Authentication

EdgeBase Authentication provides a complete identity solution for your applications. It supports email/password, magic link, email OTP, passkeys, phone auth, 13 OAuth providers, anonymous sessions, and MFA out of the box. Sessions are managed via JWT with automatic refresh token rotation, and server-side auth hooks let you enforce custom business logic at every step of the auth flow.


Auth Methods

  • Email & Password: PBKDF2 hashing (600K iterations), email verification support
  • Magic Link: Passwordless email login — click a link, no password needed
  • Email OTP: 6-digit passwordless codes delivered by email
  • OAuth: Google, GitHub, Apple, Discord, and 9 more providers
  • Passkeys: WebAuthn login with biometrics and security keys
  • Phone / SMS: OTP-based phone login — verify identity with a 6-digit SMS code
  • Anonymous: Instant sign-in with no credentials — upgradeable to full account later
  • Multi-Factor Auth: TOTP-based 2FA with recovery codes for extra account security

How Sessions Work

Session Lifecycle
Sign In → Access Token (15 min) + Refresh Token (28 days)
              │
              ▼
     Token expires → SDK auto-refreshes using Refresh Token
              │
              ▼
     New Access Token + New Refresh Token (rotation)
  • Access Token — Short-lived JWT verified locally (no server round-trip)
  • Refresh Token — Long-lived, single-use with rotation grace period for concurrent requests
  • Multi-tab sync — Token refresh broadcasts across browser tabs via BroadcastChannel
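
A minimal server-side model of the single-use refresh token rotation with a grace period described above, as an added example (not EdgeBase's implementation). The `RefreshTokenStore` class, the 10-second `GRACE_MS` window, and ending the session when a spent token is replayed after that window are assumptions made for illustration.

```javascript
// Added illustration, not EdgeBase source code. GRACE_MS and the
// revoke-on-replay policy are assumptions made for this model.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

const GRACE_MS = 10_000; // assumed grace window for concurrent refreshes

class RefreshTokenStore {
  constructor() {
    this.tokens = new Map();  // token -> { family, usedAt, successor }
    this.revoked = new Set(); // session families ended after a replay
  }

  // Mint an opaque token; a real store would persist only its hash.
  issue(family = wc.randomUUID()) {
    const token = Buffer.from(wc.getRandomValues(new Uint8Array(32))).toString('base64url');
    this.tokens.set(token, { family, usedAt: null, successor: null });
    return token;
  }

  // Exchange a refresh token. `now` is injectable so timing is testable.
  rotate(token, now = Date.now()) {
    const rec = this.tokens.get(token);
    if (!rec || this.revoked.has(rec.family)) {
      return { ok: false, reason: 'invalid' };
    }
    if (rec.usedAt === null) {
      // First use: spend the token and hand out its successor.
      rec.usedAt = now;
      rec.successor = this.issue(rec.family);
      return { ok: true, refreshToken: rec.successor };
    }
    if (now - rec.usedAt <= GRACE_MS) {
      // Concurrent request (second tab, retried call): same successor,
      // so the session does not fork into several live tokens.
      return { ok: true, refreshToken: rec.successor };
    }
    // Replay after the grace window: treat as theft, end the session.
    this.revoked.add(rec.family);
    return { ok: false, reason: 'reuse-detected' };
  }
}
```

The grace window is what keeps two tabs refreshing at the same moment from logging each other out; the wider it is, the longer a copied refresh token stays usable alongside the legitimate client.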

Quick Example

// `client` is an already-initialized EdgeBase client instance.

// Sign up
const { user: newUser } = await client.auth.signUp({
  email: 'user@example.com',
  password: 'securePassword123',
});

// Sign in
const { user: signedInUser } = await client.auth.signIn({
  email: 'user@example.com',
  password: 'securePassword123',
});

// Get current user
const currentUser = client.auth.currentUser;

// Listen for auth state changes
client.auth.onAuthStateChange((user) => {
  console.log('Auth state:', user ? 'signed in' : 'signed out');
});

Custom Claims

Attach custom data to user tokens for role-based access:

// Server-side: set custom claims
await admin.auth.setCustomClaims(userId, {
  role: 'editor',
  plan: 'pro',
});

// Use in access rules:
// access: { update(auth) { return auth?.custom?.role === 'editor' } }

Server-Side Auth Coverage

Admin user management, session revocation, and auth hook integrations are available across all Admin SDKs.
