Codapult supports three additional sign-in methods beyond email/password and OAuth — all configurable in src/lib/config.ts.
Magic Links
Magic links provide passwordless email sign-in. Users enter their email and receive a link that signs them in directly.
Setup
Configure AUTH_MAGIC_LINK and RESEND_API_KEY in .env.local (magic links are sent via Resend).
AUTH_MAGIC_LINK="true"
RESEND_API_KEY="..."
The link expires after 10 minutes. If the user doesn't have an account, one is created automatically.
Two-Factor Authentication (2FA)
TOTP-based two-factor authentication using authenticator apps (Google Authenticator, Authy, 1Password, etc.).
Setup
Configure ENABLE_TWO_FACTOR in .env.local.
ENABLE_TWO_FACTOR="true"
The TOTP issuer name shown in authenticator apps is read from appConfig.brand.name.
End-User Flow
- Navigate to Settings → Two-Factor Authentication
- Click Enable 2FA
- Scan the QR code with an authenticator app
- Enter the 6-digit verification code to confirm
- Save the backup codes in a secure location
Once enabled, users are prompted for a TOTP code after entering their password on sign-in.
Passkeys (WebAuthn)
Passkeys let users sign in with biometrics (fingerprint, face ID) or hardware security keys.
Setup
- Configure
AUTH_PASSKEYSin.env.local - Ensure HTTPS in production (WebAuthn requires a secure origin)
AUTH_PASSKEYS="true"
The passkey relying party ID and origin are derived from NEXT_PUBLIC_APP_URL automatically.
End-User Flow
- Sign in with email/password
- Go to Settings → Passkeys
- Click Register Passkey and follow the browser prompt
- On next sign-in, choose Sign in with passkey
Auth API Endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/auth/magic-link/send | POST | Send a magic link email |
/api/auth/two-factor/enable | POST | Enable TOTP 2FA for current user |
/api/auth/two-factor/verify | POST | Verify a TOTP code during sign-in |
/api/auth/passkey/register | POST | Register a new passkey |
/api/auth/passkey/authenticate | POST | Authenticate with a passkey |