Master advanced user authentication patterns in Bubble including combining email and social login, handling authentication errors gracefully, maintaining auth state across sessions, and debugging login issues. This tutorial goes beyond basic signup to cover the full authentication lifecycle with error handling and session management.
Overview: Handling User Authentication in Bubble
This tutorial covers advanced authentication patterns in Bubble beyond basic registration and login. You will learn to combine multiple login methods, handle auth errors gracefully, maintain login state across page navigations and browser sessions, and debug common authentication problems. Essential for any production Bubble app that needs reliable user authentication.
Prerequisites
- A Bubble account with an existing app
- Basic user registration and login already set up
- Understanding of Bubble workflows and conditionals
- OAuth plugins installed if using social login (Google, Facebook)
Step-by-step guide
Build a unified login page with email and social options
Build a unified login page with email and social options
Create a login page with a central Group. At the top, add social login buttons (Sign in with Google, Sign in with Facebook) that trigger their respective OAuth plugin actions. Below, add a divider with text 'or continue with email'. Below that, add email and password Input elements and a Log In button. For registration, add a toggle link that shows a registration form with Name, Email, Password, and Confirm Password fields. Use custom states to toggle between login and registration views without separate pages.
Expected result: A single login page offers both social login buttons and email/password fields, with a toggle to switch to registration.
Handle authentication errors with user-friendly messages
Handle authentication errors with user-friendly messages
In the login workflow, use the Log the user in action. After this action, add an Only when condition that checks for errors. Bubble provides an 'An unhandled error occurs' event that you can use at the page level. Create this event and add conditionals: when Current workflow error's message contains 'INVALID_LOGIN_CREDENTIALS', show an Alert with 'Incorrect email or password.' When it contains 'USER_NOT_FOUND', show 'No account found with this email.' When it contains any other error, show a generic 'Something went wrong. Please try again.' Store error messages in a custom state and display them in a red Text element below the form.
Pro tip: Customize error messages in Settings then Languages tab to replace Bubble's default technical messages with user-friendly text.
Expected result: Authentication errors display clear, friendly messages instead of technical error strings.
Redirect unauthenticated users from protected pages
Redirect unauthenticated users from protected pages
On every page that requires login, add a Page is loaded event with an Only when condition: Current User is logged out. In the workflow, add a Go to page action targeting the login page. For a centralized approach, create a Reusable Element called Auth Guard containing this workflow, and place it on every protected page. To preserve the intended destination, add a URL parameter: append ?redirect= followed by the current page path. After successful login, read this parameter and redirect the user to their intended page.
Expected result: Unauthenticated users are automatically redirected to the login page, and returned to their intended page after logging in.
Merge social and email accounts for the same user
Merge social and email accounts for the same user
When a user signs up with Google and later tries to log in with email using the same address (or vice versa), Bubble creates separate accounts. To prevent this, after social login check if a user with that email already exists. If yes, link the social identity to the existing account using the Make changes to a thing action to update the existing user's record. Show a message saying 'We found an existing account with this email. Your accounts have been linked.' Handle the reverse case by checking for social identities during email registration.
Expected result: Users who sign up with different methods using the same email address have their accounts merged rather than duplicated.
Implement session persistence and timeout
Implement session persistence and timeout
Bubble maintains sessions using cookies by default. For custom session control, create a custom state or database field called Last Activity (date) on the User. Update it on each page load and significant user action. Add a recurring Do when condition is true event that checks if Current date/time minus Current User's Last Activity exceeds your timeout threshold (such as 30 minutes). When triggered, log the user out and redirect to the login page with a message 'Your session has expired.'
Expected result: User sessions persist across browser tabs and page reloads, with automatic logout after a configurable inactivity period.
Debug authentication issues using the Debugger and Logs
Debug authentication issues using the Debugger and Logs
When authentication fails unexpectedly, use these diagnostic steps. In preview mode, open the Debugger and step through the login workflow to see which action fails. Check the Server Logs for error details. Common issues: the Privacy Rules on the User Data Type blocking the login lookup (temporarily disable to test), email casing mismatch (Bubble is case-sensitive for emails), or a plugin conflict with the authentication flow. Test with a fresh browser profile to rule out cached cookie issues.
Pro tip: Create a test user with a known email and password. Use this account to verify the basic login flow works before debugging more complex scenarios.
Expected result: You can systematically identify and resolve authentication failures using the Debugger, Server Logs, and Privacy Rule inspection.
Complete working example
1USER AUTHENTICATION — WORKFLOW SUMMARY2=======================================34PAGE: login5 Custom states:6 - Show Mode (text: 'login' or 'register')7 - Error Message (text)8 - Redirect URL (text, from URL parameter)910WORKFLOW 1: Email Login11 Trigger: Log In button clicked12 Actions:13 1. Log the user in (email, password)14 2. Go to page (Redirect URL or dashboard)15 Error handler:16 - Set state Error Message = friendly text1718WORKFLOW 2: Google Login19 Trigger: Sign in with Google clicked20 Actions:21 1. Signup/login with Google OAuth22 2. Check: existing user with same email?23 If yes → merge accounts24 3. Go to page (Redirect URL or dashboard)2526WORKFLOW 3: Registration27 Trigger: Sign Up button clicked28 Condition: Password = Confirm Password29 Actions:30 1. Sign the user up (email, password)31 2. Make changes → set Name field32 3. Send email verification33 4. Go to page (dashboard)3435WORKFLOW 4: Auth Guard (on protected pages)36 Trigger: Page is loaded37 Condition: Current User is logged out38 Actions:39 1. Go to page → login?redirect=current_page4041WORKFLOW 5: Session Timeout42 Trigger: Do when condition is true (every 5 min)43 Condition: now - Last Activity > 30 min44 Actions:45 1. Log the user out46 2. Go to page → login (message: session expired)4748WORKFLOW 6: Update Last Activity49 Trigger: Page is loaded (all protected pages)50 Actions:51 1. Make changes to Current User52 Last Activity = Current date/timeCommon mistakes when building user authentication in Bubble
Why it's a problem: Not handling the case where social login and email accounts use the same email
How to avoid: After social login, check for existing accounts with the same email and merge them rather than creating a new user
Why it's a problem: Displaying raw Bubble error messages to users
How to avoid: Map each error code to a friendly message using conditionals or the Languages tab in Settings
Why it's a problem: Not preserving the redirect URL when sending users to login
How to avoid: Pass the intended page as a URL parameter (?redirect=page-name) and use it after successful authentication
Best practices
- Provide both social login and email options on the same page for maximum flexibility
- Map all authentication error codes to user-friendly messages
- Implement redirect preservation so users return to their intended page after login
- Check for duplicate accounts when users sign in with different methods using the same email
- Add session timeout for security, especially for apps handling sensitive data
- Use the Debugger and Server Logs as first diagnostic steps for auth issues
- Test authentication flows in an incognito browser window to avoid cached session interference
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I need to improve the authentication system in my Bubble.io app. I want to combine Google and email login, handle errors with friendly messages, redirect unauthenticated users to login, and add session timeout. What are the best practices?
Set up a login page with both Google OAuth and email/password login. Add error handling that shows friendly messages when login fails. Include a redirect system that sends logged-out users to the login page.
Frequently asked questions
How does Bubble handle session persistence?
Bubble uses browser cookies to maintain sessions. By default, sessions persist until the user explicitly logs out or clears their cookies. There is no built-in session timeout, so you must implement it yourself using Last Activity tracking.
Can I add two-factor authentication?
Yes. See our dedicated 2FA tutorial. You can implement TOTP-based 2FA using a plugin or API Connector with a service like Twilio for SMS codes.
Why does login fail with correct credentials?
Common causes: Privacy Rules on the User Data Type blocking the lookup, email case mismatch (test@email.com vs Test@email.com), or the user signed up with a social login method and has no password set.
How do I force HTTPS for authentication pages?
Bubble serves all pages over HTTPS by default. Custom domains require DNS configuration for SSL. Check that your domain settings show a valid SSL certificate in Settings then Domain/email.
Can RapidDev help implement enterprise authentication?
Yes. RapidDev can help implement SSO, SAML integration, role-based access control, audit logging, and other enterprise authentication requirements for your Bubble app.
How do I test authentication without creating real accounts?
Create test accounts in the Data tab under App data then User. Set known passwords for testing. Use Bubble's Run as feature in the editor to simulate different user accounts.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation