This feature is in beta. Core behavior is stable, but some APIs or configuration may change before general availability.
Authentication
EdgeBase Authentication provides a complete identity solution for your applications. It supports email/password, magic link, email OTP, passkeys, phone auth, 14 OAuth providers, anonymous sessions, and MFA out of the box. Sessions are managed via JWT with automatic refresh token rotation, and you can extend every step of the auth flow with backend authentication triggers and delivery hooks.
- Access Rules: Authentication Access Rules allow or deny auth actions such as sign-up, sign-in, MFA, OAuth, refresh, and sign-out.
- Hooks: Authentication Delivery Hooks and the Authentication Context Hook customize outbound email/SMS and request-scoped auth metadata.
- Triggers: Authentication Triggers run backend logic during sign-up, sign-in, token refresh, password reset, and account lifecycle events.
- Handlers: Inline authentication behavior lives under auth.handlers.* in edgebase.config.ts.
Auth Methods
- Email & Password: PBKDF2 hashing (100K iterations), email verification support
- Magic Link: Passwordless email login — click a link, no password needed
- Email OTP: 6-digit passwordless codes delivered by email
- OAuth: Google, GitHub, Apple, Discord, and 10 more providers
- Passkeys: WebAuthn login with biometrics and security keys
- Phone / SMS: OTP-based phone login — verify identity with a 6-digit SMS code
- Anonymous: Instant sign-in with no credentials — upgradeable to full account later
- Multi-Factor Auth: TOTP-based 2FA with recovery codes for extra account security
How Sessions Work
Sign In → Access Token (15 min) + Refresh Token (28 days)
│
▼
Token expires → SDK auto-refreshes using Refresh Token
│
▼
New Access Token + New Refresh Token (rotation)
- Access Token — Short-lived JWT verified locally (no server round-trip)
- Refresh Token — Long-lived, single-use with rotation grace period for concurrent requests
- Multi-tab sync — Token refresh broadcasts across browser tabs via BroadcastChannel
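The rotation step in the diagram, as an added example that is not EdgeBase's own code: a server-side refresh-token store in which each token is single-use, a second presentation inside a short grace window returns the same successor (so concurrent requests do not fail), and a presentation after the window is treated as reuse and revokes the whole token family. The grace length, the token format and the family-revocation response are assumptions; only the 15-minute and 28-day lifetimes come from the page.

```javascript
// Illustrative refresh-token rotation with a reuse grace window.
// Added example; not EdgeBase's implementation. Token format, grace
// length and family revocation are assumptions.
const ACCESS_TTL_MS = 15 * 60 * 1000;            // 15 min access token (page)
const REFRESH_TTL_MS = 28 * 24 * 60 * 60 * 1000; // 28 day refresh token (page)
const GRACE_MS = 10 * 1000;                      // assumed grace window

class RefreshTokenStore {
  constructor() {
    this.tokens = new Map();        // token -> { family, expiresAt, usedAt, successor }
    this.revokedFamilies = new Set(); // families killed after detected reuse
    this.counter = 0;
  }

  // Issue a fresh refresh token in a family (one family per sign-in).
  issue(family, now) {
    const token = `rt_${family}_${++this.counter}`;
    this.tokens.set(token, { family, expiresAt: now + REFRESH_TTL_MS, usedAt: null, successor: null });
    return token;
  }

  // Exchange a refresh token for a new pair. Returns null when rejected.
  rotate(token, now) {
    const rec = this.tokens.get(token);
    if (!rec || this.revokedFamilies.has(rec.family) || now >= rec.expiresAt) return null;
    if (rec.usedAt === null) {
      // First use: mark consumed and mint the successor.
      rec.usedAt = now;
      rec.successor = this.issue(rec.family, now);
      return { refreshToken: rec.successor, accessExpiresAt: now + ACCESS_TTL_MS };
    }
    if (now - rec.usedAt <= GRACE_MS) {
      // A concurrent request raced the first one: hand back the same successor.
      return { refreshToken: rec.successor, accessExpiresAt: now + ACCESS_TTL_MS };
    }
    // Reuse outside the grace window looks like a stolen token: revoke the family
    // so neither the original holder nor the thief can keep refreshing.
    this.revokedFamilies.add(rec.family);
    return null;
  }
}
```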
Quick Example
Assume client is already initialized with your platform SDK.
JavaScript:
const signUpResult = await client.auth.signUp({
email: 'user@example.com',
password: 'securePassword123',
});
const session = await client.auth.signIn({
email: 'user@example.com',
password: 'securePassword123',
});
const currentUser = client.auth.currentUser;
client.auth.onAuthStateChange((event, nextUser) => {
console.log(event, nextUser?.email);
});
Dart/Flutter:
final signUp = await client.auth.signUp(
email: 'user@example.com',
password: 'securePassword123',
);
final signIn = await client.auth.signIn(
email: 'user@example.com',
password: 'securePassword123',
);
final user = client.auth.currentUser;
client.auth.onAuthStateChange((event, currentUser) {
print('$event ${currentUser?.email}');
});
Swift:
let signUp = try await client.auth.signUp(
email: "user@example.com",
password: "securePassword123"
)
let signIn = try await client.auth.signIn(
email: "user@example.com",
password: "securePassword123"
)
let user = await client.auth.currentUser()
client.auth.onAuthStateChange { event, currentUser in
print(event, currentUser?["email"] ?? "")
}
Kotlin:
val signUp = client.auth.signUp(
email = "user@example.com",
password = "securePassword123"
)
val signIn = client.auth.signIn(
email = "user@example.com",
password = "securePassword123"
)
val user = client.auth.currentUser() ?: client.auth.getMe()
client.auth.onAuthStateChange { event, currentUser ->
println(event + " " + currentUser?.get("email"))
}
Java:
Map<String, Object> signUp = client.auth().signUp(
"user@example.com",
"securePassword123",
Map.of()
);
Map<String, Object> signIn = client.auth().signIn(
"user@example.com",
"securePassword123"
);
Map<String, Object> user = client.auth().currentUser();
client.auth().onAuthStateChange((event, currentUser) -> {
System.out.println(event + " " + currentUser.get("email"));
});
C#:
var signUp = await client.Auth.SignUpAsync(
"user@example.com",
"securePassword123"
);
var signIn = await client.Auth.SignInAsync(
"user@example.com",
"securePassword123"
);
var user = await client.Auth.GetUserAsync();
client.Auth.OnAuthStateChange += (currentUser) => {
Console.WriteLine(currentUser?["email"]);
};
C++:
auto signUp = client.auth().signUp("user@example.com", "securePassword123");
auto signIn = client.auth().signIn("user@example.com", "securePassword123");
auto user = client.auth().currentUser();
client.auth().onAuthStateChange([](const std::string& userJson) {
std::cout << userJson << std::endl;
});
Custom Claims
Attach custom data to user tokens for role-based access:
// Server-side: set custom claims
await admin.auth.setCustomClaims(userId, {
role: 'editor',
plan: 'pro',
});
// Use in access rules:
// access: { update(auth) { return auth?.custom?.role === 'editor' } }
Admin user management, session revocation, and authentication trigger integrations are available across all Admin SDKs.
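Added example, not part of the page or of EdgeBase's SDKs: an evaluator for access-rule objects of the shape shown in the comment above, run against auth contexts that carry custom claims. The rule names, the context fields and the fail-closed behaviour (a missing rule, a non-true result or a thrown error all deny) are assumptions.

```javascript
// Added example, not EdgeBase code. Evaluates an access-rule object such as
// { update(auth) { ... } } against an auth context. Fail-closed (assumption):
// a missing rule, a non-true return value or a thrown error all deny.
function evaluateAccess(access, action, auth) {
  const rule = access ? access[action] : undefined;
  if (typeof rule !== 'function') return false;   // no rule for this action: deny
  try {
    return rule(auth) === true;                    // only a literal true grants
  } catch (err) {
    return false;                                  // a buggy rule must not grant
  }
}

// Rules in the shape shown above. Custom claims are set server-side via the
// Admin SDK, so a rule can key on auth.custom without client input.
const postAccess = {
  read() { return true; },
  update(auth) { return auth?.custom?.role === 'editor'; },
  delete(auth) { return auth?.custom?.role === 'editor' && auth.custom.plan === 'pro'; },
};

// Constructed auth contexts: a pro editor, an editor without a plan claim,
// and an unauthenticated request represented as null.
const proEditor = { uid: 'u1', custom: { role: 'editor', plan: 'pro' } };
const freeEditor = { uid: 'u2', custom: { role: 'editor' } };
const anonymous = null;
```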
Next Steps
- Sign up, sign in, password reset, email verification
- Passwordless email login — no password required
- 6-digit passwordless codes sent by email
- Social login with 14 providers
- Connect Okta, Auth0, Keycloak, and other OIDC providers
- OTP-based phone login with SMS verification
- Zero-friction sign-in, account upgrading
- WebAuthn sign-in and passkey management
- TOTP-based 2FA with recovery codes
- JWT lifecycle, refresh rotation, multi-tab sync
- Two-step verified email updates for signed-in users
- Server-side user management
- Lock out compromised or abusive accounts
- Bulk import existing users and credentials
- Allow or deny auth actions such as sign-up, sign-in, MFA, OAuth, refresh, and sign-out
- Run server-side logic during sign-up, sign-in, token refresh, and more
- Rewrite or block outbound auth email and SMS messages
- Turnstile integration for bot protection
- Upgrade anonymous accounts or attach multiple OAuth providers to one user
- Complete auth error reference
- Strength rules, HIBP leak detection, hashing
- Session limits, eviction, token rotation, cleanup
- See which auth capabilities belong to Client SDK vs Admin SDK