Email OTP

The Email OTP plugin allows user to sign in, verify their email, or reset their password using a one-time password (OTP) sent to their email address.

Installation

import { betterAuth } from "better-auth"
import { emailOTP } from "better-auth/plugins"
 
export const auth = betterAuth({
    // ... other config options
    plugins: [
        emailOTP({ 
                async sendVerificationOTP({ email, otp, type}) { 
					// Implement the sendVerificationOTP method to send the OTP to the user's email address
				}, 
        }) 
    ]
})

import { createAuthClient } from "better-auth/client"
import { emailOTPClient } from "better-auth/client/plugins"
 
export const authClient = createAuthClient({
    plugins: [
        emailOTPClient()
    ]
})

Usage

Send OTP

First, send an OTP to the user's email address.

const { data, error } = await authClient.emailOtp.sendVerificationOtp({
    email: "[email protected]", // required
    type: "sign-in", // required
});

Sign in with OTP

Once the user provides the OTP, you can sign in the user using the signIn.emailOtp() method.

const { data, error } = await authClient.signIn.emailOtp({
    email: "[email protected]", // required
    otp: "123456", // required
});

Verify Email

To verify the user's email address, use the verifyEmail() method.

const { data, error } = await authClient.emailOtp.verifyEmail({
    email: "[email protected]", // required
    otp: "123456", // required
});

Forgot & Reset Password

To reset the user's password, you must use the forgotPassword method:

const { data, error } = await authClient.forgetPassword.emailOtp({
    email: "[email protected]", // required
});

After that, you may use the resetPassword() method to apply the password reset.

const { data, error } = await authClient.emailOtp.resetPassword({
    email: "[email protected]", // required
    otp: "123456", // required
    password: "new-secure-password", // required
});

Override Default Email Verification

To override the default email verification, pass overrideDefaultEmailVerification: true in the options. This will make the system use an email OTP instead of the default verification link whenever email verification is triggered. In other words, the user will verify their email using an OTP rather than clicking a link.

import { betterAuth } from "better-auth";
 
export const auth = betterAuth({
  plugins: [
    emailOTP({
      overrideDefaultEmailVerification: true, 
      async sendVerificationOTP({ email, otp, type }) {
        // Implement the sendVerificationOTP method to send the OTP to the user's email address
      },
    }),
  ],
});

Options

• sendVerificationOTP: A function that sends the OTP to the user's email address. The function receives an object with the following properties:
  • email: The user's email address.
  • otp: The OTP to send.
  • type: The type of OTP to send. Can be "sign-in", "email-verification", or "forget-password".

Example

import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    plugins: [
        emailOTP({
            async sendVerificationOTP({
                email,
                otp,
                type
            }) {
                if (type === "sign-in") {
                    // Send the OTP for sign-in
                } else if (type === "email-verification") {
                    // Send the OTP for email verification
                } else {
                    // Send the OTP for password reset
                }
            },
        })
    ]
})

• otpLength: The length of the OTP. Defaults to 6.
• expiresIn: The expiry time of the OTP in seconds. Defaults to 300 seconds.

import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    plugins: [
        emailOTP({
            otpLength: 8,
            expiresIn: 600
        })
    ]
})

• sendVerificationOnSignUp: A boolean value that determines whether to send the OTP when a user signs up. Defaults to false.

• disableSignUp: A boolean value that determines whether to prevent automatic sign-up when the user is not registered. Defaults to false.

• generateOTP: A function that generates the OTP. Defaults to a random 6-digit number.

• allowedAttempts: The maximum number of attempts allowed for verifying an OTP. Defaults to 3. After exceeding this limit, the OTP becomes invalid and the user needs to request a new one.

import { betterAuth } from "better-auth"
 
export const auth = betterAuth({
    plugins: [
        emailOTP({
            allowedAttempts: 5, // Allow 5 attempts before invalidating the OTP
            expiresIn: 300
        })
    ]
})

When the maximum attempts are exceeded, the verifyOTP, signIn.emailOtp, verifyEmail, and resetPassword methods will return an error with code MAX_ATTEMPTS_EXCEEDED.

• storeOTP: The method to store the OTP in your database, wether encrypted, hashed or plain text. Default is plain text.

Alternatively, you can pass a custom encryptor or hasher to store the OTP in your database.

Custom encryptor

emailOTP({
    storeOTP: { 
        encrypt: async (otp) => {
            return myCustomEncryptor(otp);
        },
        decrypt: async (otp) => {
            return myCustomDecryptor(otp);
        },
    }
})

Custom hasher

emailOTP({
    storeOTP: {
        hash: async (otp) => {
            return myCustomHasher(otp);
        },
    }
})