---
title: Phone Login
description: Learn about logging in to your platform using SMS one-time passwords.
---
Phone Login is a method of authentication that allows users to log in to a website or application without using a password. The user authenticates through a one-time code sent via SMS.
Users can also log in with their phones using Native Mobile Login with the built-in identity provider. For Native Mobile Login with Android and iOS, see the Social Login guides.
Phone OTP login can:
- Improve the user experience by not requiring users to create and remember a password
- Increase security by reducing the risk of password-related security breaches
- Reduce support burden of dealing with password resets and other password-related flows
Enable phone authentication on the Auth Providers page for hosted Supabase projects.
For self-hosted projects or local development, use the configuration file; see the configuration variables namespaced under `auth.sms`.
You also need to set up an SMS provider. Each provider has its own configuration. Supported providers include MessageBird, Twilio, Vonage, and TextLocal (community-supported).
By default, a user can request an OTP only once every `auth.rate_limits.otp.period`, and each OTP expires after `auth.rate_limits.otp.validity`.
With OTP, a user can sign in without setting a password on their account. They need to verify their phone number each time they sign in.
**JavaScript**

```js
const { data, error } = await supabase.auth.signInWithOtp({
  phone: '+13334445555',
})
```

**Swift**

```swift
try await supabase.auth.signInWithOTP(
  phone: "+13334445555"
)
```

**Kotlin**

```kotlin
supabase.auth.signInWith(OTP) {
  phone = "+13334445555"
}
```

**HTTP**

```bash
curl -X POST 'https://<PROJECT_REF>.supabase.co/auth/v1/otp' \
  -H "apikey: <SUPABASE_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "phone": "+13334445555"
  }'
```
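The request step above is where SMS pumping (toll fraud) hits you: every request that Supabase accepts costs money at the SMS provider, and the number is attacker-controlled input. Supabase enforces `auth.rate_limits.otp.period` per phone number, but a backend or edge function that fronts `signInWithOtp` should also reject malformed numbers and throttle by caller before anything reaches Supabase. The gate below is an added example, not code from this page or from Supabase; the E.164 check, the dial-code allowlist and the per-phone and per-IP sliding windows are assumed policy for illustration, not Supabase settings.

```javascript
// Added example: pre-flight gate for phone OTP requests (not part of supabase-js).
// The Supabase call it guards is shown commented out at the end.

// E.164: a leading '+', a country-code digit 1-9, then up to 14 more digits.
const E164 = /^\+[1-9]\d{1,14}$/

// Strips the separators people type ("+1 (333) 444-5555") and requires E.164.
// Returns the canonical number, or null when the input cannot be normalized safely.
function normalizePhone(input) {
  if (typeof input !== 'string') return null
  const stripped = input.replace(/[\s().-]/g, '')
  return E164.test(stripped) ? stripped : null
}

// Sliding-window counter: at most `limit` events per `windowMs` for a given key
// (phone number, client IP, ...). The clock is injected so the window is testable.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit
    this.windowMs = windowMs
    this.now = now
    this.events = new Map() // key -> timestamps (ms) of recent events
  }

  // Records the event for `key` and returns true if it is still within the limit.
  allow(key) {
    const t = this.now()
    const recent = (this.events.get(key) || []).filter((ts) => t - ts < this.windowMs)
    if (recent.length >= this.limit) {
      this.events.set(key, recent)
      return false
    }
    recent.push(t)
    this.events.set(key, recent)
    return true
  }
}

// Assumed policy (illustrative, not Supabase settings): one request per phone per
// 60 s, mirroring the default OTP request period; five per client IP per 10 min to
// blunt pumping across many numbers; only dial codes the business operates in.
function createOtpRequestGate({
  allowedDialCodes = ['+1', '+44'],
  perPhone = new SlidingWindowLimiter({ limit: 1, windowMs: 60_000 }),
  perIp = new SlidingWindowLimiter({ limit: 5, windowMs: 600_000 }),
} = {}) {
  return function check({ phone, ip }) {
    const normalized = normalizePhone(phone)
    if (!normalized) return { ok: false, reason: 'invalid_phone' }
    if (!allowedDialCodes.some((code) => normalized.startsWith(code))) {
      return { ok: false, reason: 'country_not_allowed' }
    }
    // Spend the IP budget first so a throttled IP cannot burn a phone's single slot.
    if (!perIp.allow(ip)) return { ok: false, reason: 'ip_rate_limited' }
    if (!perPhone.allow(normalized)) return { ok: false, reason: 'phone_rate_limited' }
    return { ok: true, phone: normalized }
    // Only on ok does the caller forward the request to Supabase:
    //   await supabase.auth.signInWithOtp({ phone: normalized })
  }
}
```

Run the gate in the server-side code that calls Supabase, not in the browser, where it can be bypassed. Return the same generic error to the client for every rejection so the response does not reveal which numbers are registered or allowed.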
The user receives an SMS with a 6-digit PIN; it must be verified before it expires (60 seconds by default).
To verify the one-time password (OTP) sent to the user's phone number, present a form so the user can enter the 6-digit PIN, then send it together with the phone number to the verify call for your SDK (`verifyOtp` in JavaScript, `verifyOTP` in Swift, `verifyPhoneOtp` in Kotlin):

**JavaScript**

```js
const {
  data: { session },
  error,
} = await supabase.auth.verifyOtp({
  phone: '+13334445555',
  token: '123456',
  type: 'sms',
})
```

**Swift**

```swift
try await supabase.auth.verifyOTP(
  phone: "+13334445555",
  token: "123456",
  type: .sms
)
```

**Kotlin**

```kotlin
supabase.auth.verifyPhoneOtp(
  type = OtpType.Phone.SMS,
  phone = "+13334445555",
  token = "123456"
)
```

**HTTP**

```bash
curl -X POST 'https://<PROJECT_REF>.supabase.co/auth/v1/verify' \
  -H "apikey: <SUPABASE_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "sms",
    "phone": "+13334445555",
    "token": "123456"
  }'
```
If successful, the user is now logged in and you receive a valid session like:

```json
{
  "access_token": "<ACCESS_TOKEN>",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "<REFRESH_TOKEN>"
}
```
The access token is a JWT. supabase-js attaches it automatically as an `Authorization: Bearer <ACCESS_TOKEN>` header on subsequent requests, and direct REST calls can send it the same way for any CRUD operation. See our guide on Row Level Security for how to restrict access on a per-user basis using the claims in that token.
To update a user's phone number, the user must be logged in. Call `updateUser()` with the new phone number in E.164 format:

**JavaScript**

```js
const { data, error } = await supabase.auth.updateUser({
  phone: '+13334445555',
})
```

**Swift**

```swift
try await supabase.auth.updateUser(
  user: UserAttributes(
    phone: "+13334445555"
  )
)
```

The user receives an SMS with a 6-digit PIN at the new number; it must be verified before it expires (60 seconds by default). Verify it with the same verify call as for sign-in, passing the new phone number and type `phone_change` instead of `sms`; the change is not applied until that verification succeeds.