Start a new topic

Master Secret

Okay. I am sure this is a stupid question but I am a bit confused. In XE7 when I try to log in a new user I find I must have the master secret. But that would require it to be somewhere on the client side (bad). So is there a way to create a new user other than manually without this? Thanks.

Hi, you actually need to use the app secret rather than the master secret to create or log in users. Since the app secret has very limited privileges, storing it in the client should not pose a risk.
Hmmm. In XE7 I have the app secret but received a message that I needed the master secret. Will investigate further. Thanks.
Found the issue. Before the user can be created I need to see if they have a valid activation code in a data store collection. Is there any way to do this without a master secret since the user has not been officially signed in or created?
Hi, it sounds like a better approach might be to perform this check on the backend, using business logic, before the user is created. If you perform the activation code check on the client, then someone may be able to figure out a way to bypass the check. On the other hand, if you perform the check on the server, there would be no way for anyone to create a user who does not pass the requirements.

You could implement this functionality using an onPreSave collection hook -- for more information about business logic, please see
Perfect! Just wanted I need to know. Thanks so much for your help.
Login or Signup to post a comment