Authentication Testing Checklist
Authentication is the front door to your application, and AI-generated auth code is frequently insecure or broken. From registration to password reset, every step must work correctly and securely. This checklist covers the complete authentication lifecycle.
Last updated: 2026-03-14
Registration
New users can create accounts successfully
Complete the registration flow with valid data and verify the account is created and accessible.
Duplicate email registration is rejected
Attempt to register with an already-used email and verify the app shows a clear error without revealing account existence.
Password strength requirements are enforced
Try weak passwords and verify they are rejected with clear guidance on what constitutes a strong password.
Email verification works if required
Register a new account and verify the verification email arrives, the link works, and the account is activated.
Registration form handles special characters
Register with names containing accents, apostrophes, and other special characters and verify they are stored correctly.
Login
Valid credentials grant access
Log in with correct email and password and verify access to the authenticated area of the application.
Invalid credentials show appropriate errors
Submit wrong passwords and non-existent emails and verify the error message does not reveal which field is wrong.
OAuth login works for all configured providers
Test login with each OAuth provider, such as Google or GitHub, and verify the account is created or linked correctly.
Remember me functionality works
Log in with remember me checked, close the browser, reopen it, and verify you remain authenticated.
Password Management
Password reset email is sent and received
Request a password reset and verify the email arrives within a reasonable time with a working reset link.
Reset tokens expire after use or timeout
Use a reset token, then try to use it again and verify it is rejected. Also verify unused tokens expire.
New password is enforced after reset
Reset a password and verify the old password no longer works while the new one grants access.
Password change from settings works
Change the password from the account settings page and verify the old password is invalidated.
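The token behaviour that "Reset tokens expire after use or timeout" checks for, as an added example (not code from this page or any particular framework): a minimal in-memory reset-token store in Python with the reuse and expiry checks replayed against it. The names ResetTokenStore and run_reset_token_checks, the 15-minute lifetime, and the sample address are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; substitute your app's policy


class ResetTokenStore:
    """In-memory stand-in for an app's reset-token table (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256(token) -> (email, expires_at); raw token never stored

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = (email, self._clock() + RESET_TTL_SECONDS)
        return token  # the raw token only travels in the emailed link

    def redeem(self, token):
        """Return the email for a valid token, else None. The row is always consumed."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.pop(digest, None)  # pop makes the token single-use
        if row is None:
            return None
        email, expires_at = row
        return email if self._clock() < expires_at else None


def run_reset_token_checks():
    """Replay the checklist steps against the store and report each outcome."""
    now = [1_000_000.0]  # fake clock, so expiry is tested without waiting
    store = ResetTokenStore(clock=lambda: now[0])

    used = store.issue("user@example.test")  # constructed sample address
    first = store.redeem(used)
    replay = store.redeem(used)  # second use of the same link

    stale = store.issue("user@example.test")
    now[0] += RESET_TTL_SECONDS + 1  # jump past the lifetime
    expired = store.redeem(stale)

    return {
        "first_use_accepted": first == "user@example.test",
        "replay_rejected": replay is None,
        "expired_rejected": expired is None,
        "unknown_rejected": store.redeem("not-a-real-token") is None,
    }
```

Against a real application the same four outcomes are what the manual test should observe; injecting the clock is what lets an automated suite cover expiry.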
Session Management
Sessions persist across page refreshes
Refresh the browser while logged in and verify you remain authenticated without being redirected to login.
Expired sessions redirect to login
Wait for a session to expire or manually invalidate it and verify the app redirects to the login page.
Logout clears all session data
Log out and verify that back-button navigation does not show authenticated content.
Concurrent sessions are handled appropriately
Log in from two browsers simultaneously and verify the app handles this according to your intended policy.
Protected routes redirect unauthenticated users
Access protected pages directly via URL while logged out and verify redirection to login with the return URL preserved.
Frequently Asked Questions
Should I build authentication myself or use a third-party service?
For AI-generated apps, using a third-party service like Clerk, Auth0, or Supabase Auth is strongly recommended. These services handle the complex security requirements that AI-generated custom auth code typically gets wrong.
How do I test OAuth without real social accounts?
Most OAuth providers offer test or sandbox modes. Google, GitHub, and others allow you to create test applications with restricted redirect URIs for development and testing purposes.