Build custom AI powered apps for your Circle community members with fine grained access control.
This is the perfect foundation for creating member exclusive tools, AI applications, or premium features that only your authenticated, paid, or specifically tagged members can access. Whether you want to build:
- π€ AI Content Generators (GPT powered tools, image generators, etc.)
- π οΈ Premium Member Tools (calculators, analyzers, custom utilities)
- π Member Only Dashboards (analytics, reports, exclusive content)
- π‘ Interactive Features (quizzes, assessments, personalized experiences)
This app provides the authentication backbone, credit system, and member management you need.
- Deploy this app to your server with your Circle API credentials
- Create a new post in your Circle community
- Add the embed code to the post's Custom HTML field (see screenshot below)
Your members can then access your custom app directly within Circle, with automatic authentication and credit management.
Here's an example of how the embedded AI app appears to your Circle members:
The app automatically:
- β Authenticates the member
- π³ Shows their credit balance
- π€ Displays member info
- π Tracks credit refresh dates
- π― Provides admin access
A secure, enterprise grade embedded authentication application for Circle.so communities that provides automatic member authentication using Circle's Headless API with built-in credit management and comprehensive database integration.
Important: This application requires a Circle Business Plan or above to access both the Headless Auth API and Admin API functionality. These APIs are not available on Starter or Basic plans.
- π Automatic Member Authentication: Seamlessly authenticates Circle members using multiple detection methods
- π‘οΈ Enterprise Security: Multi layered security architecture preventing unauthorized access
- π Headless API Integration: Full integration with Circle's enterprise Headless Auth API
- π·οΈ Admin API Integration: Automatic management of member tags and purchase processing
- π« Iframe Enforcement: Configurable requirement for embedding within Circle communities only
- β CORS & Origin Validation: Comprehensive request validation and origin checking
- π Multiple Auth Fallbacks: 10+ methods to extract and verify member data
- π PostgreSQL Database: Full member data synchronization and persistent storage
- π³ Advanced Credit System: Automated credit allocation, monthly refreshes, and usage tracking
- π° Purchase Tag Processing: Automatic detection and processing of numeric purchase tags ($10, $50, etc.)
- π₯ Paid Member Detection: Automatic identification of premium members via configurable tags
- π Action Logging: Complete audit trail of all member actions and credit transactions
- π¨ Admin Panel: Built in administrative interface for member and credit management
- π± Responsive Design: Optimized for all devices and screen sizes (desktop and mobile web browsers - note: custom HTML embeds have limitations in Circle's mobile app)
- π Real-time Sync: Automatic database synchronization on authentication
- π― PostMessage Communication: Secure cross-origin data exchange
- π³ Docker Support: Production ready containerization with Docker Compose
- π Comprehensive Logging: Detailed debugging and monitoring capabilities
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Circle Community β
β βββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Circle Member (Browser) β β
β β β β
β β ββββββββββββββββ ββββββββββββββββ β β
β β β window. βββββββββΆβ Iframe β β β
β β β circleUser β β (Your App) β β β
β β ββββββββββββββββ ββββββββββββββββ β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ PostMessage
βββββββββββββββββββββ
β Express Server β
β (server.js) β
βββββββββββββββββββββ
β
βββββββββββ΄βββββββββββ
βΌ βΌ
ββββββββββββββββββββ βββββββββββββββββββββ
β Circle Headless β β PostgreSQL DB β
β Auth API β β - members β
ββββββββββββββββββββ β - credits β
β - actions β
β - history β
βββββββββββββββββββββ
- Circle Business Plan or higher (required for API access)
- Node.js 14+ and npm
- Docker and Docker Compose (recommended for production)
- PostgreSQL 15+ (included in Docker setup)
- A Circle community with custom HTML support enabled
git clone https://github.com/Creator-Magic/circle-member-app.git
cd circle-member-appnpm installCopy .env.example to .env and configure with your values:
cp .env.example .env# ============================================
# CIRCLE API CONFIGURATION
# ============================================
# CRITICAL: Must be "Headless Auth" token from Circle Developers
# Get from: Circle Admin β Developers β Tokens β Create Token (type: Headless Auth)
# Requires Circle Business Plan or higher
CIRCLE_API_TOKEN=your_headless_auth_token_here
# CRITICAL: Circle Admin API token for managing tags
# Get from: Circle Admin β Developers β Tokens β Create Token (type: Admin API)
# Required for automatic purchase tag removal
# Requires Circle Business Plan or higher
CIRCLE_ADMIN_API_TOKEN=your_admin_api_token_here
# Your Circle community domain (without protocol)
CIRCLE_COMMUNITY_DOMAIN=your-community.circle.so
# ============================================
# APPLICATION CONFIGURATION
# ============================================
# Your application's public domain
APP_DOMAIN=your-app.example.com
# Allowed origins for CORS (comma-separated)
ALLOWED_ORIGINS=https://your-community.circle.so,https://your-app.example.com
# Application port
PORT=8080
# ============================================
# MEMBER CONFIGURATION
# ============================================
# Tags that identify paid/premium members (comma-separated)
PAID_MEMBER_TAGS=paid,premium,subscriber,member,vip,pro,business
# ============================================
# DATABASE CONFIGURATION
# ============================================
POSTGRES_DB=circle_app
POSTGRES_USER=circle_user
POSTGRES_PASSWORD=your_super_secure_password_here
DATABASE_URL=postgres://circle_user:your_super_secure_password_here@db:5432/circle_app
# ============================================
# CREDIT SYSTEM CONFIGURATION
# ============================================
# Initial credits granted to new members
INITIAL_CREDITS_FREE=10
INITIAL_CREDITS_PAID=100
# Monthly credit refresh amounts
MONTHLY_CREDITS_FREE=10
MONTHLY_CREDITS_PAID=100
# ============================================
# SECURITY CONFIGURATION
# ============================================
# Production security settings (set to true for production)
REQUIRE_IFRAME=true # Enforce iframe embedding
DISABLE_EMAIL_ONLY_AUTH=true # Disable insecure email-only auth
# Environment mode
NODE_ENV=production# Start all services (app + database)
docker compose up -d
# Initialize database schema
docker cp database/schema.sql $(docker compose ps -q db):/schema.sql
docker compose exec db psql -U circle_user -d circle_app -f /schema.sql
# View logs
docker compose logs -f- Log in to your Circle community admin panel
- Navigate to Developers β Tokens
- Click Create Token
β οΈ IMPORTANT: Select type "Headless Auth" (NOT "API Token")- Name your token (e.g., "Member App Authentication")
- Copy the generated token to
CIRCLE_API_TOKENin your.envfile
- In the same Developers β Tokens section
- Click Create Token again
- Select type "Admin API"
- Name your token (e.g., "Tag Management")
- Copy the generated token to
CIRCLE_ADMIN_API_TOKENin your.envfile
Note: Both tokens require Circle Business Plan or higher. Regular API tokens will NOT work.
Update circle-embed.html with your app domain:
const ALLOWED_APP_ORIGIN = 'https://your-app-domain.com';- Navigate to your Circle community
- Create a new post (or edit an existing one)
- Click the settings cog in the post editor
- Scroll down to "Custom HTML" field (see screenshot above)
- Copy and paste the complete contents of your configured
circle-embed.htmlfile
The Custom HTML field allows you to embed your app directly into Circle posts, making it accessible to your community members with seamless authentication.
The circle-embed.html file includes:
<!-- Your app iframe -->
<iframe
id="circle-member-app"
src="https://your-app-domain.com"
width="100%"
height="600"
frameborder="0"
style="border-radius: 12px; box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);">
</iframe>
<script>
// Complete authentication script that:
// - Extracts Circle member data from window.circleUser
// - Handles multiple authentication fallback methods
// - Communicates securely with your app via PostMessage
// - Provides real-time member authentication
</script>- Save/publish your post
- View the post as a member to test authentication
- Check browser console for authentication logs
- Verify member data is correctly passed to your app
The application uses PostgreSQL with the following core tables:
circle_member_id: Unique Circle member identifieremail: Member's email addressname: Member's display nameavatar_url: Profile picture URLis_paid: Boolean indicating premium statustags: JSON array of member tagsfirst_seen_at: First authentication timestamplast_seen_at: Most recent activity
member_credits: Current credit balances and refresh trackingapp_actions: Log of all credit-consuming actionscredit_history: Complete audit trail of credit changes
- Timestamp tracking on all records
- Foreign key constraints for data integrity
- Optimized indexes for query performance
- JSONB support for flexible metadata storage
- Automatic credit history logging via triggers
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/config |
Returns client configuration |
| POST | /api/auth |
Authenticates member and syncs to database |
| POST | /api/auth/cookies |
Cookie-based authentication fallback |
| GET | /api/member/check |
Validates current session |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/credits/:circle_member_id |
Get current credit balance |
| POST | /api/credits/spend |
Consume credits for an action |
| GET | /api/credits/:circle_member_id/history |
Transaction history |
| GET | /api/actions/:circle_member_id |
Member's action log |
| Method | Endpoint | Description |
|---|---|---|
| GET | /admin |
Admin panel interface |
| GET | /api/admin/members |
List all members |
| POST | /api/admin/credits/grant |
Manually grant credits |
| GET | /api/admin/stats |
System statistics |
-
Initial Allocation: New members receive credits based on membership type
- Free members: Configurable via
INITIAL_CREDITS_FREE - Paid members: Configurable via
INITIAL_CREDITS_PAID
- Free members: Configurable via
-
Monthly Refresh: Automatic credit replenishment after 30 days
- Credits are added to existing balance (not replaced)
- Configurable amounts for free and paid tiers
-
Purchase Tags: Automatic processing of numeric tags
- Detects tags like "$10", "$50", "$100" or "10", "50", "100"
- Credits are immediately added to member balance
- Tags are automatically removed via Admin API
- Perfect for one-time credit purchases
-
Usage Tracking: All credit consumption is logged with:
- Action type and cost
- Timestamp and metadata
- Complete audit trail
// Spending credits for a feature
const response = await fetch('/api/credits/spend', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
circle_member_id: member.id,
action_type: 'generate_content',
credits_cost: 10,
metadata: {
feature: 'ai_generation',
prompt: 'User prompt here',
model: 'gpt-4'
}
})
});
if (response.status === 402) {
alert('Insufficient credits! Please wait for monthly refresh.');
} else if (response.ok) {
const result = await response.json();
console.log(`Credits remaining: ${result.credits_remaining}`);
}-
Environment Based Configuration
- All sensitive data stored in
.envfiles - Never commit secrets to version control
- All sensitive data stored in
-
CORS Protection
- Strict origin validation
- Configurable allowed domains
- Credential support for secure cookies
-
Iframe Enforcement
- Optional requirement for embedding
- Prevents direct access to application
- Validates parent window origin
-
Authentication Security
- Headless API token validation
- Referrer header verification
- PostMessage origin checking
- Session token management
-
Database Security
- Prepared statements prevent SQL injection
- Connection pooling for performance
- Transaction support for data integrity
- Automatic rollback on errors
services:
app:
build: .
ports:
- "8080:8080"
env_file: .env
depends_on:
- db
restart: always
db:
image: postgres:15-alpine
environment:
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
volumes:
- postgres_data:/var/lib/postgresql/data
- ./database/schema.sql:/docker-entrypoint-initdb.d/schema.sql
restart: always
volumes:
postgres_data:# Production deployment
NODE_ENV=production docker compose up -d
# View logs
docker compose logs -f app
# Database backup
docker compose exec db pg_dump -U circle_user circle_app > backup.sql
# Database restore
docker compose exec db psql -U circle_user circle_app < backup.sql
# Stop services
docker compose down- Solution: Upgrade to Circle Business Plan for API access
- Cause: Using wrong token type
- Solution: Ensure you're using a "Headless Auth" token, not a regular API token
- Cause: Domain not in allowed origins
- Solution: Add your domain to
ALLOWED_ORIGINSin.env
- Cause: Direct access when iframe is required
- Solution: Access through Circle community or set
REQUIRE_IFRAME=falsefor development
- Cause: PostgreSQL not running or misconfigured
- Solution: Check
DATABASE_URLand ensure PostgreSQL is running
- Cause: Member doesn't exist or API issue
- Solution: Verify member exists in Circle and token has proper permissions
- Cause: Less than 30 days since last refresh
- Solution: Wait for monthly refresh period or manually grant credits via admin panel
Set in .env:
DEBUG=true
LOG_LEVEL=verboseLook for:
=== CIRCLE MEMBER DATA EXTRACTION ====== POSTMESSAGE RECEIVED ===β Authentication successful!- Credit balance updates
Monitor with:
docker compose logs -f app | grep -E "(AUTH|CREDIT|ERROR)"NODE_ENV=development
REQUIRE_IFRAME=false
DISABLE_EMAIL_ONLY_AUTH=false
DEBUG=trueNODE_ENV=production
REQUIRE_IFRAME=true
DISABLE_EMAIL_ONLY_AUTH=true
DEBUG=false- Always use HTTPS in production environments
- Rotate API tokens regularly for security
- Monitor credit usage for unusual patterns
- Backup database regularly
- Review logs for failed authentication attempts
- Update dependencies to patch security vulnerabilities
- Use strong passwords for database access
- Implement rate limiting for API endpoints
- Set up monitoring for system health
- Document custom modifications for maintenance
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Ensure all tests pass
- Submit a pull request
MIT License - See LICENSE file for details
- Circle Platform: Circle.so
- Documentation: Check
/AGENTS.mdfor detailed technical documentation - Issues: Open an issue on GitHub
- Community: Join the Circle community for discussions
Built for the Circle.so community platform to enhance member experiences with secure authentication and credit management.
This project was created as part of Creator Magic Premium members working together to make cool things with AI in our Vibe Coding Lab.
The Vibe Coding Lab is a community led initiative where premium members collaborate on open source projects, share knowledge, and build innovative tools together. It's a space for creators to:
- π€ Collaborate on real-world projects
- π§ Share knowledge and learn from each other
- π οΈ Build tools that solve actual problems
- π Experiment with AI and emerging technologies
Want to be part of building the next generation of creator tools? Join us at Creator Magic Premium and participate in our collaborative coding sessions!
Remember: This application requires a Circle Business Plan or above for API access. Both the Headless Auth API and Admin API are not available on Starter or Basic plans.
The app automatically detects and processes numeric tags for one time credit purchases:
-
Tag Detection: When a member authenticates, the app checks for numeric tags:
- Format: "$10", "$50", "$100" (with dollar sign)
- Format: "10", "50", "100" (without dollar sign)
-
Credit Addition: The numeric value is added to the member's credit balance
-
Tag Removal: The tag is automatically removed from Circle using the Admin API
-
Audit Logging: All transactions are logged in the database
-
Configure Admin API Token in
.env:CIRCLE_ADMIN_API_TOKEN=your_admin_api_token_here
-
Create Purchase Tags in Circle:
- Go to Circle Admin β Members β Tags
- Create tags like "$10", "$50", "$100"
- Apply these tags when members make purchases
-
Integration with Payment Systems:
- Use Circle's Zapier integration to apply tags after payment
- Or manually apply tags after processing payments
- Tags are processed immediately on next member authentication
- Member purchases 50 credits through your payment system
- Your system (or manually) applies the "$50" tag in Circle
- Member logs into the app
- App detects the "$50" tag
- 50 credits are added to member's balance
- The "$50" tag is automatically removed from Circle
- Transaction is logged for audit purposes
This system allows for flexible, one time credit purchases without requiring a separate payment integration in the app itself.