Two-Factor & Passwordless

Set up 2FA (TOTP), magic links, and passkeys for your SaaS users.

Codapult supports three additional sign-in methods beyond email/password and OAuth — all configurable in src/config/app.ts.

Magic Links

Magic links provide passwordless email sign-in. Users enter their email and receive a link that signs them in directly.

Setup

  1. Set magicLink: true in src/config/app.ts
  2. Configure RESEND_API_KEY in .env.local (magic links are sent via Resend)

auth: {
  magicLink: true,
},

The link expires after 10 minutes. If the user doesn't have an account, one is created automatically.

Two-Factor Authentication (2FA)

TOTP-based two-factor authentication using authenticator apps (Google Authenticator, Authy, 1Password, etc.).

Setup

Set twoFactor: true in src/config/app.ts:

auth: {
  twoFactor: true,
},

The TOTP issuer name shown in authenticator apps is read from appConfig.brand.name.

End-User Flow

  1. Navigate to Settings → Two-Factor Authentication
  2. Click Enable 2FA
  3. Scan the QR code with an authenticator app
  4. Enter the 6-digit verification code to confirm
  5. Save the backup codes in a secure location

Once enabled, users are prompted for a TOTP code after entering their password on sign-in.
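
The check behind the 6-digit code prompt can be illustrated with a standalone RFC 6238 verifier. This is an added example, not Codapult's own code: the function names, SHA-1, the 30-second step, the one-step drift window and the replay check via a stored last-used step are all assumptions, and the secret is the published RFC test value.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const STEP_SECONDS = 30; // assumed RFC 6238 default time step

// RFC 6238 Appendix B SHA-1 test secret: a published test value, never a real user secret.
const RFC_TEST_SECRET = Buffer.from("12345678901234567890", "ascii");

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0); // high 32 bits
  msg.writeUInt32BE(counter >>> 0, 4);                     // low 32 bits
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) | mac[offset + 3];
  return ("000000" + (bin % 1000000)).slice(-6); // keep leading zeros
}

// Returns the time step that matched, or null. The caller stores the returned step
// per user and passes it back as lastUsedStep (-1 if none) so a code cannot be replayed.
function verifyTotp(secret: Buffer, code: string, nowSec: number,
                    lastUsedStep: number, drift = 1): number | null {
  if (!/^[0-9]{6}$/.test(code)) return null; // also guarantees equal-length compare
  const current = Math.floor(nowSec / STEP_SECONDS);
  let accepted: number | null = null;
  for (let step = current - drift; step <= current + drift; step++) {
    if (step < 0 || step <= lastUsedStep) continue; // before epoch, or already used
    const expected = Buffer.from(hotp(secret, step), "ascii");
    const match = timingSafeEqual(expected, Buffer.from(code, "ascii"));
    if (match && accepted === null) accepted = step;
  }
  return accepted;
}

// First use of the code for step 1 is accepted; a second use is rejected.
const firstUse = verifyTotp(RFC_TEST_SECRET, "287082", 59, -1);
const replayed = verifyTotp(RFC_TEST_SECRET, "287082", 59, firstUse ?? -1);
console.log({ firstUse, replayed });
```

Rate limiting failed attempts per account is still needed on top of this, since a 6-digit code with a three-step window is guessable by brute force.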

Passkeys (WebAuthn)

Passkeys let users sign in with biometrics (fingerprint, face ID) or hardware security keys.

Setup

  1. Set passkeys: true in src/config/app.ts
  2. Ensure HTTPS in production (WebAuthn requires a secure origin)

auth: {
  passkeys: true,
},

The passkey relying party ID and origin are derived from NEXT_PUBLIC_APP_URL automatically.

End-User Flow

  1. Sign in with email/password
  2. Go to Settings → Passkeys
  3. Click Register Passkey and follow the browser prompt
  4. On next sign-in, choose Sign in with passkey

Auth API Endpoints

Endpoint                         Method  Description
/api/auth/magic-link/send        POST    Send a magic link email
/api/auth/two-factor/enable      POST    Enable TOTP 2FA for current user
/api/auth/two-factor/verify      POST    Verify a TOTP code during sign-in
/api/auth/passkey/register       POST    Register a new passkey
/api/auth/passkey/authenticate   POST    Authenticate with a passkey