Supabase Auth v2: Phone Auth now available

2021-07-28


Since launching Supabase Auth last summer, it's proven to be a key part of the Supabase Stack. We receive a constant stream of feature requests and community PRs, resulting in a long list of external providers including GitHub, Discord, Azure, Apple and more.

Supabase Auth is similar to Auth0 and Firebase Auth with one major difference - the user data lives in your own database, reducing lock-in, and making the auth system more extensible. You can write native PostgreSQL Row Level Security policies to determine which data your users should (or should not) have access to. It can even be used in conjunction with other Supabase features, such as Storage, to control access for specific files and buckets.

Today we're announcing some major new features for our fork of Netlify's GoTrue Auth server.

Phone Auth is here!

Your users can now log in using their mobile with SMS-based OTPs (one-time passwords).

Passwordless SMS login

Users can log in using a passwordless SMS-based OTP with supabase-js, or directly with the Auth API.

After requesting a login, the user receives a six-digit one-time password. The OTP can then be easily verified.

SMS login with passwords

Phone Auth can be used in conjunction with a password. Using this flow, your users can subsequently log in with either an OTP or a phone + password combo.

Choose an SMS Provider

Supabase Auth supports Twilio as an SMS provider, with more options coming soon. Simply plug your Twilio credentials into your Auth Settings in the Supabase Dashboard to get started.

Check out the documentation to get started with Mobile OTPs, or watch the YouTube guide.

Multi-Factor Auth coming soon

Phone Auth is available today on all new and existing Supabase projects. We've also laid the groundwork for mobile Multi-Factor Auth and will be offering that as an option soon.

Even more OAuth providers

The community has contributed tons of OAuth providers, and today we're announcing two more.

Shoutout to @ph1p who contributed Twitch as our latest OAuth provider! The Supabase team added Discord last month, bringing the total OAuth Providers to ten.

You can request more providers on our Auth repo and Pull Requests are, of course, always welcome.

To make life easy for developers, the Supabase hosted platform manages all Auth-related emails, including confirmation, recovery, invite, and passwordless "magic-link" emails. The templates are customizable and we even offer the ability to bring your own SMTP provider.

Some of our power users require a little more flexibility, however. We've had a lot of requests to dynamically generate email content, especially for sending internationalized emails. To handle situations like these, today we're adding the ability to generate confirmation, invite, recovery, and magic links via an API endpoint.

We've exposed this functionality in supabase-js. It is invoked with your service_role admin key, which means you should only call this function from a backend and never from the client itself.
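An added example (not from the original post or from Supabase's own code) of a build-time check for the backend-only rule above: it scans text destined for the browser for JWTs whose role claim is service_role. It assumes the project's API keys are JWTs carrying a role claim; the function names, sample bundle and tokens are constructed for illustration.

```javascript
// Added example: flag Supabase service_role keys in text bound for the browser.
// Assumption: API keys are JWTs whose payload carries a "role" claim.

// Three dot-separated base64url segments; a JWT header starts with "eyJ".
const JWT_PATTERN = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Decode one base64url segment to a parsed JSON object, or null if it is not JSON.
function decodeSegment(segment) {
  try {
    const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Return one finding per JWT in `text` whose role claim is "service_role".
// The signature is not verified: the goal is to spot a leaked key, not to trust it.
function findServiceRoleKeys(text, sourceName) {
  const findings = [];
  for (const match of text.matchAll(JWT_PATTERN)) {
    const payload = decodeSegment(match[0].split(".")[1]);
    if (payload && payload.role === "service_role") {
      findings.push({
        source: sourceName,
        offset: match.index,
        // Report only a prefix so the scanner's own output does not leak the key.
        preview: match[0].slice(0, 12) + "...",
      });
    }
  }
  return findings;
}

// Constructed sample tokens (unsigned placeholders, not real keys).
function makeSampleKey(role) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "HS256", typ: "JWT" }), enc({ role, iss: "supabase" }), "c2lnbmF0dXJl"].join(".");
}

const sampleBundle = `
  const client = createClient("https://project.example", "${makeSampleKey("anon")}");
  const admin = createClient("https://project.example", "${makeSampleKey("service_role")}");
`;

console.log(findServiceRoleKeys(sampleBundle, "bundle.js"));
```

Run it over built client assets in CI and fail the build on any finding; the anon key in the same bundle is expected and is not reported.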

What's next?

The next major item on the list is MFA (Multi-Factor Authentication) - which includes TOTP (Time-Based One Time Password).

Find out how Mobbin is using Supabase Auth to manage 200,000 users.

Anything else you want to see or can help implement in Auth? Reach out on Discord and give Auth a try by creating a project on Supabase!
