Home

Login With Magic Link

Magic links are a form of passwordless logins where users click on a link sent to their email address to log in to their accounts. Magic links only work with email addresses and are one-time use only. By default, a user can only request a magic link once every 60 seconds and they expire after 24 hours.

Set up Magic Link logins for your Supabase application.

  • Enable the email provider in your Supabase Project
  • Configure the Site URL and any additional redirect URLs in the authentication management tab.
  • The Site URL represents the default URL that the user will be redirected to after clicking on the email signup confirmation link.
  • If a user has not signed up yet, signing in with a magic link will automatically sign up the user. To prevent users from signing up through magic links, you can set the shouldCreateUser option to false.

caution

When using Magic Links in the PKCE Flow, keep in mind that links can only be opened from the same browser that they are sent from (as defined in the PKCE spec). Consequently, a magic link sent from Chrome on Desktop will be invalid if used on a Mobile Device.

When your user signs in, call signInWithOtp() with their email address:


_10
async function signInWithEmail() {
_10
const { data, error } = await supabase.auth.signInWithOtp({
_10
email: 'example@email.com',
_10
options: {
_10
// set this to false if you do not want the user to be automatically signed up
_10
shouldCreateUser: false,
_10
emailRedirectTo: 'https://example.com/welcome',
_10
},
_10
})
_10
}

When your user signs out, call signOut() to remove them from the browser session and any objects from localStorage:


_10
async function signOut() {
_10
const { error } = await supabase.auth.signOut()
_10
}

Resources#

© Supabase IncContributingAuthor StyleguideOpen SourceSupaSquad