# Magic Code Auth How to add magic code auth to your Instant app. Instant supports a "magic-code" flow for auth. Users provide their email, we send them a login code on your behalf, and they authenticate with your app. Choose the platform you're building for to see a full example. - **Web**: For Next.js or other React frameworks - **Mobile**: For Expo and React Native - **Vanilla JS**: For non-react based frameworks ## Full Magic Code Example Here's a full example of magic code auth in a React app. Open up your `app/page.tsx` file, and replace the entirety of it with the following code: ```tsx 'use client'; import React, { useState } from 'react'; import { init } from '@instantdb/react'; const APP_ID = '__APP_ID__'; const db = init({ appId: APP_ID }); function App() { return ( <>
); } function Main() { const user = db.useUser(); return (

Hello {user.email}!

); } function Login() { const [sentEmail, setSentEmail] = useState(''); return (
{!sentEmail ? ( ) : ( )}
); } function EmailStep({ onSendEmail }: { onSendEmail: (email: string) => void }) { const inputRef = React.useRef(null); const handleSubmit = (e: React.FormEvent) => { e.preventDefault(); const inputEl = inputRef.current!; const email = inputEl.value; onSendEmail(email); db.auth.sendMagicCode({ email }).catch((err) => { alert('Uh oh :' + err.body?.message); onSendEmail(''); }); }; return (

Let's log you in

Enter your email, and we'll send you a verification code. We'll create an account for you too if you don't already have one.

); } function CodeStep({ sentEmail }: { sentEmail: string }) { const inputRef = React.useRef(null); const handleSubmit = (e: React.FormEvent) => { e.preventDefault(); const inputEl = inputRef.current!; const code = inputEl.value; db.auth.signInWithMagicCode({ email: sentEmail, code }).catch((err) => { inputEl.value = ''; alert('Uh oh :' + err.body?.message); }); }; return (

Enter your code

We sent an email to {sentEmail}. Check your email, and paste the code you see.

); } export default App; ``` Here's a full example of magic code auth in a React Native app. Open up your `app/index.tsx` file, and replace the entirety of it with the following code: ```tsx import React, { useState } from 'react'; import { View, Text, TextInput, Button, Alert, StyleSheet } from 'react-native'; import { init } from '@instantdb/react-native'; const APP_ID = '__APP_ID__'; const db = init({ appId: APP_ID }); function App() { const { isLoading, user, error } = db.useAuth(); if (isLoading) { return Loading...; } if (error) { return Uh oh! {error.message}; } if (user) { return
; } return ; } function Main() { const user = db.useUser(); return ( Hello {user.email}! `; document.getElementById('sign-out')!.addEventListener('click', () => { db.auth.signOut(); }); } function renderLogin() { if (!sentEmail) { renderEmailStep(); } else { renderCodeStep(); } } function renderEmailStep() { app.innerHTML = `

Let's log you in

Enter your email, and we'll send you a verification code. We'll create an account for you too if you don't already have one.

`; document.getElementById('email-form')!.addEventListener('submit', (e) => { e.preventDefault(); const email = (document.getElementById('email-input') as HTMLInputElement) .value; sentEmail = email; renderLogin(); db.auth.sendMagicCode({ email }).catch((err) => { alert('Uh oh: ' + err.body?.message); sentEmail = ''; renderLogin(); }); }); } function renderCodeStep() { app.innerHTML = `

Enter your code

We sent an email to ${sentEmail}. Check your email, and paste the code you see.

`; document.getElementById('code-form')!.addEventListener('submit', (e) => { e.preventDefault(); const codeInput = document.getElementById('code-input') as HTMLInputElement; const code = codeInput.value; db.auth.signInWithMagicCode({ email: sentEmail, code }).catch((err) => { alert('Uh oh: ' + err.body?.message); codeInput.value = ''; }); }); } db.subscribeAuth((auth) => { renderApp(auth.user); }); ``` Make sure you have a `
` element in your HTML. --- **Let's dig deeper.** We created a login flow to handle magic code auth. Of note is `auth.sendMagicCode` and `auth.signInWithMagicCode`. On successful validation, Instant's backend will return a user object with a refresh token. The client SDK will then restart the websocket connection with Instant's sync layer and provide the refresh token. When doing queries or transactions, the refresh token will be used to hydrate `auth` on the backend during permission checks. On the client, auth will now be populated with a `user` -- huzzah! ## Send a Magic Code ```javascript db.auth.sendMagicCode({ email }).catch((err) => { alert('Uh oh :' + err.body?.message); onSendEmail(''); }); ``` Use `auth.sendMagicCode` to generate a magic code on instant's backend and email it to the user. ## Sign in with Magic Code ```javascript db.auth.signInWithMagicCode({ email: sentEmail, code }).catch((err) => { inputEl.value = ''; alert('Uh oh :' + err.body?.message); }); ``` You can then use `auth.signInWithMagicCode` to authenticate the user with the magic code they provided. ## Setting properties at signup Pass `extraFields` to `signInWithMagicCode` to set custom `$users` properties when a user is first created. Fields are only written on first signup; returning users are unaffected. ```javascript const { user, created } = await db.auth.signInWithMagicCode({ email: sentEmail, code, extraFields: { nickname: 'nezaj' }, }); if (created) { // Scaffold default data for new users db.transact([ db.tx.settings[id()].update({ theme: 'light' }).link({ user: user.id }), ]); } ``` The fields must be defined as optional attributes on `$users` in your schema. A `create` rule on `$users` is also required. See [Setting properties at signup](/docs/users#setting-properties-at-signup) for the full guide. ## Test users If you need to create a user with a pre-defined code for app store review or testing, you can assign a magic code to an email from the Auth page of the Dashboard. When a test user signs in, they can use the static code instead of receiving the code an email. The static code will never expire and will always be valid until it is deleted from the dashboard.