Auth

Phone Login

Phone Login is a method of authentication that allows users to log in to a website or application without using a password. The user authenticates through a one-time code sent via SMS.

Users can also log in with their phones using Native Mobile Login with the built-in identity provider. For Native Mobile Login with Android and iOS, see the Social Login guides.

Phone OTP login can:

  • Improve the user experience by not requiring users to create and remember a password
  • Increase security by reducing the risk of password-related security breaches
  • Reduce support burden of dealing with password resets and other password-related flows

Enabling Phone Login

Enable phone authentication on the Auth Providers page for hosted Supabase projects.

For self-hosted projects or local development, use the configuration file. See the configuration variables namespaced under auth.sms.

You also need to set up an SMS provider. Each provider has its own configuration. Supported providers include MessageBird, Twilio, Vonage, and TextLocal (community-supported).

Configuring SMS Providers

By default, a user can only request an OTP once every 60 seconds and they expire after 1 hour.

Signing in with phone OTP

With OTP, a user can sign in without setting a password on their account. They need to verify their phone number each time they sign in.


_10
const { data, error } = await supabase.auth.signInWithOtp({
_10
phone: '+13334445555',
_10
})

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds.

Verifying a phone OTP

To verify the one-time password (OTP) sent to the user's phone number, call verifyOtp() with the phone number and OTP:

You should present a form to the user so they can input the 6 digit pin, then send it along with the phone number to verifyOtp:


_10
const {
_10
data: { session },
_10
error,
_10
} = await supabase.auth.verifyOtp({
_10
phone: '+13334445555',
_10
token: '123456',
_10
type: 'sms',
_10
})

If successful the user will now be logged in and you should receive a valid session like:


_10
{
_10
"access_token": "<ACCESS_TOKEN>",
_10
"token_type": "bearer",
_10
"expires_in": 3600,
_10
"refresh_token": "<REFRESH_TOKEN>"
_10
}

The access token can be sent in the Authorization header as a Bearer token for any CRUD operations on supabase-js. See our guide on Row Level Security for more info on restricting access on a user basis.

Updating a phone number

To update a user's phone number, the user must be logged in. Call updateUser() with their phone number:


_10
const { data, error } = await supabase.auth.updateUser({
_10
phone: '123456789',
_10
})

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds.