Authentication
Email OTP Login
Configure email verification code login
Email OTP Login
EasyStarter includes a built-in email OTP (one-time password) login powered by the Better Auth Email OTP plugin. Users simply enter their email address and receive a one-time verification code to sign in — no password required.
How It Works
- The user enters their email address on the sign-in page
- The server sends a one-time verification code to that email via the Email Service
- The user enters the received code
- The server verifies the code and completes sign-in (auto-registers if the user doesn't exist)
Enabling Email OTP Login
Email OTP login is controlled by a feature flag in packages/app-config/src/app-config.ts:
auth: {
methods: {
emailOtpEnabled: true,
},
}Prerequisites
Email OTP login depends on the email sending capability. Make sure you have completed the Email Service setup first.
OTP Configuration
The verification code behavior is configured in the auth.otp.email section of packages/app-config/src/app-config.ts:
auth: {
otp: {
email: {
// Number of digits in the verification code
otpLength: 6,
// Code expiration time in seconds
expiresInSeconds: 300,
// Maximum verification attempts per issued code
allowedAttempts: 3,
// Client-side resend cooldown in seconds
resendCooldownSeconds: 60,
},
},
}Rate Limiting
The server applies dedicated rate limits to email OTP endpoints to prevent abuse:
rateLimit: {
customRules: {
"/email-otp/send-verification-otp": { window: 60, max: 3 },
"/sign-in/email-otp": { window: 60, max: 10 },
},
}- Send verification code: max 3 requests per 60 seconds
- Verify and sign in: max 10 requests per 60 seconds