Why isn't your Supabase magic link working?
A free checker for broken Supabase magic links. Paste yours and the checker finds the most likely cause, from redirects and templates to delivery and Auth settings.
- No signup
- OAuth optional
- Never opens the link
Paste the link. The checker reads it first.
Everything runs locally and the link is never opened, then you get the most likely fix.
The link is parsed locally and never opened.
Start with the automatic checkup
Connect Supabase read-only and the tool checks your real Auth settings. Optional, but the fastest way to rule out a settings problem.
Read-only OAuth. You sign in on Supabase. Only your URL config, email sign-in, sender, and template settings are read, never changed.
Check a specific symptom
No connection needed. These catch what the checkup can't see, like live delivery, your template, and how your app handles the link. Useful even if the checkup looks clean.
Prepare for launch
Verify these before shipping magic links to real users.
A short pre-flight so real users don't hit the failures above.
Redirect allow list covers every environment
Add production, preview deploys, localhost, and mobile deep-link URLs intentionally. Use globstar patterns only for preview URLs, not as a broad production fallback.
Custom SMTP or Send Email Hook is configured
The default Supabase sender is rate-limited for production. Set up custom SMTP, a Send Email Hook, or route auth emails through Dreamlit.
Email template uses the right link variable
Use ConfirmationURL for the default flow. Only use a TokenHash link if your app explicitly verifies token_hash on the server.
The page that handles the link can read the callback value
Server-side routes (like Next.js Route Handlers) can't see the part of the URL after the # symbol. Make sure sign-in completes in the browser, or use PKCE/code exchange or token_hash verification that puts server-readable values in query parameters.
Real-user delivery, not just team or test addresses
Send a magic link to an external address (Gmail, Outlook) before launch. Internal addresses often bypass deliverability problems that hit real users.
Common questions
Supabase magic link troubleshooting, answered.
Background on the failure modes the checker looks for, plus the Supabase Auth concepts that explain them.
- Why are my Supabase magic links not working?
- Supabase magic links usually fail because the redirect URL is not in your Supabase Auth allow list, the email template uses a plain SiteURL when it should use ConfirmationURL or a verified TokenHash flow, the sign-in flow your app expects doesn't match how the link was sent, or the link was already opened by an email security scanner. Paste the link into the checker above and it points you to the most likely cause.
- Why do magic links stop arriving after a few tries?
- Supabase rate-limits how often it will send magic links and password resets to the same address. After a few quick requests, new sends can be rejected or delayed, so what looks like a delivery failure is often throttling. Wait a minute and try again, and for production set up custom SMTP or a Send Email Hook so you are not capped by the default sender.
- Can a staging vs production project mismatch break my magic link?
- Yes. Check that the project reference in the link matches the project your app is actually calling. A staging link opened against production, or the reverse, fails because the token was issued by a different project. Compare the project ref in the link to the one your app uses.
- Does opening the magic link on a different device break sign-in?
- It can. PKCE stores a code verifier in the browser that requested the link, so opening the email on a different device or browser can stop the code exchange from completing. If that is your setup, open the link in the same browser that requested it, or use a server-side token_hash email flow that does not depend on the original browser session.
- How do I check a Supabase magic link without clicking it?
- Paste the URL into the checker. It parses the link locally in your browser, redacts secret values, and reads the link type, redirect host, and project ref. The checker never opens or consumes the link, which matters because Supabase magic links are single-use.
- When should I use ConfirmationURL vs TokenHash?
- Use {{ .ConfirmationURL }} for the default Supabase email link. It builds the verify URL for you and applies the redirectTo value automatically. Use a {{ .TokenHash }} link when your app explicitly verifies token_hash on the server before creating a session. Mixing a fragment-token callback with a server route is one of the most common reasons magic links break.
- How do redirect URLs work in Supabase Auth?
- Supabase only allows redirects to URLs explicitly listed in Authentication → URL Configuration → Redirect URLs. Site URL is the default callback when no redirectTo is provided. If your app passes redirectTo, add that exact URL to Redirect URLs. The checker compares the link's callback against the expected callback to surface mismatches.
- Do I need OAuth or a real email to use the Supabase Magic Link Checker?
- No. Connecting Supabase with OAuth is the fastest, most exact check, but it is optional. You can paste a magic link, callback URL, or template and run the manual checks without connecting, and without sending a real email. Live inbox delivery is opt-in too.
- What does connecting Supabase actually check?
- When you connect read-only with Supabase OAuth, the checker reads the Auth settings that decide whether a magic link works: your Site URL, your redirect URL allow list, whether email sign-in is enabled, and which sender your project uses. It never changes anything and creates nothing. This is the automatic checkup, and it is the quickest way to rule out a settings problem before you dig into delivery, templates, or how your app handles the link.
- Does the checker click Supabase magic links or send real email?
- The checker never opens or consumes a magic link. Live inbox delivery is opt-in only. You send the email yourself from your app to a throwaway address Dreamlit provides, and Dreamlit parses the received message, redacts tokens, and deletes it on a short TTL.
- Why are users being created when they just request a magic link?
- By default, supabase.auth.signInWithOtp() will auto-create a user if the email doesn't already exist. If you only want existing users to sign in, pass shouldCreateUser: false in the options. This is a separate concern from delivery. Supabase still sends a link to new email addresses unless you opt out.
Fix it with Dreamlit
Done debugging? Skip the template grind.
Dreamlit handles your Supabase auth emails end to end: branded, reliable, and ready to ship.
- Your own sender domain and branding
- No SMTP or webhooks to manage
- Delivery you can actually see