Authentication

Last updated: 04/17/2026 · Written by Agent0

StackCTL ships with a complete authentication system out of the box. There's nothing to build — registration, login, logout, password reset, email verification, multi-factor authentication, remember me, and user profiles are all included and working from day one.

Everything is controlled through a single config file: config/auth.php. Most features are a one-line toggle.


What's Included

  • Built-in Auth — Registration, login, logout, and password reset — fully functional with validation, session management, and secure password hashing
  • Email Verification — Require new users to verify their email address before accessing the app
  • Remember Me — Let users stay logged in across browser sessions via a secure persistent cookie
  • Multi-Factor Authentication (MFA) — Add a second factor using email-based OTP codes, an app-based driver, or both (selected with mfa_driver), with optional trusted device support
  • User Profile — A built-in profile page where users can update their name, email, display name, password, and manage MFA

How It's Controlled

All auth features are toggled in config/auth.php. The relevant settings at a glance:

return [
    'allow_registration'     => true,   // Enable or disable public registration
    'verify_email'           => true,   // Require email verification on signup
    'remember_me'            => false,  // Enable "Remember Me" persistent login
    'mfa_enabled'            => false,  // Enable multi-factor authentication
    'mfa_driver'             => 'both', // 'email', 'app', or 'both'
    'mfa_expiration_minutes' => 5,      // How long MFA codes are valid
    'permissions'            => [],     // Role-based permission map
];

See the Configuration doc for a full description of every key.
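As an added illustration (not StackCTL's own code), the following shows how a setting such as mfa_expiration_minutes is typically applied to an email OTP: the code comes from a CSPRNG, only its hash is stored together with an expiry derived from the setting, and verification rejects expired, replayed or over-tried codes before doing a constant-time comparison. The function names, the in-memory $pending store standing in for a database row, and the fixed clock are assumptions made for this example; how StackCTL itself stores and checks codes is covered by the MFA doc in this section.

```php
<?php
declare(strict_types=1);

// Added example, not StackCTL's own code: issuing and checking an email OTP
// whose lifetime comes from mfa_expiration_minutes in config/auth.php.
// Function names, the in-memory $pending store and the fixed clock are
// assumptions made for this illustration.

// Subset of the config/auth.php keys shown on this page.
$config = [
    'mfa_enabled'            => true,
    'mfa_driver'             => 'email',
    'mfa_expiration_minutes' => 5,
];

// Hypothetical store for the pending challenge per user (hashed code,
// expiry, attempt counter, used flag). A real app keeps this in the database.
$pending = [];

function issueEmailOtp(array $config, array &$pending, int $userId, int $now): string
{
    // 6-digit code from a CSPRNG, zero-padded so "004217" keeps its length.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);

    $pending[$userId] = [
        // Store only a hash so a leaked table does not expose live codes.
        'hash'     => hash('sha256', $code),
        'expires'  => $now + $config['mfa_expiration_minutes'] * 60,
        'attempts' => 0,
        'used'     => false,
    ];
    return $code; // the caller emails this; it is never persisted in clear
}

function verifyEmailOtp(array &$pending, int $userId, string $submitted, int $now): bool
{
    if (!isset($pending[$userId])) {
        return false; // no challenge outstanding for this user
    }
    $challenge = $pending[$userId];

    // Expired or already-used codes are discarded before any comparison.
    if ($challenge['used'] || $now > $challenge['expires']) {
        unset($pending[$userId]);
        return false;
    }
    // A 6-digit code only resists brute force if guesses are capped.
    if (++$pending[$userId]['attempts'] > 5) {
        unset($pending[$userId]);
        return false;
    }
    // hash_equals() compares in constant time, so timing does not leak prefix matches.
    if (!hash_equals($challenge['hash'], hash('sha256', $submitted))) {
        return false;
    }
    $pending[$userId]['used'] = true; // single use: a replayed code fails
    return true;
}

// Demo with a fixed clock so the 5-minute window is visible.
$t0   = 1_700_000_000;
$code = issueEmailOtp($config, $pending, 42, $t0);

var_dump(verifyEmailOtp($pending, 42, '000000', $t0 + 10));      // wrong code
var_dump(verifyEmailOtp($pending, 42, $code, $t0 + 4 * 60));     // right code, inside the window
var_dump(verifyEmailOtp($pending, 42, $code, $t0 + 4 * 60 + 1)); // replay of a used code

$code = issueEmailOtp($config, $pending, 42, $t0);
var_dump(verifyEmailOtp($pending, 42, $code, $t0 + 6 * 60));     // past mfa_expiration_minutes
```

The attempt cap and the single-use flag are the two checks most often missing from home-grown OTP code: without them a 6-digit code is a small search space, and a code intercepted from an inbox stays valid until it expires.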


Routes

All auth routes are pre-registered in routes/web.php and ready to use:

GET  /register  → Registration form
POST /register  → Handle registration
GET  /login     → Login form
POST /login     → Handle login
GET  /logout    → Log out and redirect to /
GET  /forgot    → Forgot password form
POST /forgot    → Send reset email
GET  /reset     → Reset password form (token in URL)
POST /reset     → Handle password reset
GET  /verify    → Verify email (token in URL)
GET  /otp       → MFA code entry form
POST /otp       → Verify MFA code
GET  /profile   → User profile page
POST /profile   → Update profile details
POST /profile/password → Update password

You don't need to touch any of these to get started; they work as-is. One default worth a second look: /logout is a GET route, so any page the user visits can end their session with a plain link or image request. If that matters for your app, serve logout from a POST form instead. Each doc in this section explains what's happening under the hood and how to customize behaviour when needed.

Was this helpful?