Skip to main content

Account & Sessions

VeriWasp has no password field anywhere. Signing in is always:

  1. Enter your email on /login.
  2. Click Send magic link.
  3. Click the link that arrives by email within 15 minutes (it expires after that; just request a new one if you miss the window).

Login requests are rate-limited both per email address and per IP address, specifically so the login form can't be used to repeatedly spam an inbox that isn't yours. If you hit that limit, wait a few minutes before requesting another link.

Sessions

Once you click a valid magic link, a session cookie is set that keeps you signed in for 30 days. There's no separate "remember me" option; every session behaves the same way. Signing in again from a different browser or device doesn't invalidate your other sessions; you can be logged in from multiple places at once.

Log out (in the top nav, next to your email) clears your session cookie immediately on that browser. It doesn't affect any other active session you might have elsewhere.

Your account identity

Your account is identified purely by email address. There's no username, display name, or profile to configure. The credit balance shown in the top nav and the list of runs under My Runs are both scoped to your account; runs you create are never visible to anyone else's My Runs list (though anyone with a specific report's public link can view that one report; see Shareable Reports).

VeriWasp never automates logging into your app

This is worth stating explicitly and precisely, because it directly affects how you should write scenario steps (see the callout in Creating a Playtest Run). VeriWasp's own account system (described above) is completely separate from whatever authentication the app you're testing uses. There is currently no field anywhere in the run creation form to supply test credentials for your target app, and no automated way for a scenario to complete a real login flow that depends on receiving an email (a magic link, an OTP code, a password-reset link). A headless browser mid-run has no inbox to check.

Practically, this means:

  • Every run's browser session starts anonymous, exactly as if a stranger had just navigated to your target URL for the first time, with no cookies or prior session state.
  • A scenario can complete a normal password-based signup or login flow, since typing an email and password and clicking submit is just ordinary type/click steps. See the Sign up flow template in Scenario Templates for exactly this.
  • A scenario cannot complete any flow that depends on an external, out-of-band step, such as clicking a link sent to an inbox, receiving an SMS code, or approving a push notification, because nothing in the run has access to that external channel.
  • A step describing something that only exists for an already-logged-in user (an account settings page, a credit balance display, a personalized dashboard) will fail to resolve unless an earlier step in the same run actually completed a real, in-browser login first.

If your app's core flows are gated behind an auth method VeriWasp can't automate (SSO via an external identity provider, for instance), the parts of your app reachable without logging in (your marketing pages, signup form, and public-facing flows) are still fully testable. The deeper authenticated flows currently are not.