Email + OTP + Guest Authentication

Guest (anonymous) authentication is already handled in the codebase, when you ran starter-setup script or ran pnpm dev:server it automatically enables guest authentication.

To allow guest logins, you must enable anonymous sign-ins in your Supabase project:

1. Go to Authentication > Sign In / Providers.
2. Enable Allow anonymous sign-ins.

Email verification is toggled via the SEND_OTP_ON_SIGNUP environment variable in convex (by default it is set to true)

• Set to false to allow users to sign in immediately without OTP verification.

cd packages/backend
npx convex env set SEND_OTP_ON_SIGNUP false

In your Supabase Dashboard, go to Authentication > Sign In / Providers and find the Confirm email toggle:

• ON: Users must verify their email via a sent link before they can access protected routes.
• OFF: Users are immediately authenticated upon signup.

Configure Resend

The backend uses Resend for email delivery. Files: packages/backend/convex/authCustomEmailOtpProvider.ts, authOtp.ts, authPasswordResetActions.ts, and shared/email.ts.

Set your Resend API key:

npx convex env set AUTH_RESEND_KEY your_resend_api_key
npx convex env set AUTH_EMAIL "VibeFast <noreply@yourdomain.com>"
npx convex env set SEND_OTP_ON_SIGNUP true

Signup + verification codes

1. Signup screen calls api.authOtp.signUpWithOtp which stores the OTP and emails via Resend
2. Users verify with api.authOtp.verifyOtpAndCreateUser
3. Re-call signUpWithOtp to regenerate and re-send

Password reset

1. api.authPasswordResetActions.requestPasswordReset creates a 1-hour token and emails a reset link
2. User opens link and submits new password via api.authPasswordResetActions.resetPassword

Configure Supabase Auth

Supabase handles email verification and password resets automatically via the Supabase Dashboard.

Enable email auth

1. Go to Authentication > Providers > Email in your Supabase Dashboard
2. Customize email templates under Authentication > Email Templates