This is an internal endpoint used by authentication flows. It completes the Supabase OAuth or magic link flow and redirects the user. Clients do not call this endpoint directly.
  • Endpoint: GET /auth/callback
  • File Location: src/app/auth/callback/route.ts

Query parameters

  • code (string): OAuth authorization code from the provider. When present, the server exchanges it for a session.
  • token_hash (string): Supabase email/magic link token hash used with type to verify email OTP flows.
  • type (string): Auth flow type. Common values: signup, email, recovery.
  • next (string): Relative path to redirect after successful auth. Non-relative values are ignored to prevent open redirects. Defaults to /dashboard.

Behavior

  • When code exists (OAuth):
    • Exchanges code for a session.
    • If type=recovery: redirects to /reset-password.
    • If type=signup: redirects to /dashboard.
    • Otherwise: redirects to next (if relative) or /dashboard.
  • When token_hash and type exist (email/magic link):
    • Verifies OTP with the given type.
    • If type=recovery: redirects to /reset-password.
    • If type=signup or type=email: redirects to /dashboard.
    • Otherwise: redirects to next (if relative) or /dashboard.
  • On failure: redirects to /sign-in?error=auth_failed.
The next parameter only accepts relative paths. External URLs are ignored and the redirect falls back to /dashboard, which avoids open redirects.
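
One way to implement the next check and the redirect rules listed above, as an added example that is not the project's route.ts. The names safeNextPath and redirectTarget and the callback.invalid parsing origin are hypothetical; the example also rejects protocol-relative (//host) and backslash (/\host) values, which browsers resolve as external hosts even though they start with a slash.

```typescript
// Added example, not the project's code. All names below are hypothetical.
const DEFAULT_PATH = "/dashboard";
// Placeholder origin used only to resolve `next`; nothing is ever sent to it.
const BASE = "http://callback.invalid";

// Return `next` only when it is a same-origin relative path, else the default.
function safeNextPath(next: string | null | undefined): string {
  if (!next) return DEFAULT_PATH;
  // Must start with exactly one "/": rejects "https://...", "//host", "/\host".
  if (!/^\/(?![\/\\])/.test(next)) return DEFAULT_PATH;
  // Backslashes and control characters are rewritten by URL parsers; refuse them.
  if (/[\\\u0000-\u001f\u007f]/.test(next)) return DEFAULT_PATH;
  try {
    // Resolve against the placeholder origin and confirm the origin is unchanged.
    const url = new URL(next, BASE);
    if (url.origin !== BASE) return DEFAULT_PATH;
    // Rebuild from parsed parts so only path, query and fragment are emitted.
    return url.pathname + url.search + url.hash;
  } catch {
    return DEFAULT_PATH;
  }
}

type Flow = "oauth" | "otp";

// Destination after a successful code exchange or OTP verification,
// following the Behavior list: `next` is honoured only in the fallback case.
function redirectTarget(flow: Flow, type: string | null, next: string | null): string {
  if (type === "recovery") return "/reset-password";
  if (type === "signup") return DEFAULT_PATH;
  if (flow === "otp" && type === "email") return DEFAULT_PATH;
  return safeNextPath(next);
}

// Constructed sample inputs showing which values survive the check.
const samples = ["/settings?tab=billing", "https://evil.example/", "//evil.example/x", "/\\evil.example"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", redirectTarget("oauth", null, s));
}
```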

Examples

Example Request (OAuth code)

curl -I 'http://localhost:3000/auth/callback?code=abc123&type=signup&next=/dashboard'

Example Response

HTTP/1.1 302 Found
Location: /dashboard

Example Request (token_hash, recovery)

curl -I 'http://localhost:3000/auth/callback?token_hash=xyz&type=recovery'

Example Response

HTTP/1.1 302 Found
Location: /reset-password
See Authentication for full flow diagrams, UI routes, and server action usage.