Email / SMS OTP
Learn how to send one-time codes (OTP) to authenticate users.
Overview
Clerk supports passwordless authentication, which lets users sign in and sign up without having to remember a password. During sign-in, users will be asked to enter their identifier (email address or phone number) to receive a one-time code and complete the authentication process.
Arguably, passwordless authentication provides greater security and a better user experience than traditional passwords. However, it is not without its downsides, and often still boils down to the email providers "knowledge based factor" instead of yours.
There are multiple ways to set up passwordless authentication in Clerk such as Clerk Components, or by creating a custom flow using Clerk's SDKs.
The rest of this guide will explain how to set up passwordless authentication using any of the above methods. Before you start, you will need to configure your instance to allow passwordless sign-ins.
Looking for magic links? Check out our Magic links authentication guide.
Looking for 2FA? Check out our Multi-factor authentication guide.
Before you start
- You need to create a Clerk Application in your Clerk Dashboard. For more information, check out our Set up your application guide.
- You need to install Clerk React or ClerkJS to your application.
Configuration
Passwordless authentication can be configured through the Clerk Dashboard. Go to your instance, then User & Authentication > Email, Phone, Username > Authentication factors. Simply choose one of the available passwordless authentication strategies that send one-time codes; Email verification code or SMS verification code.
Don't forget that you also need to make sure you've configured your application instance to request the user's contact information. Users can receive one-time codes via either an email address or a phone number.
Make sure you toggle one of Email address, Phone number on in the Contact information section. Once you've enabled one of the two contact information options, ensure it can be used for identification. Click the cog on the top-right, and verify that the Used for identification toggle is on.
Don't forget to click on the Apply Changes button at the bottom of the page once you're done configuring your instance.
That's all you need to do to enable passwordless authentication with One-time codes for your instance.
Custom flow
In case one of the above integration methods doesn't cover your needs, you can make use of lower-level commands and create a completely custom passwordless authentication flow.
You still need to configure your instance in order to enable passwordless authentication, as described at the top of this guide.
Sign up using a custom flow
The passwordless sign-up flow is a process that requires users to provide their authentication identifier (email address or phone number) and a one-time code that is sent to them. The important thing to note here is that a user's email address or phone number needs to be verified before the registration is completed.
A successful sign-up consists of the following steps:
- Initiate the sign-up process, by collecting the user's identifier (email address or phone number).
- Prepare the identifier verification.
- Attempt to complete the identifier verification.
Let's see the above in action. If you want to learn more about sign-ups, check out our documentation on Clerk's sign-up flow.
1import { useSignUp } from "@clerk/clerk-react";23function SignUpPage() {4const { signUp,setActive } = useSignUp();56async function onClick(e) {7e.preventDefault();8// Kick off the sign-up process, passing the user's9// phone number.10await signUp.create({11phoneNumber: "+11111111111",12});1314// Prepare phone number verification. An SMS message15// will be sent to the user with a one-time16// verification code.17await signUp.preparePhoneNumberVerification();1819// Attempt to verify the user's phone number by20// providing the one-time code they received.21await signUp.attemptPhoneNumberVerification({22code: "123456",23});2425await setActive({sessionId: signUp.createdSessionId});26}2728return (29<button onClick={onClick}>30Sign up without password31</button>32);33}
1const { client } = window.Clerk;23// Kick off the sign-up process, passing the user's4// phone number.5const signUp = await client.signUp.create({6phoneNumber: "+11111111111",7});89// Prepare phone number verification. An SMS will10// be sent to the user with a one-time verification11// code.12await signUp.preparePhoneNumberVerification();1314// Attempt to verify the user's phone number by providing15// the one-time code they received.16await signUp.attemptPhoneNumberVerification({17code: "123456",18});
You can also verify your users via their email address. There's two additional helper methods, prepareEmailAddressVerification and attemptEmailAddressVerification that work the same way as their phone number counterparts do. You can find more available methods in our ClerkJS API documentation for the SignUp object.
Sign in using a custom flow
The passwordless sign-in flow is a process that requires users to provide their authentication identifier (email address or phone number) and subsequently a one-time code that is sent to them. We call this one-time code the first factor of authentication.
So, in essence, when you want to authenticate users in your application, you need to
- Initiate the sign-in process, by collecting the user's authentication identifier.
- Prepare the first factor verification.
- Attempt to complete the first factor verification.
Let's see the above in action. If you want to learn more about sign-ins, check out our documentation on Clerk's sign-in flow.
1import { useSignIn } from "@clerk/clerk-react";23function SignInPage() {4const { signIn,setActive } = useSignIn();56async function onClick(e) {7e.preventDefault();8// Kick off the sign-in process, passing the user's9// authentication identifier. In this case it's their10// phone number.11const { supportedFirstFactors } = await signIn.create({12identifier: "+11111111111",13});1415// Find the phoneNumberId from all the available first factors for the current sign in16const firstPhoneFactor = supportedFirstFactors.find(factor => {17return factor.strategy === 'phone_code'18});1920const { phoneNumberId } = firstPhoneFactor;2122// Prepare first factor verification, specifying23// the phone code strategy.24await signIn.prepareFirstFactor({25strategy: "phone_code",26phoneNumberId,27});2829// Attempt to verify the user providing the30// one-time code they received.31await signIn.attemptFirstFactor({32strategy: "phone_code",33code: "123456",34});3536await setActive({sessionId: signIn.createdSessionId});37}3839return (40<button onClick={onClick}>41Sign in without password42</button>43);44}
1const { client } = window.Clerk;2// Kick off the sign-in process, passing the user's3// authentication identifier. In this case it's their4// phone number.5const { supportedFirstFactors } = await client.signIn.create({6identifier: "+11111111111",7});89// Find the phoneNumberId from all the available first factors for the current sign in10const firstPhoneFactor = supportedFirstFactors.find(factor => {11return factor.strategy === 'phone_code'12});1314const { phoneNumberId } = firstPhoneFactor;1516// Prepare first factor verification, specifying17// the phone code strategy.18await signIn.prepareFirstFactor({19strategy: "phone_code",20phoneNumberId,21});2223// Attempt to verify the user providing the24// one-time code they received.25await signIn.attemptFirstFactor({26strategy: "phone_code",27code: "123456",28});
You can also achieve passwordless sign-ins with an email address. Simply pass the value email_code as the first factor strategy. Just make sure you've collected the user's email address first. You can find all available methods on the SignIn object documentation.