User Accounts
A DataCore Community account is what ties a plugin listing or bundle to an identifiable owner instead of a free-text "author" field, and lets you delete your own listings later.
Register / log in
Register with an email, username, and password (min. 8 characters) at the community site, or from the login prompt that appears the first time you try to post from the main Web UI. A session cookie is issued immediately — you can browse and even complete registration while unverified, but posting requires a verified email.
Email verification
Registering sends a verification email with a link like http://localhost:5273/verify-email?token=.... If the registry has no SMTP_HOST configured (the default for local/demo use), that email is instead written to a file in registry/data/outbox/ — read it with:
docker compose exec registry sh -c "cat data/outbox/*<your-email>*"and open the link inside. Configure SMTP_HOST/SMTP_PORT/SMTP_USER/SMTP_PASS/MAIL_FROM on the registry service for real delivery.
Password reset
"Forgot password?" on the login form sends a reset link the same way (real email or data/outbox/). The endpoint always returns success regardless of whether the email is registered, so it can't be used to check whether someone has an account.
GitHub sign-in
"Continue with GitHub" requires the operator to register their own OAuth App at https://github.com/settings/developers and set three environment variables on the registry service:
GITHUB_CLIENT_IDGITHUB_CLIENT_SECRETGITHUB_CALLBACK_URL(must exactly match the callback URL registered with GitHub, e.g.http://localhost:4001/api/v1/auth/github/callback)
Without these, the sign-in button returns a clear 501 GITHUB_OAUTH_NOT_CONFIGURED error rather than failing silently. A GitHub-authenticated account is treated as email-verified immediately, since the email came from GitHub itself.
Sessions
Sessions are a signed JWT in an httpOnly cookie, valid 30 days. Without a fixed JWT_SECRET set on the registry service, a random secret is generated on every container start — meaning every existing session is invalidated whenever the container restarts. Set JWT_SECRET to a fixed value for anything persistent.