AuthRocket 2 is here. Read the announcement or try it now.

AuthRocket 2 is here

February 24, 2020

Today we’re excited to share with you the next generation of AuthRocket.

Two years ago we started asking some big questions: Given everything we’ve learned, how would we build AuthRocket today? What would we keep? What could we do better? What have we learned from years of discussions with customers?

We gave ourselves freedom to rethink things, without boundaries. How could we simplify not just authentication, but ultimately, app development? Could we make all-things-auth nearly invisible for developers?

The result is AuthRocket 2. We’ve changed some things. We’ve kept other things. We’ve even rebuilt some parts completely.

This is actually just the beginning. We have more in mind yet, but we’re excited to share this much with you now, without waiting any longer.

Some highlights:


LoginRocket, our hosted logins and signups feature, has been completely rebuilt. It has a fresh look. More significantly, it now provides user profile management, including updating emails and passwords, enrolling in 2FA, refer-a-friend, and more.

Also new is multi-user (team) accounts management, which includes adding and removing team members, sending invitations, and even permissions management. All this is for your users to self-manage. No more need to build your own UI against our API.

Custom domains for LoginRocket now automatically provision TLS/SSL certs via LetsEncrypt. No need to upload (or pay for) custom certs anymore.


It’s now easier than ever to add your branding to LoginRocket and elsewhere. Upload logos and select colors directly, without messing with CSS or external image hosting.


AuthRocket now supports three different types of invitations:

Prelaunch / closed signups - Not ready to launch publicly yet? Allow visitors to request invitations, and send out those invitations as you’re ready. Or even close signups entirely, but still invite trusted friends and colleagues to try out your app ahead of time.

Refer a friend - Make it easy for users to invite others to signup for your app, helping spread the word.

Join my account - For multi-user accounts, allow users to invite new members to join their account. Account owners can assign permissions ahead of time, which will be automatically added when the new user accepts the invitation and creates a login.

All of these are built-in to LoginRocket, in addition to being available via the AuthRocket API.

Account switching

When users are members of more than one account, LoginRocket can now help users switch between those accounts. Login tokens will reflect the current account choice, eliminating the need for your app to even know about user-to-account relationships. The API has also been extended to include the same functionality.

Login tokens

Login tokens (which are JWTs) are now OpenID Connect compatible, making it super easy to integrate with OIDC-compatible libraries in your language of choice.

A new JWKS endpoint enables easy retrieval of public login token signing keys, eliminating the need to manage these keys separately. This also makes it easier than ever for SPAs or 3rd parties to validate login tokens without compromising security.

Better still, some of our official libraries now know how to use this new endpoint on their own, making it possible to integrate without worrying about JWT signing keys at all.

Even more

Outbound email may now be sent through Mailgun, SendGrid, or your SMTP provider of choice. Login session timeouts are more configurable. We’ve simplified much of the UI.

There are countless other changes that we haven’t covered here. Do let us know if you’re looking for something specific and can’t find it.

AuthRocket 1 customers

If you’re an existing customer, after reading the above you may (quite legitimately) be wondering how this affects your existing account. Does this break things? How long do I have to migrate?

The changes in AuthRocket 2 are far reaching and do break backwards compatibility. Rather than burden you with a forced migration, there’s a better way.

AuthRocket 1 will continue to operate as-is for existing paid customers.

That means everything remains the same—same URLs, same APIs, same features. Nothing to break because your account stays on AR 1.

AuthRocket 1 will continue to receive security updates and bug fixes. As you might guess, there won’t be much in the way of new features though—that’s what AR 2 is for. But, if you’re happy with AR 1, we don’t want to take that away from you.

We’re still working out migration options for those interested in making the jump to AR 2. If that’s something you’d like to do, please contact us.

Please also feel free to signup for a new AuthRocket 2 trial and kick the tires a bit. It’s a separate login, so it won’t interfere with your existing account at all.

Try it out

That’s AuthRocket 2. It’s our best work ever and we really hope you like it.

Want to try it out? Simply signup for a new AuthRocket 2 account and give it a spin.

Logins are separate from AR 1, so if you had an AR 1 login, you’ll need a new login for AR 2.

Questions, concerns, or other thoughts? We’d love to hear from you. Give us a shout.