Email & Password

Email and password authentication with Clowk

Overview

Clowk supports email and password authentication alongside OAuth providers. Users can sign up with an email and password, then sign in with the same credentials.

The entire flow happens on Clowk's hosted page — your app never handles passwords.

How it works

  1. User clicks "Sign up" in your app
  2. Your app redirects to Clowk's hosted sign-up page
  3. User enters their email and password
  4. Clowk creates the user account and generates a JWT
  5. Clowk redirects back to your app with the token

Sign-in follows the same pattern — user enters credentials, Clowk verifies them and returns a JWT.

Password requirements

  • Minimum 8 characters (configurable per instance via min_password_length)
  • Passwords are hashed with bcrypt (cost factor 12) before storage
  • Clowk never stores or logs plaintext passwords

Instance configuration

You can control email/password behavior per instance in the Clowk dashboard:

Setting                  Default  Description
allow_email_signin       true     Allow sign-in with email
allow_email_signup       true     Allow sign-up with email
allow_password_signin    true     Allow password-based sign-in
require_password_signup  true     Require password on sign-up
min_password_length      8        Minimum password length

Email verification

When a user signs up with email and password, their email_verified_at field is null until they verify their email. Users who sign in via OAuth providers (Google, GitHub) have their email automatically verified.

JWT payload

The JWT for email/password users includes "provider": "email":

{
  "iss": "clowk",
  "sub": "user-uuid",
  "email": "jane@example.com",
  "name": "Jane Doe",
  "provider": "email",
  "instance_id": "inst_abc123",
  "app_id": "app_xyz789",
  "iat": 1711152000,
  "exp": 1711155600
}
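
An added example, not Clowk's own code: one way an app could check the token it receives on redirect against the claims shown above before trusting it. This page does not state the signing algorithm or how keys are distributed, so HS256 with a shared secret, the `sign_token` helper and the expected values (copied from the sample payload) are assumptions.

```python
import base64, hashlib, hmac, json, time

# Assumptions (not from the Clowk docs): HS256 with a shared secret, and
# expected values copied from the sample payload on this page.
EXPECTED = {"iss": "clowk", "instance_id": "inst_abc123", "app_id": "app_xyz789"}
ALLOWED_PROVIDERS = {"email"}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims, secret, alg="HS256"):
    """Build a constructed test token; stands in for the issuer (hypothetical helper)."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(mac)}"

def verify_token(token, secret, now=None, leeway=30):
    """Return the claims if every check passes, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    good = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + leeway < now:
        raise ValueError("expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] - leeway > now:
        raise ValueError("issued in the future")
    # Reject tokens minted for another issuer, instance or app.
    for key, want in EXPECTED.items():
        if claims.get(key) != want:
            raise ValueError(f"wrong {key}")
    if claims.get("provider") not in ALLOWED_PROVIDERS:
        raise ValueError("provider not allowed")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims
```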

Password reset

  1. User requests a password reset on the Clowk hosted page
  2. Clowk sends a reset link to the user's email
  3. User clicks the link and sets a new password
  4. Rate limited to 3 attempts per minute per email
