Account Recovery
Account recovery, and the generation of new credentials (passkeys) that comes with it, is performed through an OTP (One-Time Password) that proves the user controls the email address registered to the account.
Start recovery
A new OTP is sent to the user each time one is requested with the sendOTP function (or noauth.otp.create on the NoAuth class). The user must already have been registered with signin.
Using the standalone functions:

import { sendOTP } from "@noauth/browser";

await sendOTP("[email protected]", {
  apiKey: "your-api-key",
});

Using the NoAuth class:

import { NoAuth } from "@noauth/browser";

const noauth = new NoAuth({ apiKey: "your-api-key" });
await noauth.otp.create("[email protected]");

Alternatives to validate the OTP
There are two alternatives for validating a user's OTP code:
1. Signin with OTP
Once the user receives the OTP, they start the authentication process by passing the OTP in the signin options (or as the second argument of noauth.signin). This is the account-recovery path: a successful call forces the creation of a new passkey for the user, so use it only when the user genuinely needs new credentials.
Using the standalone functions:

import { signin } from "@noauth/browser";

const { verified } = await signin("[email protected]", {
  apiKey: "your-api-key",
  otp: "123456",
});

Using the NoAuth class:

import { NoAuth } from "@noauth/browser";

const noauth = new NoAuth({ apiKey: "your-api-key" });
const { verified } = await noauth.signin("[email protected]", "123456");

2. Validate via Access Token
When the user already holds an access token, you can validate the OTP against that token instead of signing in again. Use this method to re-confirm that the current user controls the registered email (for example as step-up verification before a sensitive action); it does not go through the signin path that issues a new passkey.

Using the standalone functions:

import { verifyOTP, signin } from "@noauth/browser";

// Previously obtained access token
const { accessToken } = await signin("[email protected]", {
  apiKey: "your-api-key",
});

// Validate the OTP with the existing access token
const verified = await verifyOTP(accessToken, "123456", {
  apiKey: "your-api-key",
});

Using the NoAuth class:

import { NoAuth } from "@noauth/browser";

const noauth = new NoAuth({ apiKey: "your-api-key" });

// Previously obtained access token
const { accessToken } = await noauth.signin("[email protected]");

// Validate the OTP with the existing access token
const verified = await noauth.otp.verify(accessToken, "123456");
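The following is an added example and not code from the noauth.sh documentation or SDK. It ties the three calls on this page (sendOTP, then either signin with an OTP for recovery or verifyOTP against an existing access token for step-up) into one client-side flow, and adds the two checks a practitioner wants around them: rejecting malformed codes before they hit the network, and capping guesses per issued code. The SDK is injected as `client` (an assumed object exposing sendOTP, signin and verifyOTP with the signatures shown above) so the flow can be run offline against the constructed fake at the bottom; OtpFlow, makeFakeClient, the six-digit format and the three-attempt cap are assumptions of this example, not SDK behaviour.

```javascript
// Added example, not part of the noauth.sh documentation or SDK. It wires the
// three calls from this page into one client-side flow. The SDK is injected as
// `client` (assumption: an object exposing sendOTP, signin and verifyOTP with
// the signatures shown above) so the logic can be run offline against a fake.

const OTP_PATTERN = /^\d{6}$/; // assumption: codes are six digits, like the "123456" in the docs
const MAX_ATTEMPTS = 3;        // assumption: our own cap on guesses per issued code

class OtpFlow {
  constructor(client, apiKey) {
    this.client = client;
    this.apiKey = apiKey;
    this.email = null;
    this.attempts = 0;
  }

  // Step 1: request a fresh OTP for a registered email. Every new code gets a
  // fresh attempt budget.
  async start(email) {
    await this.client.sendOTP(email, { apiKey: this.apiKey });
    this.email = email;
    this.attempts = 0;
  }

  // Alternative 1 (account recovery): the user has no usable session, so sign
  // in with the OTP; on success the SDK creates a new passkey for the user.
  async recover(code) {
    this.consumeAttempt(code);
    const { verified } = await this.client.signin(this.email, {
      apiKey: this.apiKey,
      otp: code,
    });
    return this.settle(verified);
  }

  // Alternative 2 (step-up): the user already holds an access token, so verify
  // the OTP against it rather than going through signin again.
  async stepUp(accessToken, code) {
    this.consumeAttempt(code);
    const verified = await this.client.verifyOTP(accessToken, code, {
      apiKey: this.apiKey,
    });
    return this.settle(verified);
  }

  // Reject malformed codes before they reach the network (they do not cost an
  // attempt) and stop guessing once the budget for the current code is spent.
  consumeAttempt(code) {
    if (this.email === null) throw new Error("call start(email) before validating a code");
    if (!OTP_PATTERN.test(code)) throw new Error("OTP must be exactly six digits");
    if (this.attempts >= MAX_ATTEMPTS) throw new Error("too many attempts; request a new OTP");
    this.attempts += 1;
  }

  // A verified code is spent: further validation needs a new start().
  settle(verified) {
    const ok = verified === true;
    if (ok) this.email = null;
    return ok;
  }
}

// Constructed fake standing in for @noauth/browser in offline runs.
function makeFakeClient(validCode, validToken) {
  const sentTo = [];
  return {
    sentTo,
    async sendOTP(email) { sentTo.push(email); },
    async signin(email, opts) {
      return { verified: opts.otp === validCode, accessToken: validToken };
    },
    async verifyOTP(token, code) { return token === validToken && code === validCode; },
  };
}
```

In production, replace makeFakeClient with an object built from the real imports (`{ sendOTP, signin, verifyOTP }` from `@noauth/browser`). The client-side attempt cap only protects the user's own session from a runaway UI; the server-side limit on OTP verification is the control that matters against guessing, and this example does not claim to know what noauth.sh enforces there.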
OTP Delivery
The OTP can be delivered to the user in one of two ways; which one is used is configured in your application settings.
Email managed by noauth.sh (recommended for most cases)
The OTP is sent automatically from noauth.sh email servers. This option includes rate limiting to prevent abuse (for example repeated OTP requests against one address) and is the simplest to implement.
Custom webhook (for advanced cases)
You can delegate delivery to a webhook, which gives you complete freedom to use any channel (SMS, your own email provider, push notifications, and so on) and full control over the delivery flow. To use this option, you must register a webhook in your application settings. Because you now own the delivery flow, abuse controls such as the per-recipient rate limiting the managed option provides are yours to implement, and the endpoint should only act on requests it has confirmed come from noauth.sh.
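The following is an added example, not code from the noauth.sh documentation or SDK, of a receiver for the custom-webhook delivery option. It forwards the code over your own transport while keeping a per-recipient rate limit comparable to the one the managed email option applies, and it keeps the code out of your logs. Everything about the webhook contract here is an assumption, since the page does not document it: the body is taken to be JSON with string `email` and `code` fields, `deliver(email, code)` stands for your own SMS gateway, mailer or push sender, and verifying that the request really comes from noauth.sh is assumed to happen before this handler by whatever mechanism you configure. SlidingWindowLimiter, handleOtpWebhook, nodeHandler and the window and limit values are all this example's own.

```javascript
// Added example, not part of the noauth.sh documentation or SDK: a receiver for
// the custom-webhook delivery option that forwards the code over your own
// channel while keeping abuse controls comparable to the managed option.
// Assumptions (not documented on this page): the webhook body is JSON with
// string `email` and `code` fields; `deliver(email, code)` is your own transport
// (SMS gateway, mailer, push); and authenticating the request as coming from
// noauth.sh happens before this handler, by whatever mechanism you configure.

const WINDOW_MS = 10 * 60 * 1000; // assumption: ten-minute window per recipient
const MAX_PER_RECIPIENT = 3;       // assumption: at most three codes per recipient per window

// Sliding-window counter keyed by recipient; the clock is injected so the
// logic is deterministic in tests.
class SlidingWindowLimiter {
  constructor(windowMs, max) {
    this.windowMs = windowMs;
    this.max = max;
    this.hits = new Map();
  }

  // Returns true and records the hit if `key` is under the limit at `now`.
  allow(key, now) {
    const recent = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Canonicalise so "User@Example.com" and "user@example.com" share one budget.
function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// Core handler, kept free of HTTP objects so it can be unit-tested directly.
// Resolves to { status, body } for the transport layer to write back.
async function handleOtpWebhook(rawBody, deliver, limiter, now = Date.now()) {
  let payload;
  try {
    payload = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: "invalid JSON" };
  }
  if (payload === null || typeof payload !== "object" ||
      typeof payload.email !== "string" || typeof payload.code !== "string") {
    return { status: 400, body: "missing email or code" };
  }
  const email = normalizeEmail(payload.email);
  if (!limiter.allow(email, now)) {
    return { status: 429, body: "too many OTP requests for this recipient" };
  }
  try {
    await deliver(email, payload.code);
  } catch (err) {
    // Log the failure, never the code: an OTP in your logs is a credential leak.
    console.error("OTP delivery failed for", email, err.message);
    return { status: 502, body: "delivery failed" };
  }
  return { status: 200, body: "ok" };
}

// Adapter for node:http (assumed wiring):
//   http.createServer(nodeHandler(deliver, limiter)).listen(8080)
function nodeHandler(deliver, limiter) {
  return (req, res) => {
    if (req.method !== "POST") {
      res.writeHead(405).end();
      return;
    }
    const chunks = [];
    req.on("data", (chunk) => chunks.push(chunk));
    req.on("end", async () => {
      const raw = Buffer.concat(chunks).toString("utf8");
      const { status, body } = await handleOtpWebhook(raw, deliver, limiter);
      res.writeHead(status, { "content-type": "text/plain" }).end(body);
    });
  };
}
```

The in-memory Map is fine for a single process; behind several replicas the counter belongs in shared storage, otherwise each replica hands out its own budget and the limit silently multiplies.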