Set up authentication for your application

Aha! Builder

Authentication controls who can access your application and how they sign in. Applications you build in Aha! Builder include built-in authentication. You do not need to write code or configure an external service to protect them.

Click Configuration in your application's navigation bar and select the Authentication tab. Authentication is organized into three sub-tabs — Configurations, Users, and IP addresses — and your settings apply separately to your Preview and Production environments, so you can test changes in preview without affecting your live application.

Choose authentication methods

The Configurations sub-tab controls which sign-in methods your application supports. Toggle each method on or off based on what your users need. You can enable more than one at the same time.

Aha! Builder supports six authentication methods:

| Method | Description | Best for |
|---|---|---|
| Password | Sign in with an email address and password | Applications where you want full control over user accounts, or where your users do not have a shared identity provider |
| Aha! | Sign in with an Aha! account | Applications built for existing Aha! users |
| Google | Sign in with a Google account | Teams that use Google Workspace |
| GitHub | Sign in with a GitHub account | Technical teams that already use GitHub |
| Microsoft | Sign in with a Microsoft account | Teams that use Microsoft 365 or Entra ID |

If your users share a common identity provider (e.g., Google Workspace, Microsoft 365, or GitHub), enable that provider and disable Password. This gives your users a familiar, one-click sign-in experience and avoids the need to manage separate passwords.

If your users come from different organizations or do not share a common provider, enable Password so they can create accounts with their email address. You can enable additional providers alongside Password. Your users will see all enabled options on the sign-in page and can choose what is most convenient.

Your application users do not need an Aha! account to sign in with any method other than Aha!. Authentication for your application is completely separate from your Aha! Builder account. Anyone you authorize can access your application, whether or not they use Aha! software.

Add a custom SAML provider

If your organization uses its own single sign-on (SSO) identity provider, add it under SAML on the Configurations sub-tab. Click Add provider to connect a new SAML identity provider, or Manage providers to edit or remove existing ones. Your users can then sign in with their existing SSO credentials alongside any other authentication methods you have enabled.

Control who can create an account

The Allow signup toggle on the Configurations sub-tab controls whether new people can create accounts in your application.

  • On: Anyone who visits your application can create an account using the enabled authentication methods. This is useful during early development or for applications where you want open access.

  • Off: Only people who already have an account can sign in. New visitors cannot create accounts on their own. Use this setting when you want to control exactly who has access — for example, by creating accounts yourself before sharing the application link.

Disabling signup does not affect existing users. They can continue to sign in as usual.

Preview and production authentication

Your application has two separate environments — Preview and Production — and each maintains its own authentication configuration and user list. Use the Preview and Production toggle at the top of the Authentication tab to switch between them.

  • Preview is your building and testing environment. Configure authentication here first. When you preview your application, you use the authentication methods you have enabled in this environment.

  • Production is what your users see. Update settings in the preview environment, then deploy them to production so they take effect there. The production environment authentication settings are read-only.

Changes in one environment do not affect the other. A few things to keep in mind:

  • User accounts are separate between environments: A user who signs up in preview does not automatically have an account in production (and vice versa).

  • Test your sign-in flow in preview first: Enable the authentication methods you plan to use, then open your application in a new browser window to confirm the sign-in experience works as expected.

Manage application users

The Users sub-tab shows everyone who has signed in to your application. The table includes:

| Column | Description |
|---|---|
| Email | The user's email address |
| Name | The user's display name |
| Verified | Whether the user's email address has been verified |
| Identities | The identity provider they used to sign in (for example, Aha!, Password, Google, GitHub, or Microsoft) |
| Created | When the user's account was created |

Click a user's email to open their details. The user detail view shows their email, name, verification status, and when they were created and last appeared. From here you can:

  • Reset their password: Click Reset password to send a password reset to the user's email address.

  • Review linked identities: The Single sign on section shows which external identity providers the user has used to sign in. You can Remove an identifier if a user needs to relink their account with a different provider.

Restrict access by IP address

The IP addresses sub-tab limits access to your production application by IP address. Only users whose IP address matches the filter you configure can reach your application. Use this to restrict a business application to your corporate network, a VPN range, or specific office locations.

Enter one or more IP address filters as a comma-delimited list in the IP filter field. Leave the field blank to allow access from any IP address. Supported entry formats:

  • IPv4 address: A single address, such as 192.168.1.1.

  • CIDR block: A range in CIDR notation, such as 192.168.0.0/16.

  • IPv4 address + netmask: An address paired with a netmask, such as 192.168.1.0/255.255.255.240.

  • IPv4 address range: A start and end address separated by a hyphen, such as 192.168.0.1-192.168.255.255.

Verify your own IP is included before you save, or you will be locked out along with everyone else.

Click Update IP access to save your filter. Changes take effect immediately on your production application. IP restrictions apply only to your production application. Your preview environment is unaffected.
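
A pre-save check for the lockout risk described above, as an added example that is not Aha! Builder's own code: it parses a comma-delimited filter in the four documented formats and reports which of your addresses it would block. The function names and the sample filter (documentation-range addresses) are constructed, and it assumes ranges are inclusive and host bits in a CIDR entry are ignored; the product's parser may differ.

```python
import ipaddress

def parse_entry(entry):
    """Return inclusive (first, last) IPv4Address bounds for one filter entry."""
    entry = entry.strip()
    if "-" in entry:  # IPv4 address range: start-end
        start, end = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if start > end:
            raise ValueError(f"range start is after range end: {entry}")
        return start, end
    if "/" in entry:  # CIDR block or address + netmask (both accepted here)
        # Assumption: host bits are masked off rather than rejected.
        net = ipaddress.IPv4Network(entry, strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.IPv4Address(entry)  # single IPv4 address
    return addr, addr

def parse_filter(text):
    """Parse the comma-delimited filter; malformed entries raise ValueError."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]

def is_allowed(ip, text):
    """True if ip falls inside any entry; a blank filter allows every address."""
    ranges = parse_filter(text)
    if not ranges:
        return True
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in ranges)

def check_before_save(my_ips, text):
    """Return the addresses from my_ips that the filter would lock out."""
    return [ip for ip in my_ips if not is_allowed(ip, text)]

# Constructed sample: one entry in each of the four documented formats.
SAMPLE_FILTER = (
    "203.0.113.10, 198.51.100.0/24, "
    "192.0.2.0/255.255.255.240, 10.8.0.1-10.8.0.254"
)

if __name__ == "__main__":
    # Constructed addresses standing in for an office egress IP and a VPN client.
    mine = ["192.0.2.16", "10.8.0.5"]
    blocked = check_before_save(mine, SAMPLE_FILTER)
    if blocked:
        print("Do not save yet; these addresses would be locked out:", blocked)
    else:
        print("All listed addresses are covered by the filter.")
```

Run it with the public address your browser actually presents (the egress address of your office or VPN), not the private address of your workstation.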
