# Auth Configuration

> Auth sign-in methods — Email, Phone, or Both

Configure which sign-in methods are available in your project: **Dashboard → Auth → Configuration**.

## Sign-in methods

| Method | Description | Use when |
|--------|-------------|----------|
| **Email + Password** | Traditional sign-up/sign-in with email and password | Web apps, B2B, forms |
| **Email OTP** | Passwordless sign-in via 6-digit code to email | Mobile apps, modern SaaS |
| **Phone OTP** | Passwordless sign-in via SMS code | Consumer apps, emerging markets |
| **Both** | Email+password and/or OTP on email or phone | Maximum flexibility |

## Email only

Available endpoints:
- `POST /auth/register` — `email`, `password`, `name`, `customFields`
- `POST /auth/login` — `email`, `password`
- `POST /auth/otp/send` — `email` (if OTP enabled)
- `POST /auth/otp/verify` — `email` + `code`

Example register with custom fields:

```json
{
  "email": "user@example.com",
  "password": "StrongPassword123!",
  "name": "Jane Doe",
  "customFields": {
    "company": "Acme Inc",
    "role": "Developer"
  }
}
```

## Phone only

Available endpoints:
- `POST /auth/otp/send` — `phone`
- `POST /auth/otp/verify` — `phone` + `code`

Phone-only users receive a placeholder email internally. Use the returned `token` for all authenticated requests.

Example:

```jsonc
// POST /auth/otp/send
{ "phone": "+919876543210" }
// POST /auth/otp/verify, with the code received by SMS
{ "phone": "+919876543210", "code": "123456" }
```

## Both (email and phone)

Available endpoints:
- All of the above
- `POST /auth/otp/send` accepts either `email` or `phone`

```jsonc
// POST /auth/otp/send: passwordless via phone
{ "phone": "+919876543210" }

// POST /auth/otp/send: passwordless via email
{ "email": "user@example.com" }
```

## Custom registration fields

Add custom fields in **Dashboard → Auth → Custom Registration Fields**. These are stored in `profile_extras` and returned via `GET /me`:

```jsonc
// POST /auth/register request body
{
  "email": "user@example.com",
  "password": "StrongPassword123!",
  "customFields": { "plan": "pro", "company": "Acme" }
}

// GET /me response
{
  "id": "uuid",
  "email": "user@example.com",
  "profile_extras": { "plan": "pro", "company": "Acme" }
}
```

## Email verification

Toggle **Require email verification** in the dashboard. When enabled, `signUp` returns `requiresVerification: true` and no token is issued until the email is confirmed.

See [Email Verification](/features/auth/email-verification) for handling this in your app.

## Redirect URLs

Configure these in **Dashboard → Auth → Configuration**:

| Setting | Description |
|---------|-------------|
| **Email Verification URL** | Your app's `/verify-email` route — Aerostack appends `?token=...` |
| **Password Reset URL** | Your app's `/reset-password` route — Aerostack appends `?token=...` |
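
Because the token arrives in the query string of your `/verify-email` and `/reset-password` routes, it can end up in browser history, analytics, and `Referer` headers unless the route removes it. The following is an added example, not Aerostack code, of reading the token once and scrubbing it from the address bar; the function names, the length limit, and the sample URLs are assumptions, since this page does not document the token format.

```javascript
// Added example (not Aerostack code). The token format is not documented on
// this page, so only presence, uniqueness and size are checked.
const MAX_TOKEN_LENGTH = 2048; // assumed upper bound; adjust to your tokens

/**
 * Parse the URL the user landed on (/verify-email or /reset-password).
 * Returns { token, cleanUrl }. cleanUrl is the same location without the
 * token parameter, suitable for history.replaceState(). token is null when
 * the parameter is missing, empty, duplicated or oversized.
 */
function takeRedirectToken(href) {
  const url = new URL(href);
  const values = url.searchParams.getAll("token");

  // Remove every copy of the parameter; other parameters and the fragment stay.
  url.searchParams.delete("token");
  const cleanUrl = url.pathname + url.search + url.hash;

  const valid =
    values.length === 1 &&          // duplicated parameters are ambiguous: reject
    values[0].length > 0 &&
    values[0].length <= MAX_TOKEN_LENGTH;

  return { token: valid ? values[0] : null, cleanUrl };
}

// Browser entry point: call this first on the landing route, before any
// analytics or third-party script can read location.href.
function handleLanding() {
  const { token, cleanUrl } = takeRedirectToken(window.location.href);
  window.history.replaceState(null, "", cleanUrl); // token leaves the address bar
  return token; // keep in memory only; do not write it to localStorage or logs
}
```

Serving both routes with `Referrer-Policy: no-referrer` covers any request made before the script runs.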
