Authentication and sign-in

LocationNotes currently supports local accounts, Google sign-in, and Facebook sign-in across the website and the Android app. These flows all land in the same account system, so one account can link multiple providers and use any linked method later.

Register Log in Account security

Current sign-in methods

• Local email and password through ASP.NET Core Identity.
• Google OAuth.
• Facebook OAuth.

What authentication unlocks

• Syncing personal notes and categories with the server.
• Publishing public notes and appearing on public pages.
• Creating teams, joining teams, accepting invites, and managing team workspaces.
• Using account data export, team data export, account deletion, and account security pages.

Account creation rules

New LocationNotes accounts are offered only to users age 16 and older, and older where local law requires a higher minimum age. New-account creation, including first-time external sign-in that creates an account, requires acceptance of the current Terms of Service and Privacy Policy.

How external sign-in behaves

• If the provider already belongs to a LocationNotes account, the user is signed in to that account.
• If the provider email matches an existing LocationNotes account, LocationNotes links the provider to that account and signs the user in.
• If no matching account exists yet, the user completes the first-time registration flow before the account is created.
• The website login and register pages offer the same external providers so users do not need to guess which page to use first.

Linked accounts and security

LocationNotes keeps linked-provider management on the dedicated account security page. That page is where a signed-in user can change or add a local password, request a password-reset email, change the sign-in email address, and link or unlink Google or Facebook.

• If the account already has a password, LocationNotes requires the current password before unlinking a provider or changing email.
• If the account was created through Google or Facebook and no local password exists yet, the user must set one before unlinking that provider.
• If a password exists but the user does not remember it, the security page can send an email reset link first.
• Email changes are confirmed through a link sent to the new address before the account email is updated.

Public URLs for provider setup

Use these public-facing URLs when configuring Google and Meta developer consoles. These routes are intended to live on the same final production domain as the API and website.

• Homepage URL: https://locationnotes.com/en-US
• Privacy Policy URL: https://locationnotes.com/en-US/privacy
• Terms of Service URL: https://locationnotes.com/en-US/terms
• Support URL: https://locationnotes.com/en-US/support
• Delete Data URL: https://locationnotes.com/en-US/delete-data
• Facebook Data Deletion URL: https://locationnotes.com/en-US/facebook-data-deletion

Redirect URIs

• Google redirect URI: https://locationnotes.com/signin-google
• Facebook redirect URI: https://locationnotes.com/signin-facebook

Related user-facing pages

• Website register page: https://locationnotes.com/en-US/account/register
• Website login page: https://locationnotes.com/en-US/account/login
• Website account security page: https://locationnotes.com/en-US/account/security
• API bearer login docs: https://locationnotes.com/en-US/api-docs#authentication

If a provider is configured correctly but the flow still fails, use the support page and include the provider name, the exact callback URL shown in the browser, and the full error text. Do not send passwords or provider secrets in support messages.