Email Auth

One channel. Three ways in.

OTP, magic link, and social login behind a single API — one verified user, one token. Delivered from a warm, authenticated domain that reaches the inbox, not the spam folder.

Talk to our team See the modes
Primary Social Promotions
Delivered to Primary
a
Acme Security
[email protected]
now
Your sign-in link for Acme

Tap below to sign in. This link works once and expires in 10 minutes — no password needed.

Sign in to Acme →
Prefer a code? 842 197
Magic link · single-use expires in 10:00
3
Ways in, one API
99.6%
Inbox delivery rate
<8s
Median to Gmail & Outlook
0
Carrier limits, global
Three ways in

One channel. Three ways in.

Pick the mode, or let the user pick. Every path resolves to the same verified user and the same signed token — your backend sees one shape.

01 · OTP
Six-digit code.
The familiar default — sent from a verified domain on a warm pool, with SPF, DKIM, and DMARC pre-configured. Works cross-device, every client.
median <8s to Gmail & Outlook
02 · Magic link
Tap to sign in.
No code to copy. Links are single-use, time-bound, and cryptographically signed — open from any device and the session flows back to the originating browser.
single-use · signed · 10 min
03 · Social
Google, Apple & more.
Google, Apple, Microsoft, GitHub — one button per provider, one OAuth dance. We normalise the claims so your backend sees the same verified user regardless of source.
claims normalised
Deliverability

The inbox is the hard part.

Sending an email is easy. Landing it in the Primary inbox — not Spam, not Promotions — is the engineering. That's the difference between a login and a support ticket.

Every send leaves a warm, dedicated IP pool on your authenticated domain — SPF, DKIM, and DMARC configured for you. Reputation is monitored continuously, and traffic shifts across providers before placement ever slips.

Email Auth · inbox placement
SPF DKIM DMARC Warm pool
OTPless · authenticated domainPrimary · 99.6%
Cold domain · shared IPSpam · ~41%
warm dedicated pools · reputation monitored · multi-provider failover
Integration

One call. Three modes, one token.

Pass an email and the modes you allow. OTPless delivers, verifies, and returns one signed user — whichever way they came in.

auth.ts web · javascript 
// Pick the mode, or let the user pick.
const result = await otpless.emailAuth({
  email:  "[email protected]",
  modes:  ["otp", "magic_link", "google", "apple"],
  prefer: "magic_link",   // returning user? promote to passkey next
});

if (result.verified) {
  signIn(result.token);     // one shape, every mode
}
// install  npm i @otpless/web
emailAuth · resolved
280ms
auth · verified user
methodMAGIC_LINK
statusVERIFIED
deliveredIn280ms
inboxPrimary
delivery
domainacme.com
spf · dkimpass
dmarcpass
poolwarm
link · single-use · signed region: in
Customer Outcomes

The numbers our customers ship with.

* Metrics measured against pre-OTPless baselines.

25M+
Logins / month
"OTPless completely transformed how users log in at Meesho — fast, effortless, and frustration-free. Over 25 million seamless logins every month and a 10% boost in conversion."
AV
Arjit Verma
Associate Director · Meesho
98%+
Login success
"Astrotalk partnered with OTPless to simplify login, reduce operational complexity, and support international scale. Zero-touch flows and intelligent routing delivered measurable impact on conversion, cost, and experience."
Siddharth Singh · CTO · Astrotalk
94.1%
Login success
Ankit Bhatia
Product Head · Seekho
6M+
Logins / month
Vishesh Upparamani
PM · Classplus
Frequently asked

Common questions.

What is OTPless Email Auth?
Email Auth unifies three ways to sign in with an email address — six-digit OTP, magic link, and social login (Google, Apple, Microsoft, GitHub) — behind a single API. Every path returns the same verified user and one signed token, so your backend handles one shape.
How do magic links stay secure?
Each link is single-use, time-bound (default 10 minutes), and cryptographically signed. Open it from any device and the verified session flows back to the originating browser — so a forwarded or intercepted link can't hijack a session.
How do you make email land in the inbox?
Every send leaves a warm, dedicated IP pool on your authenticated domain, with SPF, DKIM, and DMARC configured for you. Reputation is monitored continuously and traffic shifts across providers before placement slips — keeping mail in Primary, not Spam.
Can it send from our own domain and branding?
Yes. Mail is sent from your verified domain with your sender name and branded templates, so the OTP or magic link looks like it came from you — with the deliverability of a warm, authenticated pool behind it.
Which social providers are supported?
Google, Apple, Microsoft, and GitHub out of the box. OTPless normalises each provider's claims, so a social sign-in returns the same verified-user shape as OTP or magic link.
How fast and reliable is delivery?
99.6% delivery, with median delivery under 8 seconds to Gmail and Outlook. Magic links typically resolve in well under a second once tapped.
Start with Email Auth

Three ways in. One token.

Stop bolting three providers together. Email Auth gives you OTP, magic link, and social behind a single integration — on a domain that actually reaches the inbox.

Talk to our team Read the docs
SOC 2 · ISO 27001 · 500M+ logins / quarter