Registering users without username and password

System Information
  • Strapi Version: 3.6.2
  • Operating System: macOS
  • Database: MongoDB
  • Node Version: 14.6.1
  • NPM Version: 6.14.12
  • Yarn Version: 1.22.0

Hi,

I’m trying to create a Strapi backend that could register users without a username and password.
I want to store only email addresses.
Logging in will be performed by clicking a link sent via email. The link will redirect to a page that will generate a JWT token.
Is it doable with Strapi?

I’m using the GraphQL extension.
I started with exploring users-permissions plugin.
I removed username and password attributes from User model.
Those fields disappeared from Users collection in admin panel but they’re still required in GraphQL register mutation as part of UsersPermissionsRegisterInput type.

When I copy schema.graphql.js to the config folder (to remove username and password from the type), I get the error: There can be only one type named "UsersPermissionsMe"
so it looks like I cannot modify those GraphQL types this way.

How to make registration with email field only?

I guess further steps regarding logging in without a password will be achievable using a custom controller, will they?

I’ve figured out how to get rid of the username.
In User.settings.json I changed the attributes to:

    "username": {
      "type": "string",
      "unique": false,
      "configurable": false,
      "required": false
    },

So that field is now not required and doesn’t have to be unique - passing an empty string works fine.

So right now I have a problem only with the password.
How do I disable the password field? Or how do I not require a password field in registration?
I don’t want users to be able to log in using credentials.
I want logging in to be available only via a link sent to the email address.

5 Likes

I haven’t found any rational way to achieve users logging in via email link without a password.
I ended up creating my own backend API instead of using Strapi.

1 Like

This is an old question, but I wanted to do the same thing, and used the afterCreate lifecycle to clear the password. So first I created the user with some random password, then cleared the password:

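      // Assumes `const axios = require('axios');` at the top of this file.
      async afterCreate(data) {
        // Clear the password of the newly created user through the REST API
        await axios.put(`${process.env.STRAPI_URL}/api/users/${data.result.id}`, { data: { password: '' } }, {
          headers: {
            // Token allowed to update users, read from the environment
            'Authorization': `Bearer ${process.env.ADMIN_TOKEN}`
          }
        });
      },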

What about allowing users to log in using only their email address and login token sent to their email?

Getting rid of requesting passwords is just a small portion of the problem.

Also, clearing the password doesn’t create a security hole to allow you to log in via API for any account, right?

Ah, maybe my use case is a little different. I’m using Strapi Passwordless to log in.

I was migrating users over from WordPress, so I was having issues creating users with Strapi’s REST API - it was complaining there is no password.

That plugin looks promising. Thanks for the link!

1 Like
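The email-link login this thread asks about comes down to issuing a random token, keeping only its hash on the server, and accepting it once before it expires. The sketch below is an added example, not code from any poster, Strapi, or the Passwordless plugin; the in-memory `pending` store, the 15-minute lifetime, and the function names are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed lifetime of a login link
const pending = new Map();           // hypothetical store: email -> { hash, expiresAt }

const sha256 = (value) => crypto.createHash('sha256').update(value).digest();

// Create the token that goes into the emailed link. Only its hash is stored,
// so a leaked database row cannot be replayed as a login link.
function issueLoginToken(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits, unguessable
  pending.set(String(email).toLowerCase(), {
    hash: sha256(token),
    expiresAt: now + TOKEN_TTL_MS,
  });
  return token;
}

// Returns true exactly once for a valid, unexpired token. On success the
// caller would issue the JWT; on failure it should answer generically.
function redeemLoginToken(email, token, now = Date.now()) {
  const key = String(email).toLowerCase();
  const record = pending.get(key);
  if (!record || typeof token !== 'string') return false;
  if (now > record.expiresAt) {
    pending.delete(key); // expired links are purged, never accepted
    return false;
  }
  // Both buffers are 32-byte digests, so timingSafeEqual never throws here.
  const matches = crypto.timingSafeEqual(record.hash, sha256(token));
  if (matches) pending.delete(key); // single use: a replayed link fails
  return matches;
}
```

In a real deployment the store would be a database table, and the redeem endpoint would be rate limited per email address and per client.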