Open API - anonymous user registered for each request


I have built two APIs using Mongo Realm for my app. One authorized app which handles potentially destructive operators, such as mutations. Most of the requests done from my frontend is made to an open, non-authorized app though, which handles all usual “get” requests.

I have made it so that the client logs in anonymously, keeps the returned tokens in a global store and then makes all requests to the open API using them. So far so good. The problem is, when I then check the App Users tab in the Realm UI, each request has made a new row in the view, each with a new user id. The same goes for when I check the logs in the Realm UI, the anon-user login is triggered the same amount of times as my requests. I wonder why this is. Shouldn’t requests made with the same access token be counted as the same users?

I’m a bit concerned, because even though the anon users that are older than 90 days get deleted, my app risk getting flooded with anon users… Would that affect my app?

Thanks for the help

Hi @Patrick_Mamba, welcome to the MongoDB community forum!

Just to check – are you using an SDK (and if so, which one) or webhooks for each of the APIs you mention?

1 Like

Hi Andrew! Thank you!

For the authentication I’m simply using the API endpoint to get the tokens:

const realmResponse = await fetch(
    method: 'POST',

Or what do you mean?

Hi @Andrew_Morgan! Did I answer your question? Sorry if I misunderstood you.

Hi @Patrick_Mamba and welcome in the MongoDB Community :muscle: !

Sorry we haven’t been more reactive on this one :frowning:.

I’m super confused with what you are trying to do actually.
The API you mentioned above, indeed, is used to generate a token for an anonymous user. But REST APIs created in 3rd party services => HTTP Service => Webhooks don’t need a token. You can secure these using:

  • nothing (so completely public)
  • secret parameter (not the best security but can be good enough)
  • payload signature

So unless you are using the MongoDB Realm Admin REST APIs to manipulate the content of your Realm app, I don’t understand why you even need a token in the first place.
Usually the tokens are used when you want to query a GraphQL API created in Realm for example or use an SDK to send CRUD operations or aggregation following the rules defined in Realm.

If you are using a REST API to manipulate the data which is into your Atlas cluster, then you don’t need a token basically.


1 Like

Hi Maxime! Thanks for the answer!

I’m sorry if I made it sound like I was trying to use the tokens to use the webhooks, that’s not what I meant! I’m using the webhooks separately, and it’s working like a charm.

Rather, what I meant asking for was the GraphQL requests that you mentioned. Even though I use the same token for all GraphQL queries that are made from the one client session, the Realm user log registers a new anonymous user for each GraphQL request. I wonder why that is.

Again, terribly sorry if my explanation was bad!



Hey @Patrick_Mamba,

Very different story indeed :smiley: !

So. To put this to the test, I made an M0 cluster + Realm app with anonymous auth ON + rule & schema on sample_mflix.movies collection to get graphQL working on this collection.

I created a small python code sample which does the following:

  • create an anonymous user token using a REST “POST” query.
  • send 10 GraphQL queries (the same because I’m lazy).
import requests
from graphqlclient import GraphQLClient

APP_ID = 'community-test-irazb'

response ='{APP_ID}/auth/providers/anon-user/login')
token = response.json().get('access_token')

client = GraphQLClient(f'{APP_ID}/graphql')
client.inject_token(f'Bearer {token}')

for _ in range(10):
    print(client.execute('query { movie { title } }'))

Result: 10 times the same movie title… and in my Realm application, I only have one anonymous user:

Not 10. Because I called the REST API only once to generate only a single user. Which didn’t prevent me from calling the same GraphQL API 10 times with the same token.

But note that in my logs, I have, 11 entries:

1 for the user creation and 1 for each GraphQL query.

So… I wasn’t able to reproduce the behaviour you are seeing. Can you please double check your logs & code and make sure that you are not regenerating a new user + token for each GraphQL query your are sending?

You can filter your logs using the log type to identify them more easily:


Also you can see the “User ID” on each of the GraphQL query log entries so they should all be identical if you generate just one user.


A post was split to a new topic: Accumulating hundreds of anon-users using Realm GraphQL with an SPA