Tutorial: Guest login


Guest login makes it possible to authenticate users without any explicit credentials. The authentication is based on a temporary session (associated with your Webcom application), which is created locally on the client device. Anyone invoking the guest login on this device will then always be authenticated the same way (i.e. with the same account identifier).

It can be useful to allow a guest user to modify the data s/he created while giving other users read-only access to the same data. Think, for example, of a blog service (with comments) where users can edit their posts. Another example could be a guest user on a chat service: the user doesn't need to sign in, but the service is able to securely identify her/his messages.

On the back-end side, a new temporary account identifier (uid) is generated when a user authenticates with guest login. It remains valid until her/his session ends (as configured in the "authentication" tab of the Webcom developer console) or s/he explicitly signs out.

If you wish to keep the uid of a guest user beyond that point, you have to associate it with another permanent identity (for example an email-based one) before it expires.

Guest login usage

To use guest login, it must first be enabled in the "authentication" tab of the Webcom developer console.

Then, simply use the following snippet (replace “<your-app>” with your actual application identifier):

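var ref = new Webcom("<your-app>");
// start the guest login; the returned promise resolves with the signed-in identity
ref.authAnonymously()
    .then(auth => console.log("Anonymously logged in with the following identity:", auth))
    .catch(error => console.log("Authentication error: ", error));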

The auth parameter returned by the promise is a JSON object representing the signed in identity, which directly feeds the current authentication state. The provider property here equals "anonymous".

Webcom ref = new Webcom(new WebcomApp("<your-app>"));
// callbacks invoked when the guest login completes or fails
final OnAuth listener = new OnAuth() {
    public void onComplete(@Nullable AuthResponse authResponse) {
        Log.v(TAG, "Anonymously logged in with the account:" + authResponse.getUid());
    }
    public void onError(WebcomError webcomError) {
        Log.v(TAG, "Error : " + webcomError.getMessage());
    }
};

In case of error, the onError method is called with an object describing the root cause of the error. Otherwise, the onComplete method is called with an authResponse representing the signed in identity, which directly feeds the current authentication state.

let authenticationService = Webcom.defaultApplication.authenticationService
let guestMethod = AuthenticationMethodGuest()
// the completion closure receives either the signed-in identity or an error
authenticationService.authenticate(with: guestMethod) { result in
    switch result {
    case let .success(details):
        print("Logged in with the account:", details.uid)
    case let .failure(error):
        print("Error:", error)
    }
}

Security rules

The authentication state passed to security rules (auth variable) contains no more than the generic provider, providerUid and uid fields (see authentication model).

Here is a typical example of security rules in the context of guest login:

{
  "rules": {
    "users": {
      "$userId": {
        // allow the user itself to edit its own profile
        ".write": "auth !== null && auth.uid === $userId",
        // allow only guest users to read
        ".read": "auth !== null && auth.provider === 'anonymous'"
      }
    }
  }
}
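
The decisions these two rules produce for different authentication states, as an added example (a local simulation, not the Webcom rules engine and not code from the Webcom documentation). The uid and providerUid values and the "password" provider name are constructed for illustration; evaluating the rule strings as JavaScript is an assumption that holds for these two expressions.

```javascript
// Local simulation of the two rules above; NOT the Webcom rules engine.
// The rule strings are copied from the page. Evaluating them with Function()
// is an assumption that works because both are also valid JavaScript.
const rules = {
  write: "auth !== null && auth.uid === $userId",
  read: "auth !== null && auth.provider === 'anonymous'",
};

// Evaluate one rule for an auth state and the $userId segment of the path.
function allowed(op, auth, userId) {
  const check = new Function("auth", "$userId", `return (${rules[op]});`);
  return Boolean(check(auth, userId));
}

// Constructed auth states with only the fields passed to security rules.
const guestA = { provider: "anonymous", providerUid: "p-a", uid: "guest-a" };
// Same person after the session ended: guest login issued a new uid.
const guestA2 = { provider: "anonymous", providerUid: "p-a2", uid: "guest-a2" };
// Hypothetical non-guest identity (provider name is an assumption).
const passwordUser = { provider: "password", providerUid: "alice@example.org", uid: "user-1" };

function decisionTable() {
  const cases = [
    ["signed out", null, "guest-a"],
    ["guest A, own node", guestA, "guest-a"],
    ["guest A, other node", guestA, "guest-b"],
    ["guest A after new session", guestA2, "guest-a"],
    ["password user, own node", passwordUser, "user-1"],
  ];
  return cases.map(([who, auth, node]) => ({
    who,
    node,
    read: allowed("read", auth, node),
    write: allowed("write", auth, node),
  }));
}

console.table(decisionTable());
```

Two rows deserve attention: a guest whose session has ended can still read but can no longer write the node created under the old uid, and a non-guest user can write its own node yet cannot read it, because the read rule tests only the provider.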