Authenticating users with Repl.it Auth
mat1 (3290)

This tutorial will teach you how to use the Repl.it Auth API.


You are required to know the following before you start:

  • Basic knowledge of Python/Flask
  • Basic knowledge of Jinja2 (Flask templating)
  • Basic knowledge of HTML

Starting off

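We'll start off with a basic Flask template (main.py):

from flask import Flask, render_template, request
app = Flask('app')

# Serve the template at the site root
@app.route('/')
def hello_world():
  return render_template('index.html')

# Listen on all interfaces so the repl's web view can reach the app
app.run(host='0.0.0.0', port=8080)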


<!doctype html>
	<title>Repl Auth</title>

Nothing interesting yet.

The authentication script

Now, we'll add the authentication script.

	<script authed="location.reload()" src="https://auth.turbio.repl.co/script.js"></script>

This can be placed anywhere in the document body and will create an iframe in its parent element. Additionally, any JavaScript placed in the authed attribute will be executed when the person finishes authenticating, so the one above just reloads the page once the user has authenticated.
If you run it now, you will notice a big "Let (your site url) know who you are?" with a small version of your profile and an Authorize button.
You can click the button, but nothing will happen.

The headers

Now, let's make something happen.
Go back to your main.py file; we will be grabbing the Repl.it-specific headers from the request and extracting data from them.
The main ones we care about are: X-Replit-User-Id, X-Replit-User-Name, and X-Replit-User-Roles. The username one will probably be the most useful for now.
We can then pass this information to our HTML template.

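def hello_world():
	return render_template('index.html',
		user_id=request.headers.get('X-Replit-User-Id'),
		user_name=request.headers.get('X-Replit-User-Name'))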


	{% if user_id %}
	<h1>Hello, {{ user_name }}!</h1>
	<p>Your user id is {{ user_id }}.</p>
	{% else %}
	Hello! Please log in.
		<script authed="location.reload()" src="https://auth.turbio.repl.co/script.js"></script>
	{% endif %}


Now, run your code. It should display a big Hello, (your username)! along with your user ID.

If you want to port this to other languages or frameworks like NodeJS + Express, just be aware of how you can get specific request headers.


Also, be aware that if you're going to be using an accounts system, PLEASE do all the specific logic for checking users on the BACKEND, that means NOT doing it with JavaScript in your HTML. That is all.

Please upvote my post if you found it helpful :)

If you want it, here is the source code for the basic Repl Auth script demonstrated in this tutorial https://repl.it/@mat1/repl-auth-example.
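
The backend check recommended above, sketched as an added example (not part of the original post): it reads the three headers named in the tutorial and makes the access decision on the server. The `protected` decorator, the sample ids and names, and the comma-separated roles format are assumptions made for illustration.

```python
from functools import wraps

# Header names as listed in the tutorial.
ID_HEADER = "X-Replit-User-Id"
NAME_HEADER = "X-Replit-User-Name"
ROLES_HEADER = "X-Replit-User-Roles"

def identity_from_headers(headers):
    """Return the logged-in user as a dict, or None if nobody is logged in."""
    user_id = (headers.get(ID_HEADER) or "").strip()
    if not user_id:  # header absent or empty: treat the request as anonymous
        return None
    # Assumption: roles arrive as a comma-separated list.
    raw_roles = headers.get(ROLES_HEADER) or ""
    roles = [r.strip() for r in raw_roles.split(",") if r.strip()]
    return {"id": user_id, "name": headers.get(NAME_HEADER) or "", "roles": roles}

def decide(headers, allowed_ids):
    """Server-side access decision: returns (HTTP status, user or None)."""
    user = identity_from_headers(headers)
    if user is None:
        return 401, None
    if user["id"] not in allowed_ids:
        return 403, user
    return 200, user

def protected(allowed_ids, get_headers):
    """Decorator for a view; in Flask pass get_headers=lambda: request.headers."""
    def wrap(view):
        @wraps(view)
        def inner(*args, **kwargs):
            status, user = decide(get_headers(), allowed_ids)
            if status != 200:
                return ("Please log in" if status == 401 else "Forbidden"), status
            return view(user, *args, **kwargs)
        return inner
    return wrap

# Constructed sample requests (the ids, names and roles are made up).
ADMIN_IDS = {"1001"}
ANON = {}
ALICE = {ID_HEADER: "1001", NAME_HEADER: "alice", ROLES_HEADER: "explorer, admin"}
BOB = {ID_HEADER: "2002", NAME_HEADER: "bob", ROLES_HEADER: ""}

def admin_page(headers):
    """Run a protected view against one set of request headers."""
    view = protected(ADMIN_IDS, lambda: headers)(lambda user: ("Hello, " + user["name"], 200))
    return view()
```

The views return `(body, status)` tuples, which Flask accepts as a response, so `protected` can sit directly under `@app.route(...)`.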

amasad (2510)

First person makes something cool with this will get a MAJOR shoutout on the next newsletter.

qualladoom (320)

@mat time for a real life example!?

Coder100 (6319)

How about creating and storing data with the repl.it accounts? @enigma_dev

Scoder12 (709)

@amasad I used to constantly use this bookmarklet script that would allow me to get to a repl quickly, now I made it into a site that anyone can use with repl auth: http://repl-chooser.scoder12.repl.co/

amasad (2510)

@21natzil can you please showcase repl auth and repl mail/chat in the next newsletter? @MrEconomical

MrEconomical (2189)

@amasad thanks for featuring my project! it really means a lot to me!

mylesbartlett (3)

Yeah, JavaScript logic for checking users is asking for some attacker to come and bypass authentication.

Scoder12 (709)

@mylesbartlett there's no way to circumvent it as repl sends the authentication headers to the server and there's no way to forge them. Content security policies prevent most iframe attacks you can think of, so I would say it's pretty secure.

AgastyaSandhuja (148)

Would getting the user's profile picture be

def hello_world():
  return render_template(

or something like that...?

minx28 (342)

@AgastyaSandhuja I don't think so. If you want a user's avatar you'll probably have to scrape it off their profile page.

MarcusWeinberger (424)

Hey, do you have any idea why this wouldn't be working on an iPhone? I'm getting the error message An error occured Failed to authenticate :( on a plain white screen. This is inside the popup window, by the way.

PYer (3396)

Any way to add styling to the button that shows up?

CodeSalvageON (558)

imma use this to burn users at da stake

LiamDonohue (294)

tip from google


JamesGordon1 (116)

How would I make this backend? I need it for this project I'm making: https://repl.it/@JamesGordon1/Simple-chat-V01

AdCharity (1273)

@JamesGordon1 you could probably make a request to repl.it/login but since you don't host a site with flask or something similar I'm not sure how you'd set it up.

ItzMeWilliam (11)

If you want to use repl.it authentication with PHP: https://repl.it/@William3/repl-auth-php

SixBeeps (2827)

I didn't know this existed, thank you for spreading thy knowledge :)

MrEconomical (2189)

@mat1 is there any way to customize the auth page, to change the theme?

Coder100 (6319)

You shouldn't be able to. It's just like using google auth api. The only thing you can change is the auth key. @MrEconomical

AdCharity (1273)

@Coder100 you can actually make custom google auth buttons, but there are some requirements (like the google logo)

Coder100 (6319)

well yeah, but the prompt that shows up to log in I don't think you can change @AdCharity

AdCharity (1273)

Would this be possible (without accounts) for pure HTML CSS and JS?

Coder100 (6319)

Probably not, you need a backend to parse the requests. @AdCharity

Coder100 (6319)

This is a great post! Is there a way to make a node.js version of this?

mat1 (3290)

@Coder100 It's pretty similar, just get the headers of the request (in Express it's req.headers), and grab whatever information you want from there (req.headers['x-replit-user-name']). Also instead of Jinja2 you'll probably be using EJS.

Coder100 (6319)

What is the authed attribute? Doesn’t seem to do anything @mat1

Coder100 (6319)

Nvm, but how does the iframe get hidden with express? @Coder100

mat1 (3290)

@Coder100 You can make templates in NodeJS with EJS. Here's a tutorial on how you can do that: https://www.tutorialspoint.com/expressjs/expressjs_templating.htm

Coder100 (6319)

How do I use pug on repl.it? @mat1

ironblockhd (333)

@Coder100 @mat1 is this secure? I'm planning to make password resets with it