Email & Password Authentication
Email and password authentication is enabled with required email verification and password reset support.
Email and password authentication is enabled in the starter. New password accounts must verify their email address before they can sign in.
Configuration
It is configured in packages/backend/convex/auth.ts:
emailAndPassword: {
enabled: true,
requireEmailVerification: true,
sendResetPassword: async ({ user, url }) => {
// Sends Better Auth's reset URL through the email facade.
},
},
emailVerification: {
sendVerificationEmail: async ({ user, url }) => {
// Sends Better Auth's verification URL through the email facade.
},
sendOnSignIn: true,
},Email Verification
On signup, Better Auth creates the account without a session and sends a verification email. The product app shows a "check your email" state and lets the user resend the verification email. If an unverified password user tries to sign in, Better Auth denies the login and sends another verification email.
Verification links use Better Auth's built-in /verify-email route and token
handling. The app does not parse or store verification tokens itself.
Password Reset
The login form includes a forgot-password flow. Users request a reset email,
Better Auth sends a provider-generated reset URL, and that URL redirects back
to the localized /reset-password page with a validated token.
The app submits the new password through Better Auth's /reset-password
endpoint. It does not create custom reset tokens.
Required Email Setup
Password signup verification, password reset, magic-link sign-in, and invitations require Resend auth email configuration:
RESEND_API_KEY=
RESEND_AUTH_FROM_EMAIL=Use a verified sender/domain in production.
Existing Accounts
Existing unverified password accounts remain unable to sign in until their email is verified. They can request a fresh verification email from the login flow.
Authentication Methods
The application supports multiple authentication methods out-of-the-box, giving your users flexibility in how they access your product. You can enable or disable these.
Magic Links
Magic links provide a passwordless authentication experience. Users enter their email address, and the application sends them a secure, single-use link. Clicking the link authenticates the user.