Frontegg supports three login identifiers: email, username, and phone number. You can configure which identifiers users provide during sign-up and which they use to sign in, giving you full control over the authentication experience without forcing every user into an email-centric flow.
Not every user has an email address, and not every product should require one. Whether you're launching a new app with SMS-first onboarding, migrating users from an existing auth system, or supporting username-based access without email, Frontegg lets vendors choose how users identify themselves — making migration and new deployments simpler.
Common scenarios:
- SMS-first onboarding — Collect a phone number at sign-up and let users sign in with an SMS one-time code, without requiring email.
- Legacy system migration — Import users who authenticate with a username or phone number from your previous provider and match them in Frontegg.
- Username-only products — Offer apps where users pick a handle and password, with no email required.
| Identifier | Sign-up | Sign-in |
|---|---|---|
| Supported | Password, magic code, magic link | |
| Username | Supported | Password; magic code and magic link (code or link sent to the associated email) |
| Phone number | Supported | SMS one-time code |
At least one identifier must be enabled for sign-up. You can combine identifiers — for example, email and username together, or username and phone number without email.
Configure identifier combinations in the Frontegg Builder under Signup → Manage signup form. The table below shows the main patterns vendors use:
| Configuration | Typical use case |
|---|---|
| Email only | Default B2B SaaS flow with email verification |
| Email + username | Users sign in with either email or username and a password |
| Email + phone number | Email for password or magic link; phone for SMS sign-in |
| Username + phone number | No email required; SMS-first or username-first products |
| Username only | Internal tools or communities where email is not collected |
For step-by-step builder instructions, see User signup and User sign-in.
Users register with an email address. If email verification is enabled, users must verify before they can sign in.
Username
Users register with a username and password. When username is the only identifier collected at sign-up (no email or phone number), account activation is skipped — Frontegg does not send an activation email, regardless of your environment-level email verification setting. If the sign-up form also collects email or a phone number, standard activation rules apply.
At sign-up, usernames must contain only letters, numbers, periods (.), underscores (_), and hyphens (-), with a maximum length of 255 characters.
Phone number
Users register with a phone number. Verification depends on your field requirements in the builder. If the phone number was not verified at sign-up, users are prompted to verify it on their first SMS sign-in. See SMS sign-in for details.
When both email and phone number are required on the sign-up form, email verification takes priority; phone verification can be completed during a later sign-in.
Password
Users enter an email or username and a password. See Password authentication.
Magic code and magic link
Users enter an email or username. Frontegg sends the one-time code or link to the email address associated with the account. See Passwordless authentication.
SMS
Users enter a phone number (or, if configured, can use email or username where supported). Frontegg sends a one-time code via SMS. See SMS sign-in.
If you build your own sign-up UI instead of using the hosted login box, call the sign-up API that matches the identifier type:
| Identifier | Endpoint |
|---|---|
POST /resources/users/v1/signUp | |
| Phone number | POST /resources/users/v1/signUp/phoneNumber |
| Username | POST /resources/users/v1/signUp/username |
Each endpoint is available only when the corresponding identifier is enabled in your environment's sign-up configuration. For a full custom sign-up walkthrough, see Bring your own sign-up form.
Rate limits
Rate limits
Sign-up routes are intended for client-side use and are rate-limited.
Users can reset a forgotten password using their email or phone number. If the user has a verified phone number on file, they can receive a one-time code via SMS to complete the reset. See Managing passwords.