Source: ocean/docs/adr/009-otp-expiration-fix.md

ADR-009: Fix OTP Immediate Expiration Issue

Status

Accepted

Date

2025-01-14

Context

Users were experiencing OTP codes expiring immediately after being sent, preventing successful authentication. Investigation revealed multiple configuration issues in Supabase:

  1. OTP signups were disabled - The primary issue: the auth system returned the error "Signups not allowed for otp", so no OTP flow could complete regardless of expiry
  2. OTP expiry configuration - The email_otp_exp setting needed to be explicitly set to 600 seconds (10 minutes)
  3. Email validation - Supabase correctly rejects test emails with fake domains (e.g., test@example.com), which surfaced as a separate failure during testing

Decision

We fixed the OTP configuration by:

  1. Enabling OTP signups in Supabase auth configuration
  2. Setting OTP expiry to 600 seconds (10 minutes)
  3. Ensuring email auth is enabled
  4. Setting OTP length to 6 digits

The fix was applied via Supabase Management API and the following SQL:

-- Allow new users to be created through the OTP flow (the root cause).
UPDATE auth.config SET value = 'true' WHERE key = 'enable_signup';
-- OTP lifetime in seconds: 600 = 10 minutes.
UPDATE auth.config SET value = '600' WHERE key = 'email_otp_exp';
-- Email must be an enabled auth provider for email OTPs to be sent.
UPDATE auth.config SET value = 'true' WHERE key = 'email_enabled';
-- This key had no row yet, so an UPDATE would match nothing; upsert it instead.
INSERT INTO auth.config (key, value) VALUES ('email_otp_length', '6') ON CONFLICT (key) DO UPDATE SET value = '6';

Consequences

Positive

  • OTP codes now work correctly with a 10-minute expiration window
  • Users can successfully sign up and log in using passwordless authentication
  • The system properly validates real email addresses while rejecting obvious test emails

Negative

  • None identified

Neutral

  • Test emails must use real domains (e.g., ryan+TEST_NUMBER@goldfish.io for testing)
  • Future configuration changes should be made through Supabase Dashboard to ensure persistence

Lessons Learned

  1. Always check the auth.config table - Supabase auth issues often stem from misconfigured settings in the auth.config table
  2. Use real emails for testing - Supabase's email validation rejects fake domains to maintain deliverability
  3. Monitor multiple error types - The "Signups not allowed for otp" error was more critical than the expiration issue, and masked it until it was fixed
  4. Management API is powerful - When direct SQL access is limited, the Supabase Management API can apply configuration changes

References