Demo account credentials provided if login is required

Why it matters

Missing demo credentials is one of the top five App Store rejection causes for apps with authentication. Apple reviewers will not create an account, will not guess a password, and will not use Google or GitHub OAuth (they have no access to those identity providers). A submission that requires login without working demo credentials is rejected under Guideline 2.1 (App Completeness) within 24-48 hours, wasting a review cycle and pushing launch dates back by a week or more.

Remediation

Create a dedicated demo account in production (not staging), pre-load it with representative content, and document the credentials in REVIEW_NOTES.md at the repo root. Paste the same credentials into App Store Connect's "Notes for Reviewer" field on submission. If the only login method is Sign in with Apple or third-party OAuth, add an email/password fallback or a "Continue as Guest" mode — reviewers cannot authenticate otherwise.

## Demo Account
Email: demo@yourapp.com
Password: Reviewer2026!
Note: Account has sample data pre-loaded. No email verification required.

Detection

ID: app-store-metadata-listing.review-submission.demo-account
Severity: critical
What to look for: First, confirm whether the app requires login. Check for auth libraries (@supabase/supabase-js, firebase/auth, clerk, auth0-react-native, expo-auth-session, react-native-app-auth) or login screens (LoginScreen, SignInScreen, AuthScreen, login.tsx). If auth exists, check for demo credentials in: (a) fastlane/Deliverfile — look for a demo_account_user and demo_account_password field or a notes field containing credentials, (b) a REVIEW_NOTES.md, review-notes.txt, submission.md, or similar file in the project root containing a "Demo Account" section, (c) eas.json — some teams configure review notes in EAS Submit config. Credentials must be for an account that: is pre-created and active (not requiring an email verification step), has representative data loaded, has full app functionality accessible (not an account that triggers "invite required" or waitlist flows). If the app uses Sign in with Apple or Google OAuth exclusively, also check whether there is a documented fallback for reviewers (Apple reviewers cannot use Google OAuth; they need a direct email/password option or a "Guest" mode). Count every app feature that requires authentication and enumerate which are accessible via the demo account vs. which are locked.
Pass criteria: Demo credentials are documented in a file that would accompany the submission review notes; credentials appear valid (not placeholder like test@test.com / password); or the app does not require login. At least 1 implementation must be confirmed.
Fail criteria: App requires login and no demo credentials are found anywhere in the repository or documented; credentials are obvious placeholders (test@example.com, password123); the only login method is a third-party OAuth that reviewers cannot access. Do NOT pass if the demo account credentials are expired or the demo environment is inaccessible — reviewers will reject the submission.
Skip (N/A) when: App has no authentication — no login screen, no auth library dependency.
Cross-reference: The review-notes-quality check verifies the submission notes that should reference the demo account provided here.
Detail on fail: "App requires login (Supabase auth detected) but no demo account credentials found in REVIEW_NOTES.md, fastlane/Deliverfile, or any review notes file" or "Only login method is Google OAuth — Apple reviewers cannot authenticate without email/password fallback or guest mode".
Remediation: Missing demo credentials is one of the top five rejection causes for apps with authentication. Apple reviewers will reject rather than guess.
1. Create a dedicated demo account in your production environment (not sandbox/staging)
2. Pre-load the account with representative data — a blank account with no content doesn't show the app's value
3. Document the credentials in a REVIEW_NOTES.md file at the project root:
```
## Demo Account
Email: demo@yourapp.com
Password: [your password]
Note: Account has sample data pre-loaded. No email verification required.
```
4. Paste these same credentials into the "Notes for Reviewer" field in App Store Connect when submitting
5. If using Sign in with Apple exclusively, add an email/password option or implement a "Continue as Guest" mode that lets reviewers access the core features

Why it matters

Remediation

## Demo Account
Email: demo@yourapp.com
Password: Reviewer2026!
Note: Account has sample data pre-loaded. No email verification required.

Detection

ID: app-store-metadata-listing.review-submission.demo-account
Severity: critical
What to look for: First, confirm whether the app requires login. Check for auth libraries (@supabase/supabase-js, firebase/auth, clerk, auth0-react-native, expo-auth-session, react-native-app-auth) or login screens (LoginScreen, SignInScreen, AuthScreen, login.tsx). If auth exists, check for demo credentials in: (a) fastlane/Deliverfile — look for a demo_account_user and demo_account_password field or a notes field containing credentials, (b) a REVIEW_NOTES.md, review-notes.txt, submission.md, or similar file in the project root containing a "Demo Account" section, (c) eas.json — some teams configure review notes in EAS Submit config. Credentials must be for an account that: is pre-created and active (not requiring an email verification step), has representative data loaded, has full app functionality accessible (not an account that triggers "invite required" or waitlist flows). If the app uses Sign in with Apple or Google OAuth exclusively, also check whether there is a documented fallback for reviewers (Apple reviewers cannot use Google OAuth; they need a direct email/password option or a "Guest" mode). Count every app feature that requires authentication and enumerate which are accessible via the demo account vs. which are locked.
Pass criteria: Demo credentials are documented in a file that would accompany the submission review notes; credentials appear valid (not placeholder like test@test.com / password); or the app does not require login. At least 1 implementation must be confirmed.
Fail criteria: App requires login and no demo credentials are found anywhere in the repository or documented; credentials are obvious placeholders (test@example.com, password123); the only login method is a third-party OAuth that reviewers cannot access. Do NOT pass if the demo account credentials are expired or the demo environment is inaccessible — reviewers will reject the submission.
Skip (N/A) when: App has no authentication — no login screen, no auth library dependency.
Cross-reference: The review-notes-quality check verifies the submission notes that should reference the demo account provided here.
Detail on fail: "App requires login (Supabase auth detected) but no demo account credentials found in REVIEW_NOTES.md, fastlane/Deliverfile, or any review notes file" or "Only login method is Google OAuth — Apple reviewers cannot authenticate without email/password fallback or guest mode".
Remediation: Missing demo credentials is one of the top five rejection causes for apps with authentication. Apple reviewers will reject rather than guess.
1. Create a dedicated demo account in your production environment (not sandbox/staging)
2. Pre-load the account with representative data — a blank account with no content doesn't show the app's value
3. Document the credentials in a REVIEW_NOTES.md file at the project root:
```
## Demo Account
Email: demo@yourapp.com
Password: [your password]
Note: Account has sample data pre-loaded. No email verification required.
```
4. Paste these same credentials into the "Notes for Reviewer" field in App Store Connect when submitting
5. If using Sign in with Apple exclusively, add an email/password option or implement a "Continue as Guest" mode that lets reviewers access the core features

Demo account credentials provided if login is required

Why it matters

Severity rationale

Remediation

Detection

Taxons

History

Demo account credentials provided if login is required

Why it matters

Severity rationale

Remediation

Detection

Taxons

History