, hunyuan-exp, or custom-*. Model IDs (deepseek-v4-flash, deepseek-v3.2, hunyuan-2.0-instruct-20251111, glm-5, kimi-k2.6) go in the model field. MUST run two-step preflight before code — see body. Keywords: 页面, Web, 前端, React, Vue, Next, Nuxt, SPA, AI chat UI, generateText, streamText, createModel, hunyuan-exp, Token Credits, TokenHub, Hunyuan, DeepSeek, GLM, Kimi, MiniMax. NOT for Node.js backend (use ai-model-nodejs), Mini Program (use ai-model-wechat), or image generation (Node SDK only).
Complete guide for CloudBase cloud storage using Web SDK (@cloudbase/js-sdk) - upload, download, temporary URLs, file management, and best practices.
CloudBase official HTTP API client guide. This skill should be used when backends, scripts, or non-SDK clients must call CloudBase platform APIs over raw HTTP instead of using a platform SDK or MCP management tool.
Use CloudBase document database Web SDK to query, create, update, and delete data. Supports complex queries, pagination, aggregation, realtime, and geolocation queries.
Use when building frontend Web apps that talk to CloudBase Relational Database via @cloudbase/js-sdk – provides the canonical init pattern so you can then use Supabase-style queries from the browser.
| name | auth-web-cloudbase |
| description | CloudBase Web Authentication Quick Guide for frontend integration after auth-tool has already been checked. Provides concise and practical Web authentication solutions with multiple login methods and complete user management. |
| version | 2.20.1 |
| alwaysApply | false |
If this environment only installed the current skill, start from the CloudBase main entry and use the published cloudbase/references/... paths for sibling skills.
https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/SKILL.mdhttps://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/references/auth-web/SKILL.mdKeep local references/... paths for files that ship with the current skill directory. When this file points to a sibling skill such as auth-tool or web-development, use the standalone fallback URL shown next to that reference.
@cloudbase/js-sdk and the auth provider setup has already been checked.auth-tool first to ensure providers are enabled, then return here for frontend integration.../auth-tool/SKILL.md (standalone fallback: https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/references/auth-tool/SKILL.md) for provider setup../web-development/SKILL.md (standalone fallback: https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/references/web-development/SKILL.md) for Web project structure and deploymentauth-tool-cloudbase before auth-web-cloudbase.Skipping publishable key and provider checks.
Replacing built-in Web auth with cloud function login logic.
Reusing this flow in Flutter, React Native, or native iOS/Android code.
Creating a detached helper file with auth.signUp / verifyOtp but never wiring it into the existing form handlers, so the actual button clicks still do nothing.
Using signInWithEmailAndPassword or signUpWithEmailAndPassword for username-style accounts such as admin and editor.
Keeping the login or register account input as type="email" when the task explicitly says the account identifier is a plain username string.
Starting implementation before calling queryAppAuth(action="getLoginConfig") and enabling usernamePassword when it is still off.
Treating auth.getUser() or deprecated auth.getLoginState() as proof of real login. When the SDK is initialized with accessKey, the deprecated getLoginState() returns an object with a valid uid even without any login — causing route guards that check !!loginState or !!uid to incorrectly pass. The fix is to use auth.getSession() instead: it returns data.session === undefined when no real login has occurred. Only !!data.session from getSession() is a reliable authentication check.
Note: anonymous login is now disabled by default for new environments and inactive existing environments. Always use auth.getSession() for auth guards.
Prerequisites: CloudBase environment ID (env)
Prerequisites: CloudBase environment Region (region)
Use Case: Web frontend projects using @cloudbase/js-sdk@2.24.0+ for user authentication
Key Benefits: Supabase-compatible Auth API — all methods return { data, error }, supports phone, email, anonymous (disabled by default), username/password, OAuth, and third-party login methods
📌 Supabase API Compatibility: CloudBase Web SDK v2 auth module is designed with Supabase-like API ergonomics. If you are familiar with
supabase-jsauth patterns, the same mental model applies:
- All methods return
Promise<{ data, error }>— always checkerrorfirstsignInWithPassword,signInWithOtp,signUp,signOut,getSession,getUserfollow the same naming as SupabaseonAuthStateChange(callback)provides reactive auth state observation (events:INITIAL_SESSION,SIGNED_IN,SIGNED_OUT,TOKEN_REFRESHED,USER_UPDATED,PASSWORD_RECOVERY,BIND_IDENTITY)- Session management via
getSession()/refreshSession()/setSession()mirrors Supabase patternsKey differences from Supabase:
- OTP verification: Supabase uses a standalone
auth.verifyOtp({ phone, token, type })call; CloudBase returnsverifyOtpas a callback ondata— calldata.verifyOtp({ token })from thesignInWithOtp/signUpresultaccessKeyreplaces Supabase'sanonKey; environment usesenv+regioninstead of Supabase'surlsignInWithIdTokenfor direct third-party token login (similar to Supabase's same-named method)
Use npm installation for modern Web projects. In React, Vue, Vite, and other bundler-based apps, install and import @cloudbase/js-sdk from the project dependencies instead of using a CDN script.
auth-tool-cloudbase to check app-side auth readiness via queryAppAuth / manageAppAuth, then get the publishable key and configure login methods.auth-tool-cloudbase failed, let user go to https://tcb.cloud.tencent.com/dev?envId={env}#/env/apikey to get publishable key and https://tcb.cloud.tencent.com/dev?envId={env}#/identity/login-manage to set up login methodsloginMethods.usernamePassword === true from queryAppAuth(action="getLoginConfig"). If it is false, enable it with manageAppAuth(action="patchLoginStrategy", patch={ usernamePassword: true }) before wiring frontend auth code.envQuery(action="list", alias=..., aliasExact=true) first and use the returned canonical full EnvId for SDK init, console links, and generated config. Do not pass alias-like short forms directly into cloudbase.init({ env }).supabase-js auth example is valid unchanged”queryAppAuth / manageAppAuth returns sdkStyle: "supabase-like" and sdkHints, follow those method and parameter hints firstauth.signInWithOtp({ phone }) and auth.signUp({ phone }) use the phone number in a phone field, not phone_numberauth.signInWithOtp({ email }) and auth.signUp({ email }) use emailauth.signUp({ username, password }) and auth.signInWithPassword({ username, password }) are the canonical username/password Web auth pathadmin, editor, or another plain string without @, treat it as a username-style identifier rather than an email addressverifyOtp({ token }) expects the SMS or email code in tokenaccessKey is the publishable key from queryAppAuth / manageAppAuth via auth-tool-cloudbase, not a secret keyaccessKey triggers automatic anonymous session creation — the deprecated auth.getLoginState() returns an object with a valid uid even without explicit login, which misleads route guards into thinking the user is authenticated. Use auth.getSession() instead — it returns data.session === undefined when no real login has occurred, making auth checks straightforward and reliable.accessKey to envId, a username, or any placeholder string. If you do not have a real Publishable Key yet, do not fabricate one.auth-tool-cloudbase before writing frontend code// npm install @cloudbase/js-sdk
import cloudbase from '@cloudbase/js-sdk'
const app = cloudbase.init({
env: 'your-full-env-id', // Canonical full CloudBase environment ID resolved from envQuery or the console, not an alias or shorthand
region: `region`, // CloudBase environment Region, default 'ap-shanghai'
accessKey: 'publishable key', // required, get from auth-tool-cloudbase
// ⚠️ With accessKey, the deprecated getLoginState() returns misleading auth data (uid)
// even without login. Always use auth.getSession() — returns undefined when not logged in.
auth: { detectSessionInUrl: true }, // required
})
const auth = app.auth({ persistence: 'local' })
If the current task has not retrieved a real Publishable Key, omit accessKey instead of inventing one. A wrong accessKey can break auth-state checks and protected-route behavior.
1. Phone OTP (Recommended)
auth-tool-cloudbase to turn on SMS Login through manageAppAuthauth.signInWithOtp({ phone, ... }), then call the returned verifyOtp({ token }).signInWithOtp can automatically create a new user if the user does not exist; control this via shouldCreateUser parameter (default true).const { data, error } = await auth.signInWithOtp({ phone: '13800138000' })
const { data: loginData, error: loginError } = await data.verifyOtp({ token: '123456' })
2. Email OTP
auth-tool-cloudbase to turn on Email Login through manageAppAuthconst { data, error } = await auth.signInWithOtp({ email: 'user@example.com' })
const { data: loginData, error: loginError } = await data.verifyOtp({ token: '654321' })
3. Password
All auth methods return { data, error }. Always check error first:
// Login — returns { data: { user, session }, error: null } on success
const { data, error } = await auth.signInWithPassword({ username: 'test_user', password: 'pass123' })
if (error) {
// Handle login failure (wrong password, user not found, provider not enabled)
console.error('Login failed:', error.message)
return false
}
// data.user.id is the uid; data.session contains the active session
const uid = data.user.id
// Also works with email or phone:
// await auth.signInWithPassword({ email: 'user@example.com', password: 'pass123' })
// await auth.signInWithPassword({ phone: '13800138000', password: 'pass123' })
Checking login state (for route guards / auth checks):
// Use auth.getSession() — NOT the deprecated getLoginState().
//
// Why: getLoginState() returns an object with uid even when only accessKey is
// present (no real login), causing route guards to incorrectly pass anonymous users.
// getSession() returns data.session === undefined when no real login exists,
// making the check reliable and simple.
const { data, error } = await auth.getSession()
if (!data?.session) {
// No real login — redirect to sign-in page
window.location.href = '/login'
return
}
// Also reject anonymous sessions (when signInAnonymously() was called explicitly)
if (data.session.user?.is_anonymous) {
// Anonymous user — not allowed for protected routes
window.location.href = '/login'
return
}
// data.session contains: access_token, refresh_token, expires_in, user
// data.session.user contains the authenticated user info
const currentUser = data.session.user
// Optional: further verify identity type if needed
const { data: userData } = await auth.getUser()
const hasVerifiedIdentity = userData?.user && (
userData.user.phone_confirmed_at ||
userData.user.email_confirmed_at ||
userData.user.user_metadata?.username
)
// ❌ Do NOT use auth.getLoginState() — it's deprecated and returns
// misleading data (uid/loginState) even without real login
// ❌ Do NOT use !!loginState or !!loginState.uid as auth checks
4. Registration
admin, editor, or user01, the canonical form code is auth.signUp({ username, password })// Username + Password
const usernameSignUp = await auth.signUp({
username: 'newuser',
password: 'pass123',
nickname: 'User',
})
// Email Otp
// Use only when the task explicitly requires email addresses.
// Email Otp
const emailSignUp = await auth.signUp({ email: 'new@example.com', nickname: 'User' })
const emailVerifyResult = await emailSignUp.data.verifyOtp({ token: '123456' })
// Phone Otp
// Use only when the task explicitly requires phone numbers.
// Phone Otp
const phoneSignUp = await auth.signUp({ phone: '13800138000', password: 'pass123', nickname: 'User' })
const phoneVerifyResult = await phoneSignUp.data.verifyOtp({ token: '123456' })
When the project already has handleSendCode / handleRegister or similar UI handlers, wire the SDK calls there directly instead of leaving them commented out in App.tsx.
For username-style account tasks:
const handleRegister = async () => {
const { error } = await auth.signUp({
username,
password,
nickname: username,
})
if (error) throw error
}
const handleLogin = async () => {
const { data, error } = await auth.signInWithPassword({
username,
password,
})
if (error) throw error
// Login succeeded — data.user.id is the uid
return true
}
Do not use email OTP or email-only helpers for these flows unless the task explicitly says the account identifier is an email address. The corresponding form field should stay type="text" rather than type="email" for username-style account identifiers.
const handleSendCode = async () => {
try {
const { data, error } = await auth.signUp({
phone,
password: password || undefined,
})
if (error) throw error
verifyOtpRef.current = data.verifyOtp
} catch (error) {
console.error('Failed to send sign-up code', error)
}
}
const handleRegister = async () => {
try {
if (!verifyOtpRef.current) throw new Error('Please send the code first')
const { error } = await verifyOtpRef.current({ token: code })
if (error) throw error
} catch (error) {
console.error('Failed to complete sign-up', error)
}
}
5. Anonymous
⚠️ Anonymous login is disabled by default for new environments. The SDK initialized with
accessKeywill automatically create an anonymous session regardless of this setting. Do not rely onsignInAnonymously()for production flows — use verified login methods instead.
auth-tool-cloudbase to turn on Anonymous Login through manageAppAuth (must be explicitly enabled first)// Anonymous login is disabled by default — must be explicitly enabled via auth-tool
const { data, error } = await auth.signInAnonymously()
6. OAuth (Google/WeChat)
auth-tool-cloudbase to turn on Google Login or WeChat Login through manageAppAuthconst { data, error } = await auth.signInWithOAuth({ provider: 'google' })
window.location.href = data.url // Auto-complete after callback
7. Custom Ticket
await auth.signInWithCustomTicket(async () => {
const res = await fetch('/api/ticket')
return (await res.json()).ticket
})
8. ID Token (Third-party token validation)
// Direct login with a third-party JWT/OAuth token (e.g. from native SDK)
const { data, error } = await auth.signInWithIdToken({
provider: 'wechat', // or 'google', 'github', etc.
token: '<jwt-or-oauth-token>',
})
9. Upgrade Anonymous
const sessionResult = await auth.getSession()
const upgradeResult = await auth.signUp({
phone: '13800000000',
anonymous_token: sessionResult.data.session.access_token,
})
await upgradeResult.data.verifyOtp({ token: '123456' })
// Sign out
const signOutResult = await auth.signOut()
// Get user
const userResult = await auth.getUser()
console.log(
userResult.data.user.email,
userResult.data.user.phone,
userResult.data.user.user_metadata?.nickName,
)
// Update user (except email, phone)
const updateProfileResult = await auth.updateUser({
nickname: 'New Name',
gender: 'MALE',
avatar_url: 'url',
})
// Update user (email or phone)
const updateEmailResult = await auth.updateUser({ email: 'new@example.com' })
const verifyEmailResult = await updateEmailResult.data.verifyOtp({
email: 'new@example.com',
token: '123456',
})
// Change password (logged in)
const resetPasswordResult = await auth.resetPasswordForOld({
old_password: 'old',
new_password: 'new',
})
// Reset password (forgot)
const reauthResult = await auth.reauthenticate()
const forgotPasswordResult = await reauthResult.data.updateUser({
nonce: '123456',
password: 'new',
})
// Link third-party
const linkIdentityResult = await auth.linkIdentity({ provider: 'google' })
// View/Unlink identities
const identitiesResult = await auth.getUserIdentities()
const unlinkIdentityResult = await auth.unlinkIdentity({
provider: identitiesResult.data.identities[0].id,
})
// Delete account
const deleteMeResult = await auth.deleteMe({ password: 'current' })
// Listen to state changes
const authStateSubscription = auth.onAuthStateChange((event, session, info) => {
// INITIAL_SESSION, SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED, USER_UPDATED, PASSWORD_RECOVERY, BIND_IDENTITY
})
// Get access token
const sessionResult = await auth.getSession()
await fetch('/api/protected', {
headers: { Authorization: `Bearer ${sessionResult.data.session?.access_token}` },
})
// Refresh session (extend token validity)
const refreshResult = await auth.refreshSession() // uses current refresh_token
// or with explicit token: await auth.refreshSession(refresh_token)
// Set session manually (e.g. from external auth flow or SSR hydration)
const setResult = await auth.setSession({ refresh_token: '<token-from-server>' })
// Refresh user (sync latest user data from server)
const refreshUserResult = await auth.refreshUser()
declare type User = {
id: any
aud: string
role: string[]
email: any
email_confirmed_at: string
phone: any
phone_confirmed_at: string
confirmed_at: string
last_sign_in_at: string
app_metadata: {
provider: any
providers: any[]
}
user_metadata: {
name: any
picture: any
username: any
gender: any
locale: any
uid: any
nickName: any
avatarUrl: any
location: any
hasPassword: any
}
identities: any
created_at: string
updated_at: string
is_anonymous: boolean
}
class PhoneLoginPage {
async sendCode() {
const phone = document.getElementById('phone').value
if (!/^1[3-9]\d{9}$/.test(phone)) return alert('Invalid phone')
const { data, error } = await auth.signInWithOtp({ phone })
if (error) return alert('Send failed: ' + error.message)
this.verifyOtp = data.verifyOtp
document.getElementById('codeSection').style.display = 'block'
this.startCountdown(60)
}
async verifyCode() {
const code = document.getElementById('code').value
if (!code) return alert('Enter code')
if (!this.verifyOtp) return alert('Send the code first')
const { data, error } = await this.verifyOtp({ token: code })
if (error) return alert('Verification failed: ' + error.message)
console.log('Login successful:', data.user)
window.location.href = '/dashboard'
}
startCountdown(seconds) {
let countdown = seconds
const btn = document.getElementById('resendBtn')
btn.disabled = true
const timer = setInterval(() => {
countdown--
btn.innerText = `Resend in ${countdown}s`
if (countdown <= 0) {
clearInterval(timer)
btn.disabled = false
btn.innerText = 'Resend'
}
}, 1000)
}
}