
Account Access

Complete guide to authentication workflows in PayloadRelay, including SSO and recovery.


Use this guide for login, recovery, confirmation, and invitation access flows.

Purpose

This page covers:

  • Login (password and OAuth).
  • Password reset (request and consume).
  • Email confirmation (preview and consume).
  • Organization invitation (preview and accept).

Prerequisites and permissions

  • Public pages: /login, /forgot-password, /password-reset, /confirm-email, /invite/accept.
  • Signup may be disabled in closed-beta environments.
  • A valid token is required for the confirm, reset, and invite flows.

Step-by-step workflow

A. Sign in

  1. Open /login.
  2. Choose email/password, or OAuth (Google, Microsoft, Apple) when enabled.
  3. Successful auth sets an HttpOnly session cookie and redirects to the app.

If your email is unconfirmed, use the Resend confirmation email action and complete the confirm flow in section C.

B. Reset password

  1. Open /forgot-password.
  2. Submit your email (POST /auth/password-reset/request).
  3. Open the reset link.
  4. The reset page validates the token (GET /auth/password-reset).
  5. Submit new password (POST /auth/password-reset/consume).

Rules:

  • New password must be at least 8 characters.
  • Reset links are single-use and time-bound.

C. Confirm account email

  1. Open confirmation link from email.
  2. The page validates the token (GET /auth/confirm).
  3. Select Confirm email (POST /auth/confirm/consume).

If validation fails, request a fresh confirmation email.

D. Accept organization invitation

  1. Open /invite/accept?token=....
  2. Review invitation preview (GET /auth/invitations/preview).
  3. Set password and optional display name.
  4. Submit acceptance (POST /auth/invitations/accept).

Rules:

  • Password must be at least 8 characters.
  • Password and confirmation must match.
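Flows B, C and D share one token lifecycle: a token is issued when the link is requested, validated on the GET preview step, and marked used on the POST consume step, so a link works once and only until it expires. The following Python model is an added illustration of that lifecycle, not PayloadRelay's own code; the one-hour TTL, the function names, the SHA-256 digest storage and the sample addresses are assumptions, while the 8-character minimum, the single-use and time-bound rules and the confirmation-match rule come from this page.

```python
import hashlib
import secrets
import time

# Illustrative values: the page states only that links are single-use and
# time-bound and that passwords must be at least 8 characters.
TOKEN_TTL_SECONDS = 3600
MIN_PASSWORD_LEN = 8


class TokenRecord:
    def __init__(self, purpose, subject, expires_at, org=None):
        self.purpose = purpose        # "reset", "confirm" or "invite"
        self.subject = subject        # the email address the link was sent to
        self.expires_at = expires_at  # absolute time in seconds
        self.org = org                # organization name, invitations only
        self.used = False             # set on consume and never cleared


class TokenStore:
    """Server-side state for emailed links. Only SHA-256 digests of tokens are
    kept, so a leaked table cannot be replayed against the consume endpoints."""

    def __init__(self, clock=time.time):
        self._records = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def issue(self, purpose, subject, org=None, ttl=TOKEN_TTL_SECONDS):
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = TokenRecord(purpose, subject, self._clock() + ttl, org)
        return token  # placed in the email link; the clear token is never stored

    def preview(self, purpose, token):
        """The GET step: validate without consuming. Returns (record, error)."""
        rec = self._records.get(_digest(token or ""))
        if rec is None or rec.purpose != purpose:
            return None, "missing token"  # a reset token must not pass as an invite token
        if rec.used:
            return None, "token already used"
        if self._clock() >= rec.expires_at:
            return None, "token expired"
        return rec, None

    def consume(self, purpose, token):
        """The POST step: the same checks as preview, then mark the token used."""
        rec, err = self.preview(purpose, token)
        if err:
            return None, err
        rec.used = True
        return rec, None


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def check_password(password, confirmation=None):
    """Returns an error string, or None when the page's password rules are met."""
    if len(password) < MIN_PASSWORD_LEN:
        return "password must be at least 8 characters"
    if confirmation is not None and password != confirmation:
        return "password and confirmation must match"
    return None


# B. Reset password: request (issue), validate (preview), consume.
def request_password_reset(store, email):
    return store.issue("reset", email)


def consume_password_reset(store, token, new_password):
    # Check the password first so a rejected submission does not burn the single-use token.
    err = check_password(new_password)
    if err:
        return False, err
    rec, err = store.consume("reset", token)
    return (False, err) if err else (True, rec.subject)


# C. Confirm account email: validate, then consume.
def confirm_email(store, token):
    rec, err = store.consume("confirm", token)
    return (False, err) if err else (True, rec.subject)


# D. Accept organization invitation: preview, then accept with a password.
def accept_invitation(store, token, password, confirmation, display_name=None):
    err = check_password(password, confirmation)
    if err:
        return False, err
    rec, err = store.consume("invite", token)
    if err:
        return False, err
    return True, {"email": rec.subject, "org": rec.org, "display_name": display_name}


if __name__ == "__main__":
    store = TokenStore()
    t = request_password_reset(store, "user@example.com")  # constructed sample address
    print(consume_password_reset(store, t, "correct horse"))  # (True, 'user@example.com')
    print(consume_password_reset(store, t, "correct horse"))  # (False, 'token already used')
```

Two points worth keeping when implementing or reviewing such a flow: the password rules are checked before the token is consumed, so a too-short or mismatched submission returns an error while the link stays valid for a retry; and a token issued for one purpose is rejected by the other endpoints as a missing token, which is the error the Common issues section below describes.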

Expected result and verification checks

  • Login grants access to authenticated pages.
  • Reset flow allows login with the new password.
  • Confirm flow marks email as confirmed.
  • Invitation acceptance creates account access in the target organization.

Common issues and fixes

  • Missing token error: use the latest link from the email.
  • OAuth button missing: the provider is not configured in this environment.
  • Invitation rejected: the token may be expired or revoked; ask your org admin to resend it.
  • Login denied after account changes: clear stale cookies and retry.
