Account Recovery

Account recovery and new credential generation are performed via OTP (One-Time Password), which validates both the user's identity and the authenticity of their email address.

1. Start Recovery

A new OTP is sent to the user each time one is requested with the otp.create function. Note that the user must already have been registered with the signin method.

import { NoAuth } from "@noauth/browser";

const noauth = new NoAuth({ apiKey: "your-api-key" });

await noauth.otp.create("[email protected]");

There are two ways to validate a user's OTP:

2.a. Sign In with OTP

Once the user receives the OTP, they start the authentication process by passing the OTP as the second parameter of the signin function. This method will prompt for credentials.

await noauth.signin("[email protected]", "123456");

2.b. Validate via Access Token

Once the user receives the OTP, you can validate it using an existing access token.

// Previously signed in
const { accessToken } = await noauth.signin("[email protected]");

// Verify the OTP code
const verified = await noauth.otp.verify(accessToken, "123456");

In both cases, a new credential is created for the user, bound to the device they are using, and a new access token is returned.
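The two-step flow above, as an added example that is not part of the noauth.sh documentation or SDK: it drives any client object exposing the calls shown (otp.create, signin, otp.verify), picks path 2.a or 2.b depending on whether an access token is already held, and rejects a malformed OTP before any network call. It assumes the OTP is the six-digit code shown in the examples and that otp.verify resolves to an object carrying the new accessToken; the in-memory client is constructed for offline use only.

```javascript
const OTP_PATTERN = /^\d{6}$/; // assumption: six-digit code, as in the examples above

// Step 1: ask noauth.sh to send a fresh OTP to an already registered user.
async function startRecovery(client, email) {
  await client.otp.create(email);
}

// Step 2: validate the OTP. With an existing access token (2.b) use
// otp.verify; otherwise (2.a) pass the OTP as signin's second argument.
// Either path yields a new credential for this device and a new access token.
async function finishRecovery(client, email, otp, existingAccessToken) {
  if (!OTP_PATTERN.test(otp)) {
    // Malformed input never reaches the service, so it cannot count
    // against the user's verification attempts.
    throw new Error("OTP must be a six-digit code");
  }
  if (existingAccessToken) {
    // Assumption: otp.verify resolves to { accessToken } like signin does.
    const { accessToken } = await client.otp.verify(existingAccessToken, otp);
    return { path: "2.b", accessToken };
  }
  const { accessToken } = await client.signin(email, otp);
  return { path: "2.a", accessToken };
}

// Constructed stand-in for the SDK client so the flow runs offline. It only
// records the calls made and hands back a token, which is all the flow needs.
function makeFakeClient() {
  const calls = [];
  return {
    calls,
    otp: {
      create: async (email) => { calls.push(["otp.create", email]); },
      verify: async (token, otp) => {
        calls.push(["otp.verify", token, otp]);
        return { accessToken: "new-token-b" };
      },
    },
    signin: async (email, otp) => {
      calls.push(["signin", email, otp]);
      return { accessToken: "new-token-a" };
    },
  };
}
```

In production, replace makeFakeClient() with the real `new NoAuth({ apiKey })` instance from @noauth/browser.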

OTP Delivery

The OTP can be delivered to the user in one of two ways. Which one is used is configured in your application settings.

  • Email managed by noauth.sh (recommended for most cases)
    The OTP is automatically sent to the user using noauth.sh's email servers. This option includes rate limiting to prevent abuse and is the simplest to implement.

    sequenceDiagram
        autoNumber
        participant U as User
        participant N as noauth.sh
        participant S as Your server
    
        U->>N: Request account recovery
        activate N
        N->>U: Emails OTP
        deactivate N
        activate U
        U->>N: Authentication process with OTP
        deactivate U
    

  • Custom webhook (for advanced cases)
    You can delegate the notification to a webhook, which gives you complete freedom to use any notification method (SMS, custom email, push notifications, etc.) and full control over the delivery flow. Note: to use this option, you must configure a webhook in the noauth.sh console.

    sequenceDiagram
        autoNumber
        participant U as User
        participant N as noauth.sh
        participant S as Your server
    
        U->>N: Request account recovery
        activate N
        N->>S: Send OTP<br>Webhook
        deactivate N
        activate S
        S->>U: OTP delivered (SMS, email, etc.)
        deactivate S
        activate U
        U->>N: Authentication process with OTP
        deactivate U