SalesSheet.ai — Auth Architecture

Magic Link + PKCE Authentication Flow

Passwordless auth with Proof Key for Code Exchange for secure mobile sessions

Flow (arrow labels are what passes between stages):

User --code_challenge--> Magic Link --auth_code--> PKCE Token --verify--> Supabase Auth --JWT--> Session

User: enters email, generates code_verifier locally
Magic Link: one-time token, SHA-256 hashed, 10-minute expiry
PKCE Token: code_verifier + auth_code exchanged
Supabase Auth: validates verifier against challenge hash
Session: authenticated in the original client only
1. Client generates PKCE pair. Random code_verifier stored locally; SHA-256 code_challenge sent with magic link request.
2. Email sent with one-time link. Token hashed before DB storage. 10-minute expiry, single use.
3. User clicks link, returns to app. Universal Links (iOS) / App Links (Android) ensure return to the original app.
4. Code exchange completes login. Only the original client has the code_verifier, so only it can get the session JWT.