Docs Menu

Docs HomeRealm

Authenticate Users - .NET SDK

On this page

  • Log In
  • Anonymous User
  • Email/Password User
  • API Key User
  • Custom JWT User
  • Custom Function User
  • Facebook User
  • Google User
  • Apple User
  • Offline Login
  • Log a User Out
  • Retrieve the Current User
  • Get a User Access Token

The SDK provides an API for authenticating users using any enabled authentication provider. Instantiate a Credentials object and pass it to the LogInAsync() method to authenticate and obtain a User instance. The Credentials class exposes factory methods that correspond to each of the authentication providers:

Before you can authenticate a user, ensure you have:

If you have enabled Anonymous authentication in the App Services UI, users can immediately log into your app without providing any identifying information. The following code shows how to do this:

var user = await app.LogInAsync(Credentials.Anonymous());

If you have enabled Email/Password authentication, you can log in using the following code:

var user = await app.LogInAsync(
Credentials.EmailPassword("", "shhhItsASektrit!"));

If you have enabled API Key authentication, you can log in using the following code:

var user = await app.LogInAsync(Credentials.ApiKey(apiKey));

If you have enabled the Custom JWT authentication provider, you can log in using the following code:

var user =
await app.LogInAsync(Credentials.JWT(jwt_token));

If you have enabled the Custom Function authentication provider, you can log in using the following code:

var functionParameters = new
username = "caleb",
password = "shhhItsASektrit!",
IQ = 42,
isCool = false
var user =
await app.LogInAsync(Credentials.Function(functionParameters));

The Facebook authentication provider allows you to authenticate users through a Facebook app using their existing Facebook account.


Enable the Facebook Auth Provider

To log a user in with their existing Facebook account, you must configure and enable the Facebook authentication provider for your application.


Do Not Store Facebook Profile Picture URLs

Facebook profile picture URLs include the user's access token to grant permission to the image. To ensure security, do not store a URL that includes a user's access token. Instead, access the URL directly from the user's metadata fields when you need to fetch the image.

var user =
await app.LogInAsync(Credentials.Facebook(facebookToken));

If you have enabled Google authentication, you can log in using the following code:

var user =
await app.LogInAsync(Credentials.Google(googleAuthCode, GoogleCredentialType.AuthCode));

If you have enabled Sign-in with Apple authentication, you can log in using the following code:

var user =
await app.LogInAsync(Credentials.Apple(appleToken));


If you get a Login failed error saying that the token contains an invalid number of segments, verify that you're passing a UTF-8-encoded string version of the JWT.

When your Realm application authenticates a user, it caches the user's credentials. You can check for existing user credentials to bypass the login flow and access the cached user. Use this to open a realm offline.


Initial login requires a network connection

When a user signs up for your app, or logs in for the first time with an existing account on a client, the client must have a network connection. Checking for cached user credentials lets you open a realm offline, but only if the user has previously logged in while online.

The following example checks if there is a cached User object. If not, it logs the user in. Otherwise, it uses the cached credentials:

if (app.CurrentUser == null)
// App must be online for user to authenticate
user = await app.LogInAsync(
Credentials.EmailPassword("", "shhhItsASektrit!"));
config = new PartitionSyncConfiguration("_part", user);
realm = await Realm.GetInstanceAsync(config);
// This works whether online or offline
user = app.CurrentUser;
config = new PartitionSyncConfiguration("_part", user);
realm = Realm.GetInstance(config);

Once logged in, you can log out by calling the LogOutAsync() method:

await user.LogOutAsync();


When a user logs out, you can no longer read or write data in any synced realms that the user opened. As a result, any operation that has not yet completed before the initiating user logs out cannot complete successfully and will likely result in an error. Any data in a write operation that fails in this way will be lost.

Once you have an authenticated user, you can retrieve the User object with the App.CurrentUser property. The CurrentUser object is persisted in local storage, so even if the app shuts down after the initial authentication, you do not need to call LoginAsync again (unless the user logged out). Instead, use Realm.GetInstance(config), where config is a PartitionSyncConfiguration object. This approach results in a faster start-up and also enables the user to work offline.

When a user logs in, Atlas App Services creates an access token for the user that grants them access to your App. The Realm SDK automatically manages access tokens, refreshes them when they expire, and includes a valid access token for the current user with each request. If you send requests outside of the SDK (for example, through the GraphQL API) then you need to include the user's access token with each request, and manually refresh the token when it expires.

You can access and refresh a logged in user's access token in the SDK from their Realm.User object, as in the following example:

// Returns a valid user access token to authenticate requests
public async Task<string> GetValidAccessToken(User user)
// An already logged in user's access token might be stale. To
// guarantee that the token is valid, refresh it.
await user.RefreshCustomDataAsync();
return user.AccessToken;
←  Create and Delete Users - .NET SDKCustom User Data - .NET SDK →
Share Feedback
© 2023 MongoDB, Inc.


  • Careers
  • Investor Relations
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2023 MongoDB, Inc.