Email Templates
Learn how to manage the email templates in Supabase.
You can customize the email messages used for the authentication flows. You can edit the following email templates:
- Confirm signup
- Invite user
- Magic Link
- Change Email Address
- Reset Password
Terminology
The templating system provides the following variables for use:
Name | Description |
---|---|
{{ .ConfirmationURL }} | Contains the confirmation URL. For example, a signup confirmation URL would look like: https://project-ref.supabase.co/auth/v1/verify?token={{ .TokenHash }}&type=signup&redirect_to=https://example.com/path . |
{{ .Token }} | Contains a 6-digit One-Time-Password (OTP) that can be used instead of the {{. ConfirmationURL }} . |
{{ .TokenHash }} | Contains a hashed version of the {{ .Token }} . This is useful for constructing your own email link in the email template. |
{{ .SiteURL }} | Contains your application's Site URL. This can be configured in your project's authentication settings. |
{{ .RedirectTo }} | Contains the redirect URL passed when signUp , signInWithOtp , signInWithOAuth , resetPasswordForEmail or inviteUserByEmail is called. The redirect URL allow list can be configured in your project's authentication settings. |
{{ .Data }} | Contains metadata from auth.users.user_metadata . Use this to personalize the email message. |
Editing email templates
On hosted Supabase projects, edit your email templates on the Email Templates page. On self-hosted projects or in local development, edit your configuration files.
Mobile deep linking
For mobile applications, you might need to link or redirect to a specific page within your app. See the Mobile Deep Linking guide to set this up.
Limitations
Email prefetching
Certain email providers may have spam detection or other security features that prefetch URL links from incoming emails (e.g. Safe Links in Microsoft Defender for Office 365).
In this scenario, the {{ .ConfirmationURL }}
sent will be consumed instantly which leads to a "Token has expired or is invalid" error.
To guard against this:
-
Use an email OTP instead by including
{{ .Token }}
in the email template. -
Create your own custom email link to redirect the user to a page where they can click on a button to confirm the action. For example, you can include the following in your email template:
_10<a href="{{ .SiteURL }}/confirm-signup?confirmation_url={{ .ConfirmationURL }}"_10>Confirm your signup_10</a>The user should be brought to a page on your site where they can confirm the action by clicking a button. The button should contain the actual confirmation link which can be obtained from parsing the
confirmation_url={{ .ConfirmationURL }}
query parameter in the URL.
Email tracking
If you are using an external email provider that enables "email tracking", the links inside the Supabase email templates will be overwritten and won't perform as expected. We recommend disabling email tracking to ensure email links are not overwritten.
Redirecting the user to a server-side endpoint
If you intend to use Server-side rendering, you might want the email link to redirect the user to a server-side endpoint to check if they are authenticated before returning the page. However, the default email link will redirect the user after verification to the redirect URL with the session in the query fragments. Since the session is returned in the query fragments by default, you won't be able to access it on the server-side.
You can customize the email link in the email template to redirect the user to a server-side endpoint successfully. For example:
_10<a_10 href="https://api.example.com/v1/authenticate?token_hash={{ .TokenHash }}&type=invite&redirect_to={{ .RedirectTo }}"_10 >Accept the invite_10</a>
When the user clicks on the link, the request will hit https://api.example.com/v1/authenticate
and you can grab the token_hash
, type
and redirect_to
query parameters from the URL. Then, you can call the verifyOtp
method to get back an authenticated session before redirecting the user back to the client. Since the verifyOtp
method makes a POST
request to Supabase Auth to verify the user, the session will be returned in the response body, which can be read by the server. For example:
_10const { token_hash, type } = Object.fromEntries(new URLSearchParams(window.location.search))_10const {_10 data: { session },_10 error,_10} = await supabase.auth.verifyOtp({ token_hash, type })_10_10// subsequently redirect the user back to the client using the redirect_to param_10// ...
Customization
Supabase Auth makes use of Go Templates. This means it is possible to conditionally render information based on template properties.
Send different email to early access users
Send a different email to users who signed up via an early access domain (https://www.earlyaccess.trial.com
).
_14{{ if eq .Data.Domain "https://www.example.com" }}_14<h1>Welcome to Our Database Service!</h1>_14 <p>Dear Developer,</p>_14 <p>Welcome to Billy, the scalable developer platform!</p>_14 <p>Best Regards,<br>_14Billy Team</p>_14{{ else if eq .Data.Domain "https://www.earlyaccess.trial.com" }}_14<h1>Welcome to Our Database Service!</h1>_14 <p>Dear Developer,</p>_14 <p>Welcome Billy, the scalable developer platform!</p>_14 <p> As an early access member, you have access to select features like Point To Space Restoration.</p>_14 <p>Best Regards,<br>_14Billy Team</p>_14{{ end }}