Guest Login

Overview

Guest login lets users start with an anonymous session, then upgrade later by linking email/Google. This avoids friction while keeping security boundaries.

Endpoint

POST /auth/guest/start → creates a guest user and returns a JWT.

Pseudocode

const startGuest = async (req, res) => {
  const user = await createGuestUser({ origin: req.headers['x-origin'] });
  const token = issueJwt({ sub: user.id, guest: true, exp: days(1) });
  return res.json({ token, user });
};

Data Model

users.is_guest = true for guest accounts.
Stateless auth: no sessions table. Use JWT claims to mark guest.
users.normalized_email = NULL for guests; uniqueness only applies to non-guests.

Upgrade Path

Convert guest to registered on first successful email/Google login:
- Set is_guest=false, fill email/normalized_email.
- Link identities if provider login is used.

Limitations

Restrict scopes/permissions for guests.
Shorter JWT TTLs and optional Redis blacklist for revocation.
Audit guest actions (event logs) for later account linking.

Overview​

Endpoint​

Pseudocode​

Data Model​

Upgrade Path​

Limitations​

Overview

Endpoint

Pseudocode

Data Model

Upgrade Path

Limitations