Skip to content
Last updated

Login identifiers

Frontegg supports three login identifiers: email, username, and phone number. You can configure which identifiers users provide during sign-up and which they use to sign in, giving you full control over the authentication experience without forcing every user into an email-centric flow.


Why flexible identifiers

Not every user has an email address, and not every product should require one. Whether you're launching a new app with SMS-first onboarding, migrating users from an existing auth system, or supporting username-based access without email, Frontegg lets vendors choose how users identify themselves — making migration and new deployments simpler.

Common scenarios:

  • SMS-first onboarding — Collect a phone number at sign-up and let users sign in with an SMS one-time code, without requiring email.
  • Legacy system migration — Import users who authenticate with a username or phone number from your previous provider and match them in Frontegg.
  • Username-only products — Offer apps where users pick a handle and password, with no email required.

Supported identifiers

IdentifierSign-upSign-in
EmailSupportedPassword, magic code, magic link
UsernameSupportedPassword; magic code and magic link (code or link sent to the associated email)
Phone numberSupportedSMS one-time code

At least one identifier must be enabled for sign-up. You can combine identifiers — for example, email and username together, or username and phone number without email.

Supported configurations

Configure identifier combinations in the Frontegg Builder under SignupManage signup form. The table below shows the main patterns vendors use:

ConfigurationTypical use case
Email onlyDefault B2B SaaS flow with email verification
Email + usernameUsers sign in with either email or username and a password
Email + phone numberEmail for password or magic link; phone for SMS sign-in
Username + phone numberNo email required; SMS-first or username-first products
Username onlyInternal tools or communities where email is not collected

For step-by-step builder instructions, see User signup and User sign-in.

Sign-up behavior by identifier

Email

Users register with an email address. If email verification is enabled, users must verify before they can sign in.

Username

Users register with a username and password. When username is the only identifier collected at sign-up (no email or phone number), account activation is skipped — Frontegg does not send an activation email, regardless of your environment-level email verification setting. If the sign-up form also collects email or a phone number, standard activation rules apply.

At sign-up, usernames must contain only letters, numbers, periods (.), underscores (_), and hyphens (-), with a maximum length of 255 characters.

Phone number

Users register with a phone number. Verification depends on your field requirements in the builder. If the phone number was not verified at sign-up, users are prompted to verify it on their first SMS sign-in. See SMS sign-in for details.

When both email and phone number are required on the sign-up form, email verification takes priority; phone verification can be completed during a later sign-in.

Sign-in behavior by identifier

Password

Users enter an email or username and a password. See Password authentication.

Magic code and magic link

Users enter an email or username. Frontegg sends the one-time code or link to the email address associated with the account. See Passwordless authentication.

SMS

Users enter a phone number (or, if configured, can use email or username where supported). Frontegg sends a one-time code via SMS. See SMS sign-in.

Custom sign-up forms

If you build your own sign-up UI instead of using the hosted login box, call the sign-up API that matches the identifier type:

IdentifierEndpoint
EmailPOST /resources/users/v1/signUp
Phone numberPOST /resources/users/v1/signUp/phoneNumber
UsernamePOST /resources/users/v1/signUp/username

Each endpoint is available only when the corresponding identifier is enabled in your environment's sign-up configuration. For a full custom sign-up walkthrough, see Bring your own sign-up form.

Rate limits

Sign-up routes are intended for client-side use and are rate-limited.

Password reset

Users can reset a forgotten password using their email or phone number. If the user has a verified phone number on file, they can receive a one-time code via SMS to complete the reset. See Managing passwords.