Authentication

Securing access to your Refgrow instance and affiliate dashboard

Overview

Refgrow provides multiple authentication options to meet your security requirements and integrate with your existing user systems. This guide explains how to implement authentication for both program administrators and affiliates.

Administrator Authentication

Standard Email/Password Login

Refgrow offers a built-in authentication system for program administrators:

  1. Email and password credentials
  2. Two-factor authentication (2FA) for enhanced security
  3. Password reset functionality

This is the default authentication method used when you create your Refgrow account.

Social Authentication

Connect your Refgrow administrator account with popular OAuth providers:

  • Google
  • GitHub

To enable social authentication:

  1. Go to your account settings
  2. Navigate to the "Authentication" tab
  3. Select the social providers you want to enable
  4. Follow the prompts to connect your accounts

Two-Factor Authentication (2FA)

Enable 2FA for an extra layer of security on your Refgrow administrator account:

  1. Go to your account settings
  2. Navigate to the "Security" tab
  3. Click "Enable 2FA"
  4. Scan the QR code with an authenticator app like Google Authenticator or Authy
  5. Enter the verification code to confirm setup
  6. Save your backup codes in a secure location

Once enabled, you'll need to enter both your password and a time-based one-time password (TOTP) from your authenticator app when logging in.

Affiliate Authentication

Standalone Authentication

If you're using Refgrow's standalone affiliate dashboard, affiliates can use:

  • Email and password registration
  • Magic link authentication (passwordless login via email)

This is ideal for programs where affiliates don't have accounts in your main application or when you're using Refgrow as a separate affiliate system.

Integrating with Your Existing User System

If you already have users in your application, you can integrate Refgrow with your existing authentication:

JWT Authentication

Pass a JSON Web Token (JWT) when embedding the Refgrow affiliate dashboard:

<div 
  id="refgrow-affiliate-dashboard"
  data-program-id="YOUR_PROGRAM_ID"
  data-program-email="user@example.com"
  data-auth-token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
></div>

<script src="https://cdn.refgrow.com/js/affiliate-dashboard.js"></script>

The JWT should include:

  • email: The affiliate's email address
  • name: The affiliate's display name
  • exp: Expiration timestamp

Sign the JWT with your Refgrow API secret from your program settings.

Setting Up a Custom Authentication Endpoint

For advanced integration, you can set up a custom authentication endpoint:

  1. Create an API endpoint in your application that validates user credentials
  2. Configure this endpoint in your Refgrow program settings under "Authentication"
  3. Refgrow will call this endpoint when affiliates attempt to log in

Your endpoint should:

  • Accept POST requests with username/password or token
  • Return a JSON response with authentication status and user details
  • Include proper CORS headers if your application and Refgrow are on different domains

Example Endpoint Response:

{
  "success": true,
  "user": {
    "email": "affiliate@example.com",
    "name": "John Doe",
    "id": "user_12345",
    "customData": {
      "accountType": "premium",
      "joinedDate": "2023-01-15"
    }
  }
}
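As an added example (not Refgrow's own code), here is a custom authentication endpoint in the shape described above: it accepts POST requests carrying either username/password or a token, answers the CORS preflight, and returns the JSON structure shown. The user store, the token table, the allowed origin and the failure-response shape ("success": false plus an "error" code) are assumptions made for the example; the page does not specify them.

```python
# Added example, not Refgrow's code. Assumptions: an in-memory user store,
# a bearer-token table, a placeholder allowed origin, and a failure response
# of {"success": false, "error": "..."}.
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption/placeholder: the origin Refgrow calls this endpoint from.
ALLOWED_ORIGIN = "https://YOUR-REFGROW-ORIGIN"
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: one affiliate with a salted PBKDF2 password hash.
_SALT = b"constructed-static-salt"
USERS = {
    "affiliate@example.com": {
        "id": "user_12345",
        "name": "John Doe",
        "salt": _SALT,
        "password_hash": _hash_password("correct horse battery staple", _SALT),
        "customData": {"accountType": "premium", "joinedDate": "2023-01-15"},
    }
}
# Constructed opaque tokens issued by "your application", mapped to users.
TOKENS = {"tok_constructed_abc123": "affiliate@example.com"}


def _cors_headers() -> dict:
    # Only the configured Refgrow origin is allowed, never "*" for an auth endpoint.
    return {
        "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
        "Access-Control-Allow-Methods": "POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
        "Content-Type": "application/json",
    }


def authenticate(body: dict):
    """Return the user details for valid credentials, else None.
    Accepts {"token": ...} or {"username": ..., "password": ...}."""
    if "token" in body:
        email = TOKENS.get(str(body["token"]))
    else:
        email = str(body.get("username", ""))
        user = USERS.get(email)
        if user is None:
            # Hash anyway so response time does not reveal whether the account exists.
            _hash_password(str(body.get("password", "")), _SALT)
            return None
        candidate = _hash_password(str(body.get("password", "")), user["salt"])
        if not hmac.compare_digest(candidate, user["password_hash"]):
            return None
    if email is None:
        return None
    user = USERS[email]
    return {"email": email, "name": user["name"], "id": user["id"],
            "customData": user["customData"]}


def handle_request(method: str, body_text: str):
    """Framework-independent core: returns (status, headers, body_dict)."""
    headers = _cors_headers()
    if method == "OPTIONS":  # CORS preflight from the browser
        return 204, headers, {}
    if method != "POST":
        return 405, headers, {"success": False, "error": "method_not_allowed"}
    try:
        body = json.loads(body_text or "{}")
        if not isinstance(body, dict):
            raise ValueError("body must be a JSON object")
    except ValueError:
        return 400, headers, {"success": False, "error": "bad_request"}
    user = authenticate(body)
    if user is None:
        return 401, headers, {"success": False, "error": "invalid_credentials"}
    return 200, headers, {"success": True, "user": user}


class AuthHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle_request for local testing."""

    def _reply(self, method: str) -> None:
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length).decode() if length else ""
        status, headers, body = handle_request(method, raw)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        if status != 204:
            self.wfile.write(json.dumps(body).encode())

    def do_POST(self): self._reply("POST")
    def do_OPTIONS(self): self._reply("OPTIONS")
    def do_GET(self): self._reply("GET")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Run it and POST {"username": "affiliate@example.com", "password": "correct horse battery staple"} to http://127.0.0.1:8080/ to see the success document; an unknown account and a wrong password both return the same 401 body after the same hashing work, so the endpoint does not leak which affiliates exist.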

Security Best Practices

Use Strong Passwords

Encourage administrators and affiliates to use strong, unique passwords with a combination of uppercase and lowercase letters, numbers, and special characters.

Enable 2FA

Enable two-factor authentication for all administrator accounts and consider making it mandatory for enhanced security.

Regular Token Rotation

Regularly rotate your API keys and authentication tokens, especially if you suspect a security breach.

Set Short JWT Expiration

When using JWTs, set reasonable expiration times to limit the window of opportunity if a token is compromised.

Troubleshooting

JWT Authentication Issues

If affiliates can't log in with JWT authentication:

  1. Verify your JWT is properly signed with the correct secret key
  2. Ensure the JWT hasn't expired
  3. Check that all required claims (email, name, exp) are included
  4. Verify the email in the JWT matches the email in data-program-email

Custom Endpoint Authentication Failures
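The following is an added example (not Refgrow's own code) serving both the "JWT Authentication" section and the four checks listed above: it mints the HS256 token with the email, name and exp claims, signed with the program's API secret, and a diagnostic function reports which of the four conditions a failing token violates. The secret, email and name are constructed sample values; the 15-minute lifetime is a suggested default in the spirit of "Set Short JWT Expiration", not a value the page prescribes.

```python
# Added example, not Refgrow's code. Assumptions: HS256 (the "alg" in the
# sample token's header on this page), a constructed secret and a default
# 15-minute lifetime.
import base64
import hashlib
import hmac
import json
import time

REQUIRED_CLAIMS = ("email", "name", "exp")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def mint_affiliate_token(secret: str, email: str, name: str,
                         ttl_seconds: int = 900, now: int = None) -> str:
    """Build a compact HS256 JWT carrying the claims Refgrow expects.
    A short ttl limits the window if a token is ever captured."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"email": email, "name": name, "exp": now + ttl_seconds}
    head = _b64url(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signature = _sign(f"{head}.{body}".encode(), secret)
    return f"{head}.{body}.{_b64url(signature)}"


def diagnose_affiliate_token(token: str, secret: str, expected_email: str,
                             now: int = None) -> list:
    """Return troubleshooting findings for a token (empty list means healthy),
    in the order of the checklist: signature, expiry, required claims, and
    agreement between the email claim and data-program-email."""
    now = int(time.time()) if now is None else now
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    head, body, sig = parts
    try:
        presented = _b64url_decode(sig)
    except ValueError:
        presented = b""
    expected_sig = _sign(f"{head}.{body}".encode(), secret)
    if not hmac.compare_digest(presented, expected_sig):
        problems.append("signature does not verify with this secret")
    try:
        claims = json.loads(_b64url_decode(body))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:
        return problems + ["payload is not valid base64url JSON"]
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        problems.append("missing required claims: " + ", ".join(missing))
    if "exp" in claims and claims["exp"] <= now:
        problems.append(f"expired: exp={claims['exp']} but now={now}")
    if claims.get("email") != expected_email:
        problems.append("email claim does not match data-program-email")
    return problems


if __name__ == "__main__":
    secret = "constructed-test-secret"  # use the API secret from program settings
    tok = mint_affiliate_token(secret, "affiliate@example.com", "John Doe")
    print(tok)
    print(diagnose_affiliate_token(tok, secret, "affiliate@example.com"))
```

Put mint_affiliate_token on your server only and pass the result into data-auth-token; the secret must never reach the browser. diagnose_affiliate_token is meant for your own logs during integration, since it says precisely which item of the checklist failed rather than just "login failed".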

If your custom authentication endpoint isn't working:

  1. Check your server logs for detailed error information
  2. Verify CORS headers are properly set if needed
  3. Ensure your endpoint returns the expected JSON structure
  4. Test the endpoint directly with a tool like Postman

2FA Issues

If you're having trouble with two-factor authentication:

  1. Ensure your device's time is correctly synchronized
  2. Try using your backup codes if you can't access your authenticator app
  3. Contact support if you've lost access to both your authenticator app and backup codes

Next Steps