phone-login.mdx

File metadata and controls

199 lines (151 loc) · 5.12 KB
---
title: Phone Login
description: Learn about logging in to your platform using SMS one-time passwords.
---

Phone Login is a method of authentication that allows users to log in to a website or application without using a password. The user authenticates through a one-time code sent via SMS.

Users can also log in with their phones using Native Mobile Login with the built-in identity provider. For Native Mobile Login with Android and iOS, see the Social Login guides.

Phone OTP login can:

  • Improve the user experience by not requiring users to create and remember a password
  • Increase security by reducing the risk of password-related security breaches
  • Reduce support burden of dealing with password resets and other password-related flows

Enabling Phone Login

Enable phone authentication on the Auth Providers page for hosted Supabase projects.

For self-hosted projects or local development, use the configuration file. See the configuration variables namespaced under auth.sms.

You also need to set up an SMS provider. Each provider has its own configuration. Supported providers include MessageBird, Twilio, Vonage, and TextLocal (community-supported).

By default, a user can request an OTP only once every auth.rate_limits.otp.period, and each OTP expires after auth.rate_limits.otp.validity.

Signing in with phone OTP

With OTP, a user can sign in without setting a password on their account. They need to verify their phone number each time they sign in.

JavaScript:

```js
const { data, error } = await supabase.auth.signInWithOtp({
  phone: '+13334445555',
})
```

Swift:

```swift
try await supabase.auth.signInWithOTP(
  phone: "+13334445555"
)
```

Kotlin:

```kotlin
supabase.auth.signInWith(OTP) {
    phone = "+13334445555"
}
```

HTTP:

```bash
curl -X POST 'https://cvwawazfelidkloqmbma.supabase.co/auth/v1/otp' \
  -H "apikey: SUPABASE_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "phone": "+13334445555"
  }'
```

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds.

Verifying a phone OTP

To verify the one-time password (OTP) sent to the user's phone number, call verifyOtp() with the phone number and OTP:

JavaScript:

You should present a form to the user so they can input the 6-digit pin, then send it along with the phone number to verifyOtp:

```js
const {
  data: { session },
  error,
} = await supabase.auth.verifyOtp({
  phone: '+13334445555',
  token: '123456',
  type: 'sms',
})
```

Swift:

You should present a form to the user so they can input the 6-digit pin, then send it along with the phone number to verifyOTP:

```swift
try await supabase.auth.verifyOTP(
  phone: "+13334445555",
  token: "123456",
  type: .sms
)
```

Kotlin:

You should present a form to the user so they can input the 6-digit pin, then send it along with the phone number to verifyPhoneOtp:

```kotlin
supabase.auth.verifyPhoneOtp(
    type = OtpType.Phone.SMS,
    phone = "+13334445555",
    token = "123456"
)
```

HTTP:

```bash
curl -X POST 'https://<PROJECT_REF>.supabase.co/auth/v1/verify' \
  -H "apikey: <SUPABASE_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "sms",
    "phone": "+13334445555",
    "token": "123456"
  }'
```

If successful, the user is now logged in and you receive a valid session like:

```json
{
  "access_token": "<ACCESS_TOKEN>",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "<REFRESH_TOKEN>"
}
```

The access token can be sent in the Authorization header as a Bearer token for any CRUD operations on supabase-js. See our guide on Row Level Security for more info on restricting access on a user basis.
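The two-step flow above (request the SMS, then verify the pin) is easy to get subtly wrong on the client: sending a non-E.164 number, submitting a malformed pin, or retrying a code after the 60-second window expires. The following is an added example, not code from the Supabase docs or SDK; it wraps an `auth` object that is assumed to expose `signInWithOtp()` and `verifyOtp()` with the argument and return shapes shown on this page, and treats only a returned session as proof that the user controls the phone.

```javascript
// Added example (not Supabase's own code). `auth` is any object exposing
// signInWithOtp() and verifyOtp() with the shapes shown on this page.
const E164 = /^\+[1-9]\d{6,14}$/;   // e.g. '+13334445555'; rejects '123456789'
const SIX_DIGITS = /^\d{6}$/;       // the SMS pin is exactly 6 digits
const OTP_WINDOW_MS = 60_000;       // the page's 60-second verification window

// Step 1: request the SMS. Returns pending state the caller keeps in memory;
// the pin itself never passes through this code until the user types it.
async function requestOtp(auth, phone, now = Date.now()) {
  if (!E164.test(phone)) {
    return { error: 'phone must be E.164, e.g. +13334445555' };
  }
  const { error } = await auth.signInWithOtp({ phone });
  if (error) return { error: error.message };
  return { phone, requestedAt: now };
}

// Step 2: submit the pin. Rejects stale or malformed input locally so the
// server-side OTP rate limit is not spent on requests that cannot succeed.
async function confirmOtp(auth, pending, token, now = Date.now()) {
  if (!SIX_DIGITS.test(token)) return { error: 'token must be 6 digits' };
  if (now - pending.requestedAt > OTP_WINDOW_MS) {
    return { error: 'code expired; request a new one' };
  }
  const { data, error } = await auth.verifyOtp({
    phone: pending.phone,
    token,
    type: 'sms',
  });
  // Only a returned session proves possession of the phone. Anything else is
  // a failed login; never fall back to trusting the phone number by itself.
  if (error || !data?.session?.access_token) {
    return { error: error ? error.message : 'no session returned' };
  }
  return { session: data.session };
}
```

The returned `session.access_token` is what goes into the `Authorization: Bearer` header; the phone number on its own should never be used as an identity claim.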

Updating a phone number

To update a user's phone number, the user must be logged in. Call updateUser() with their phone number:

JavaScript:

```js
const { data, error } = await supabase.auth.updateUser({
  phone: '123456789',
})
```

Swift:

```swift
try await supabase.auth.updateUser(
  user: UserAttributes(
    phone: "123456789"
  )
)
```

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds.