EasyStarter logoEasyStarter
Authentication

Email OTP Login

Configure email verification code login

Email OTP Login

EasyStarter includes a built-in email OTP (one-time password) login powered by the Better Auth Email OTP plugin. Users simply enter their email address and receive a one-time verification code to sign in — no password required.

How It Works

  1. The user enters their email address on the sign-in page
  2. The server sends a one-time verification code to that email via the Email Service
  3. The user enters the received code
  4. The server verifies the code and completes sign-in (auto-registers if the user doesn't exist)

Enabling Email OTP Login

Email OTP login is controlled by a feature flag in packages/app-config/src/app-config.ts:

packages/app-config/src/app-config.ts
auth: {
  methods: {
    emailOtpEnabled: true,
  },
}

Prerequisites

Email OTP login depends on the email sending capability. Make sure you have completed the Email Service setup first.

OTP Configuration

The verification code behavior is configured in the auth.otp.email section of packages/app-config/src/app-config.ts:

packages/app-config/src/app-config.ts
auth: {
  otp: {
    email: {
      // Number of digits in the verification code
      otpLength: 6,
      // Code expiration time in seconds
      expiresInSeconds: 300,
      // Maximum verification attempts per issued code
      allowedAttempts: 3,
      // Client-side resend cooldown in seconds
      resendCooldownSeconds: 60,
    },
  },
}

Rate Limiting

The server applies dedicated rate limits to email OTP endpoints to prevent abuse:

apps/server/src/lib/auth.ts
rateLimit: {
  customRules: {
    "/email-otp/send-verification-otp": { window: 60, max: 3 },
    "/sign-in/email-otp": { window: 60, max: 10 },
  },
}
  • Send verification code: max 3 requests per 60 seconds
  • Verify and sign in: max 10 requests per 60 seconds