Supabase wordmarkSupabase wordmarkDOCS
  • Start
Supabase wordmarkSupabase wordmarkDOCS
Main menu
    Auth
  • Overview
  • Architecture
    • Getting Started
  • Next.js
  • React
  • React Native
    • Concepts
  • Users
  • Identities
  • Sessions
    • Flows (How-tos)
  • Server-Side Rendering
  • Password-based
  • Email (Magic Link or OTP)
  • Phone Login
  • Social Login (OAuth)
  • Enterprise SSO
  • Anonymous Sign-Ins
  • Web3 (Sign in with Solana)
  • Mobile Deep Linking
  • Identity Linking
  • Multi-Factor Authentication
  • Signout
    • Debugging
  • Error Codes
  • Troubleshooting
    • Third-party auth
  • Overview
  • Clerk
  • Firebase Auth
  • Auth0
  • AWS Cognito (Amplify)
  • WorkOS
    • Configuration
  • General Configuration
  • Email Templates
  • Redirect URLs
  • Auth Hooks
  • Custom SMTP
  • User Management
    • Security
  • Password Security
  • Rate Limits
  • Bot Detection (CAPTCHA)
  • JSON Web Tokens (JWT)
  • JWT Signing Keys
  • Row Level Security
  • Column Level Security
  • Custom Claims & RBAC
    • Auth UI
  • Auth UI (Deprecated)
  • Flutter Auth UI
Supabase wordmarkSupabase wordmarkDOCS
  • Start
Supabase wordmarkSupabase wordmarkDOCS
Auth
  1. Auth
  3. Flows (How-tos)
  5. Phone Login

Phone Login

Phone Login is a method of authentication that allows users to log in to a website or application without using a password. The user authenticates through a one-time password (OTP) sent via a channel (SMS or WhatsApp).

At this time, WhatsApp is only supported as a channel for the Twilio and Twilio Verify Providers.

Users can also log in with their phones using Native Mobile Login with the built-in identity provider. For Native Mobile Login with Android and iOS, see the Social Login guides.

Phone OTP login can:

  • Improve the user experience by not requiring users to create and remember a password
  • Increase security by reducing the risk of password-related security breaches
  • Reduce support burden of dealing with password resets and other password-related flows

To keep SMS sending costs under control, make sure you adjust your project's rate limits and configure CAPTCHA. See the Production Checklist to learn more.


Some countries have special regulations for services that send SMS messages to users, (e.g India's TRAI DLT regulations). Remember to look up and follow the regulations of countries where you operate.

Enabling phone login#

Enable phone authentication on the Auth Providers page for hosted Supabase projects.

For self-hosted projects or local development, use the configuration file. See the configuration variables namespaced under auth.sms.

You also need to set up an SMS provider. Each provider has its own configuration. Supported providers include MessageBird, Twilio, Vonage, and TextLocal (community-supported).

Configuring SMS Providers

By default, a user can only request an OTP once every 60 seconds and they expire after 1 hour.

Signing in with phone OTP#

With OTP, a user can sign in without setting a password on their account. They need to verify their phone number each time they sign in.

1
2
3
const { ,  } = await ..({  : '+13334445555',})

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds.

Verifying a phone OTP#

To verify the one-time password (OTP) sent to the user's phone number, call verifyOtp() with the phone number and OTP:

You should present a form to the user so they can input the 6 digit pin, then send it along with the phone number to verifyOtp:

1
2
3
4
5
6
7
8
const {  : {  },  ,} = await ..({  : '13334445555',  : '123456',  : 'sms',})

If successful the user will now be logged in and you should receive a valid session like:

1
2
3
4
5
6
{  "access_token": "<ACCESS_TOKEN>",  "token_type": "bearer",  "expires_in": 3600,  "refresh_token": "<REFRESH_TOKEN>"}

The access token can be sent in the Authorization header as a Bearer token for any CRUD operations on supabase-js. See our guide on Row Level Security for more info on restricting access on a user basis.

Updating a phone number#

To update a user's phone number, the user must be logged in. Call updateUser() with their phone number:

1
2
3
const { ,  } = await ..({  : '123456789',})

The user receives an SMS with a 6-digit pin that you must verify within 60 seconds. Use the phone_change type when calling verifyOTP to update a user’s phone number.

Edit this page on GitHub

Is this helpful?

On this page

Enabling phone loginSigning in with phone OTPVerifying a phone OTPUpdating a phone number

  • Need some help?

    Contact support

  • Latest product updates?

    See Changelog

  • Something's not right?

    Check system status
© Supabase Inc—ContributingAuthor StyleguideOpen SourceSupaSquad
GitHubTwitterDiscord

Twilio#

Prerequisites

You'll need:

  • Twilio account (sign up)
  • Supabase project (create one here)
  • Mobile phone capable of receiving SMS

SMS Authentication can be done with either Twilio Verify or Twilio Programmable Messaging. Twilio Verify is a specialized OTP solution and is recommended for most developers that need over-the-phone authentication. Alternatively you can use Twilio Programmable Messaging which offers generic SMS sending support.

To keep SMS sending costs under control, make sure you adjust your project's rate limits and configure CAPTCHA. See the Production Checklist to learn more.


Some countries have special regulations for services that send SMS messages to users, (e.g India's TRAI DLT regulations). Remember to look up and follow the regulations of countries where you operate.

Twilio Verify

To set up Twilio Verify, you will need to:

  1. Create a new verification service in the Twilio dashboard.
  2. Switch Phone Provider to Twilio Verify
  3. Configure the Twilio Verify Service ID field using the Verification Service ID obtained in 1.

When using Twilio Verify, OTPs are generated by Twilio. This means that:

  • Unlike other providers, the OTP expiry duration and message content fields are not configurable via the Supabase dashboard. Please head to Twilio Verify to configure these settings.
  • The token remains the same during its validity period until the verification is successful. This means if your user makes another request within that period, they will receive the same token.
  • Twilio Verify has a separate set of rate limits that apply. Visit Twilio's Rate Limit and Timeouts page to find out more.

At this time, Twilio Verify is only supported on the whatsapp and sms channels.

Twilio (Programmable Messaging)

In this section, you'll set up Twilio as an SMS provider:

What you'll need:

  • A Twilio account (sign up here: https://www.twilio.com/try-twilio)
  • A Supabase project (create one here: https://supabase.com/dashboard)
  • A mobile phone capable of receiving SMS

Setting up your Twilio credentials

Start by logging into your Twilio account and starting a new project: https://www.twilio.com/console/projects/create

Give your project a name and verify the mobile number you'll be using to test with. This is the number that will be receiving the SMS OTPs.

Name your twilio project verify your own phone number

Select 'SMS', 'Identity & Verification', and 'With code' as options on the welcome form.

Form Fields

When you're back on the Twilio console screen, you need to scroll down and click 'Get a trial phone number' - this is the number that you'll be sending SMSs from.

Get a trial phone number

Successful phone number

You should now be able to see all three values you'll need to get started:

  • Account SID
  • Auth Token
  • Sender Phone Number

All the credentials you'll need

Now go to the Auth > Providers page in the Supabase dashboard and select "Phone" from the Auth Providers list.

You should see an option to enable the Phone provider.

Toggle it on, and copy the 3 values over from the Twilio dashboard. Click save.

Note: for "Twilio Message Service SID" you can use the Sender Phone Number generated above.

Plug in Twilio credentials

Now the backend should be setup, we can proceed to add our client-side code!

The Twilio Content SID field is specific to Twilio Programmable Messaging (WhatsApp) senders. Disregard this field if you are only sending SMS messages. Refer to the section on WhatsApp OTP Logins for further details.

SMS custom template

The SMS message sent to a phone containing an OTP code can be customized. This is useful if you need to mention a brand name or display a website address.

Go to the Auth > Providers page in the Supabase dashboard and select "Phone" from the Auth Providers list. Scroll to the very bottom of the "Phone" section to the "SMS Message" input - you can customize the SMS message here.

Use the variable .Code in the template to display the OTP code. Here's an example in the SMS template.

example in the SMS template

WhatsApp OTP logins

In some cases, you may wish to use WhatsApp as a delivery channel instead. Here are some examples our users have cited:

  • You want higher deliverability
  • You wish for a secure channel
  • Your users mostly use WhatsApp as a messaging platform

Twilio Verify can be used with WhatsApp OTPs with no additional configuration.

Complete the following steps to use WhatsApp OTP with Twilio Programmable Messaging:

  1. Go through the Twilio self sign up guide for WhatsApp.
  2. Register a Twilio Content Template via the API and note the corresponding Twilio Content SID. You can also use the Template Builder on the Twilio dashboard to create a Content Template Twilio Content SID Image
  3. Register the Twilio Content SID on the Supabase dashboard under Authentication > Providers > Phone > Twilio Content SID. Ensure you have Twilio selected as your phone provider.

You may only use one Twilio Content SID at a time. Supabase Auth will use the Content Template over the SMS Message field when sending WhatsApp messages. Use Twilio Verify if you need to use more than one message template.