Skip to content
Worldview
Get started

Sign Up & Authentication

How to create an account, verify your email, and log in with Zitadel OIDC.

On this page (5)

Worldview uses Zitadel as its identity provider. Zitadel is an open-source OIDC/OAuth 2.0 platform — your credentials are never stored directly in Worldview's database.

Create an account

  1. Go to the registration page

    Navigate to /register. Enter your email address and choose a strong password (minimum 10 characters).

  2. Submit the form

    Click Create account. Worldview sends a verification email via Zitadel's email service within a few seconds.

  3. Verify your email

    Open your inbox and click the Verify email link. The link is valid for 24 hours. If it expires, use the Resend verification link on the login page.

  4. Sign in

    Return to /login, enter your credentials, and click Sign in. You are redirected to /dashboard.

PKCE flow

The browser uses the OAuth 2.0 PKCE (Proof Key for Code Exchange) flow. Your access token lives in React state only — it is never written to localStorage or cookies, which prevents token theft via XSS.

Development login

For local development, when Zitadel is not configured, Worldview ships a convenience endpoint:

curl -X POST http://localhost:8000/v1/auth/dev-login \
  -H "Content-Type: application/json" \
  -d '{"email": "dev@example.com"}'
# Returns: { "access_token": "...", "token_type": "bearer" }

The /login page shows a Dev Login button automatically when NEXT_PUBLIC_DEV_LOGIN_ENABLED=true.

Token lifecycle

TokenLifetimeStorage
Access token1 hourReact state (memory only)
Refresh token30 daysZitadel session cookie (HttpOnly, Secure)
Internal JWT (X-Internal-JWT)5 minutesPassed as request header to backends

Worldview silently refreshes the access token in the background when it has less than 5 minutes remaining. You should never see an unexpected logout during an active session.

Password reset

  1. Click Forgot password on the login page
  2. Enter your email address
  3. Click the reset link in your inbox (valid 1 hour)
  4. Set a new password and sign in

Email delivery

Verification and reset emails may land in your spam folder. Add noreply@worldview.app to your contacts to prevent this.

Security tips

  • Use a unique password not shared with any other service
  • The access token is scoped read/write for your own tenant — it cannot access other users' data
  • If you suspect your account is compromised, change your Zitadel password immediately and all active sessions will be revoked

Was this page helpful?

Last updated