Chapter 4 Authentication and User Management

With the Standard and Professional plans on, you can limit access to your application by enabling authentication. To enable authentication, navigate to the administrative interface, select the application to modify, and click on the Users tab.

Here is a sample application with the default visibility settings (Public):

Change the Application Visibility to Private and click on Save Settings. Changing the visibility of your application will require a restart of the application.

After the application is restarted, the Owner of the account and other members of the account will automatically be included in the list of authorized users. You can now add other authorized users by clicking the Invite User button and entering their email addresses in the subsequent dialog. These users will receive application invitations which will grant them access to the application after they follow the link in the email.

4.1 User authentication

Each user will receive an email from with an invitation to view your application. If a user does not already have an authenticated account on, they will be able to create one by authenticating through one of the following three methods:

  • Google authentication
  • GitHub authentication
  • authentication will prompt each visitor to your app for a username and password if they have not been authenticated. Only users who log in with valid credentials will be able to view or use the app.

Please note that if the invited user has a separate email address that already has a account associated with it, they can choose to log in with that account instead.

4.1.1 Google authentication

With Google authentication, the user can authenticate using the same authentication mechanism they use with their Gmail or Google Applications credentials. This relies on an OAuth 2.0 flow, and will use two-factor authentication if it is enabled.

4.1.2 GitHub authentication

Similar to Google authentication, users or publishers can use their GitHub credentials to authenticate their identities.

4.1.3 authentication

With authentication, the username and password information is stored in a database on This method is most suitable for users who do not have a Google or GitHub account. After ten unsuccessful login attempts using this username and password, a user will be prevented from logging in for twenty minutes.

4.1.4 Logging out

If you have a private application and would like to provide your users with the ability to log out, you can add a link anywhere in your application in the following format:

This will log the user out of the particular application, though they will still be logged into itself.

4.2 Understanding the mechanics of authentication

This section is written for users who are interested in how authentication works at a deeper level in

When an end user is prompted to authenticate for a private application, the following happens:

  1. The user will first authenticate against the service ( If the authentication is successful, a session cookie for called shinyapps_auth is created.

  2. Once the user is authenticated against the service, they can then authenticate against the application itself using the existing session for This sets another cookie called therealshinyapps for the specific application they are logging into.

These steps happen automatically when the end user clicks "Login" for a private application. The two login steps are necessary, because these cookies must be distinct between itself, and between applications hosted on

A user can log out of an application by visiting the URL: When the end user visits this URL, they are logged out of the application, but the session cookie for remains. Clicking "Login" will authenticate the user using the existing session without requiring the user to re-enter their password.

Since uses a session cookie, closing the window should require the user to re-authenticate with the next time they attempt to authenticate to an application. However, both Chrome and Firefox keep these session cookies around for longer than they should unless you disable this feature in the browser. See this thread for more information.

Regardless, you can always log out of the service itself by going to after you log out of your application.
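The following model is an added example, not code from the service: it reproduces the two-step login described above to show why logging out of an application alone still allows a password-free "Login", and how browser session restore keeps the service session alive after the window is closed. The class and method names, the token format, and the sample user are assumptions; only the cookie names `shinyapps_auth` and `therealshinyapps` come from this page.

```python
import secrets

SERVICE_COOKIE = "shinyapps_auth"   # service session cookie (name from this page)
APP_COOKIE = "therealshinyapps"     # per-application cookie (name from this page)

class Browser:
    def __init__(self, restores_sessions=False):
        self.jar = {}  # (scope, cookie name) -> token; constructed cookie jar
        self.restores_sessions = restores_sessions  # "restore previous session" setting

    def close(self):
        if not self.restores_sessions:  # session cookies are dropped on close otherwise
            self.jar.clear()

class HostingService:
    """Hypothetical model of the two-step login; not the service's real code."""
    def __init__(self, users):
        self.users = users            # {username: password}, constructed sample data
        self.service_sessions = {}    # token -> username
        self.app_sessions = {}        # (app, token) -> username

    def service_login(self, browser, username, password):
        # Step 1: authenticate against the service, then set the service cookie.
        stored = self.users.get(username)
        if stored is None or not secrets.compare_digest(stored, password):
            return False
        token = secrets.token_hex(16)
        self.service_sessions[token] = username
        browser.jar[("service", SERVICE_COOKIE)] = token
        return True

    def app_login(self, browser, app):
        # Step 2: no password; the service session is exchanged for an app cookie.
        user = self.service_sessions.get(browser.jar.get(("service", SERVICE_COOKIE)))
        if user is None:
            return None
        token = secrets.token_hex(16)
        self.app_sessions[(app, token)] = user
        browser.jar[(app, APP_COOKIE)] = token
        return user

    def app_logout(self, browser, app):  # clears only this application's cookie
        self.app_sessions.pop((app, browser.jar.pop((app, APP_COOKIE), None)), None)

    def service_logout(self, browser):   # ends the session that step 2 relies on
        self.service_sessions.pop(browser.jar.pop(("service", SERVICE_COOKIE), None), None)

    def can_view(self, browser, app):
        return (app, browser.jar.get((app, APP_COOKIE))) in self.app_sessions
```

On a shared machine, the state to verify after sign-off is that both cookies are gone, not only the application's.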