Send OTP & SMS from Supabase Edge Functions
Add SMS authentication to your Supabase project with our open-source Edge Function. Send OTP verification codes, enable phone-based login, and replace expensive providers like Twilio with cost-effective Australian SMS delivery.
The DataFlows Supabase SMS Hook is an open-source Edge Function that enables SMS-based authentication for your Supabase project. It intercepts phone authentication requests from Supabase Auth and delivers OTP codes via the DataFlows SMS API.
Unlike traditional SMS providers that require complex setup and expensive pricing tiers, this integration deploys in minutes and costs a fraction of alternatives like Twilio. The entire codebase is available on GitHub under the MIT license, giving you full transparency and customization control.
Everything you need to implement SMS authentication in your Supabase application
Enable secure phone number verification for your Supabase Auth users. Send one-time passwords (OTP) via SMS for user registration, login, and two-factor authentication with industry-standard security.
Deploy directly to Supabase Edge Functions with zero configuration complexity. Our TypeScript-based hook integrates seamlessly with Supabase's serverless infrastructure for low-latency SMS delivery worldwide.
Built-in webhook signature validation ensures only legitimate requests from your Supabase project trigger SMS sends. Protect against unauthorized API usage with cryptographic verification.
Replace expensive SMS providers like Twilio with DataFlows' competitive pricing. Send Australian SMS from just 3.5¢ per message with no monthly fees, contracts, or hidden charges.
Optimized for Australian businesses with local number support, plus international SMS delivery to 200+ countries. Perfect for APAC-focused applications requiring reliable SMS infrastructure.
Personalize your OTP messages with custom templates. Configure sender IDs, message content, and branding to match your application's identity and user experience requirements.
Common scenarios where SMS authentication enhances your Supabase application
Allow users to sign in with their phone number instead of email. Perfect for mobile-first applications where phone verification provides better user experience and higher conversion rates.
Verify user phone numbers during registration to reduce fake accounts and improve security. Essential for marketplaces, financial apps, and platforms requiring identity verification.
Add an extra layer of security with SMS-based 2FA. Protect user accounts from unauthorized access by requiring both password and OTP verification for sensitive operations.
Extend beyond authentication to send order confirmations, appointment reminders, delivery updates, and other critical notifications directly from your Supabase backend.
Deploy the Supabase SMS Hook to your project in 6 simple steps
Sign up for a DataFlows account and retrieve your API Token and Sender ID from the Developer Settings page.
Copy the Edge Function code from our GitHub repository to your Supabase project's functions directory.
supabase functions new send-sms-hook
# Copy the function code from GitHubSet up the required environment variables for secure API communication with DataFlows.
supabase secrets set DATAFLOWS_API_KEY=your_api_key
supabase secrets set DATAFLOWS_SENDER_ID=your_sender_id
supabase secrets set SEND_SMS_HOOK_SECRET=your_webhook_secretDeploy your Edge Function to Supabase's global edge network for low-latency execution.
supabase functions deploy send-sms-hookIn your Supabase Dashboard, navigate to Authentication → Hooks → Send SMS and register your function URL.
Go to Authentication → Providers → Phone and select 'Hook' as the SMS delivery method. Generate and save the webhook secret.
Integrate SMS authentication into your Supabase client application
Send a one-time password to the user's phone number
// Request OTP for phone authentication
const { data, error } = await supabase.auth.signInWithOtp({
phone: '+61412345678'
})
if (error) {
console.error('Error sending OTP:', error.message)
} else {
console.log('OTP sent successfully!')
}Validate the code entered by the user
// Verify the OTP code
const { data, error } = await supabase.auth.verifyOtp({
phone: '+61412345678',
token: '123456',
type: 'sms'
})
if (error) {
console.error('Verification failed:', error.message)
} else {
console.log('User verified:', data.user)
}Personalize your OTP messages with custom branding
// Environment variable for custom OTP template
OTP_MESSAGE_TEMPLATE="Your {{app_name}} code is: {{otp}}"
// Default template if not specified
"Your verification code is: {otp}"Why developers choose DataFlows as their Supabase SMS provider
| Feature | DataFlows | Twilio | Savings |
|---|---|---|---|
| Australian SMS | 3.5¢ | 7.5¢+ | 53% |
| Monthly Fee | None | $0-15+ | 100% |
| Inbound SMS | Free | 0.75¢+ | 100% |
| Setup Time | Minutes | Hours | - |
| Contract Required | No | Sometimes | - |
The Edge Function is free. You only pay for SMS sent.
When a user requests phone authentication in your Supabase app, Supabase Auth triggers the Edge Function webhook. The function receives the phone number and OTP, validates the webhook signature for security, then sends the SMS via DataFlows API. The entire process happens in milliseconds.
Yes! This integration serves as a cost-effective alternative to Twilio for Supabase SMS authentication. You get the same functionality—OTP delivery, phone verification, and SMS authentication—at a fraction of the cost, especially for Australian traffic.
Absolutely. While the primary use case is Supabase Auth OTP delivery, you can call the DataFlows API directly from any Edge Function or server-side code to send transactional SMS, notifications, alerts, and marketing messages.
The integration supports E.164 international format (e.g., +61412345678 for Australian numbers). All major country codes are supported, with optimized routing for Australian, New Zealand, and APAC destinations.
Set the OTP_MESSAGE_TEMPLATE environment variable with your custom message. Use {otp} as a placeholder for the verification code. For example: 'Your AppName verification code is: {otp}. Valid for 10 minutes.'
Yes. The Edge Function validates every incoming request using HMAC-SHA256 signature verification. Only requests signed with your Supabase webhook secret are processed, preventing unauthorized SMS sends.
The Edge Function returns appropriate error responses to Supabase Auth, which handles retry logic. DataFlows provides delivery status callbacks and dashboard visibility so you can monitor success rates and troubleshoot issues.
Yes! Use the Supabase CLI to run Edge Functions locally with environment variables in a .env file. This allows you to test the integration without affecting production users.
Deploy the open-source Edge Function in minutes and start sending OTP messages to your users today.