Guest authentication
Guest authentication creates temporary users with no username or password. Users can use the app immediately, and you can require full registration later if needed.
Prerequisites
Before using guest authentication, ensure the following settings are enabled on the application:
- Enable signup — Guest user creation requires signup to be allowed.
- Enable guest signin — The explicit toggle that permits the guest-user code flow. Without it, the token endpoint returns invalid_grant.
Both settings are found on the application edit page under the Authentication tab. Guest authentication is not available for the built-in organization.
Creating a guest user
POST to the token endpoint with the special code guest-user:
POST https://<CASDOOR_HOST>/api/login/oauth/access_token
Request Body:
{
  "grant_type": "authorization_code",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "code": "guest-user"
}
The code "guest-user" is a Casdoor extension that creates a guest user instead of completing the normal OAuth code flow.
Response:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 10080,
  "scope": "openid"
}
Casdoor creates a user with: username guest_<uuid>, a random password, and tag guest-user.
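The request above as a backend helper, written as an added example that is not part of the Casdoor documentation or code base. It separates the invalid_grant reply described under Prerequisites from other failures; the function names, the exception class and the OAuth-style error body shape ({"error": ..., "error_description": ...}) are assumptions.

```python
import json
import urllib.error
import urllib.request

GUEST_CODE = "guest-user"  # special code documented on this page

class GuestSigninDisabled(Exception):
    """Token endpoint answered invalid_grant for the guest-user code."""

def build_guest_request(host, client_id, client_secret):
    """Return (url, JSON body) for the guest-user token request."""
    url = f"https://{host}/api/login/oauth/access_token"
    body = {"grant_type": "authorization_code", "code": GUEST_CODE,
            "client_id": client_id, "client_secret": client_secret}
    return url, body

def parse_token_response(payload):
    """Validate the token endpoint's JSON reply and return it unchanged."""
    # Assumption: errors use the OAuth 2.0 shape {"error", "error_description"}.
    if payload.get("error") == "invalid_grant":
        raise GuestSigninDisabled(payload.get("error_description", "invalid_grant"))
    if "error" in payload:
        raise RuntimeError(f"token endpoint error: {payload['error']}")
    missing = [k for k in ("access_token", "token_type", "expires_in") if k not in payload]
    if missing:
        raise ValueError(f"token response missing fields: {missing}")
    if payload["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type: {payload['token_type']}")
    return payload

def http_post_json(url, body):
    """Default transport: POST JSON and decode the JSON reply, also on HTTP 4xx."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # error replies still carry a JSON body

def create_guest_user(host, client_id, client_secret, post=http_post_json):
    """Call from the backend only: the request body carries client_secret."""
    url, body = build_guest_request(host, client_id, client_secret)
    return parse_token_response(post(url, body))
```

Catching GuestSigninDisabled lets the application fall back to the regular sign-up page when the guest signin toggle is off.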
Upgrading to a normal user
When the user sets or changes their username (to something not starting with guest_) or sets a password via the user update API, they are upgraded: the tag becomes normal-user and they can use normal sign-in.
Restrictions
Guest users cannot sign in via the normal login page until they upgrade (set a real username or password).