Two-Factor & Passwordless

Codapult supports three additional sign-in methods beyond email/password and OAuth — all configurable in src/config/app.ts.

Magic Links

Magic links provide passwordless email sign-in. Users enter their email and receive a link that signs them in directly.

Setup

1. Set magicLink: true in src/config/app.ts
2. Configure RESEND_API_KEY in .env.local (magic links are sent via Resend)

auth: {
  magicLink: true,
},

The link expires after 10 minutes. If the user doesn't have an account, one is created automatically.

Two-Factor Authentication (2FA)

TOTP-based two-factor authentication using authenticator apps (Google Authenticator, Authy, 1Password, etc.).

Setup

Set twoFactor: true in src/config/app.ts:

auth: {
  twoFactor: true,
},

The TOTP issuer name shown in authenticator apps is read from appConfig.brand.name.

End-User Flow

1. Navigate to Settings → Two-Factor Authentication
2. Click Enable 2FA
3. Scan the QR code with an authenticator app
4. Enter the 6-digit verification code to confirm
5. Save the backup codes in a secure location

Once enabled, users are prompted for a TOTP code after entering their password on sign-in.

Passkeys (WebAuthn)

Passkeys let users sign in with biometrics (fingerprint, face ID) or hardware security keys.

Setup

1. Set passkeys: true in src/config/app.ts
2. Ensure HTTPS in production (WebAuthn requires a secure origin)

auth: {
  passkeys: true,
},

The passkey relying party ID and origin are derived from NEXT_PUBLIC_APP_URL automatically.

End-User Flow

1. Sign in with email/password
2. Go to Settings → Passkeys
3. Click Register Passkey and follow the browser prompt
4. On next sign-in, choose Sign in with passkey

Auth API Endpoints