Skip to main content
Every Sherpo-generated site ships with a secure authentication layer by default, so your customers can log in, access their purchases, and manage their profile, all under your brand. You don’t need to wire up OAuth or manage sessions yourself: Sherpo handles it automatically for every site (e.g., yoursite.sherpo.io).

How customers log in

Entry points

Every Sherpo-generated site includes a Sign in button in the header. Once logged in, this button turns into a profile avatar linking to their dashboard.
Sherpo-generated site header
By default, visitors enter their email address and receive a secure code via email to complete the sign-in process. This is a passwordless flow: faster, simpler, and more secure on mobile.
Sherpo access code sent to the inbox

Google sign-in

Sherpo includes Google OAuth out of the box. Visitors can simply click Sign in with Google and complete the flow without leaving your site.
Authentication screen for Sherpo-generated site

Redirect behavior

Customers who log in with Google are automatically redirected to your site homepage after authentication. For example, if they were on demo.sherpo.io/course during login, they’ll land on demo.sherpo.io/ upon completing the process. This doesn’t happen to customers who log-in through email magic links.

Security and session management

  • All authentication flows are secured through Cloudflare, protecting against bots and spam logins.
  • Once logged in, users stay signed in across your Sherpo-generated site, until they log out or the session expires.
Unlike other platforms, customers who sign in to your Sherpo-generated site are not signed in to other Sherpo sites. They are 100% your customers, not ours, or anyone else’s.

FAQ

No. Google OAuth is currently built-in and active by default to maximize ease of access and reduce login friction.
No. For security reasons, Sherpo uses passwordless magic links for email-based login. Customers simply enter their email and receive a one-time code to confirm their identity.
Each login event is linked to a valid order, product access, or free unlock. You can then track authenticated customers in your Sales and Customers dashboard.
Never. Authentication is scoped to your domain (e.g., yoursite.sherpo.io). Each site has its own isolated user base, ensuring data privacy and ownership for every creator.
Sessions are persistent but device-specific. Customers logging in on a new device will need to reauthenticate via email or Google.
You can customize your site branding, logo, and accent colors: these apply automatically to the site. The structure of the authentication is not editable.
Sherpo never exposes account existence information. Users who enter a non-existent or incorrect email will simply not receive a code, keeping your user base private and protected.