> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getsabo.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth Callback

> Handles Supabase OAuth and magic link callbacks, exchanges tokens, and redirects.

<Info>
  This is an internal endpoint used by authentication flows. It completes the Supabase OAuth or magic link flow and redirects the user. Clients do not call this endpoint directly.
</Info>

* **Endpoint**: `GET /auth/callback`
* **File Location**: `src/app/auth/callback/route.ts`

## Query parameters

<ParamField query="code" type="string">
  OAuth authorization code from the provider. When present, the server exchanges it for a session.
</ParamField>

<ParamField query="token_hash" type="string">
  Supabase email/magic link token hash used with <code>type</code> to verify email OTP flows.
</ParamField>

<ParamField query="type" type="string">
  Auth flow type. Common values: <code>signup</code>, <code>email</code>, <code>recovery</code>.
</ParamField>

<ParamField query="next" type="string">
  Relative path to redirect after successful auth. Non-relative values are ignored to prevent open redirects. Defaults to <code>/dashboard</code>.
</ParamField>

## Behavior

* When <code>code</code> exists (OAuth):
  * Exchanges code for a session.
  * If <code>type=recovery</code>: redirects to <code>/reset-password</code>.
  * If <code>type=signup</code>: redirects to <code>/dashboard</code>.
  * Otherwise: redirects to <code>next</code> (if relative) or <code>/dashboard</code>.

* When <code>token\_hash</code> and <code>type</code> exist (email/magic link):
  * Verifies OTP with the given type.
  * If <code>type=recovery</code>: redirects to <code>/reset-password</code>.
  * If <code>type=signup</code> or <code>type=email</code>: redirects to <code>/dashboard</code>.
  * Otherwise: redirects to <code>next</code> (if relative) or <code>/dashboard</code>.

* On failure: redirects to <code>/sign-in?error=auth\_failed</code>.

<Warning>
  The <code>next</code> parameter only accepts relative paths. External URLs are sanitized to avoid open redirects.
</Warning>

## Examples

#### Example Request (OAuth code)

```bash theme={null}
curl -I 'http://localhost:3000/auth/callback?code=abc123&type=signup&next=/dashboard'
```

#### Example Response

```http theme={null}
HTTP/1.1 302 Found
Location: /dashboard
```

#### Example Request (Magic link)

```bash theme={null}
curl -I 'http://localhost:3000/auth/callback?token_hash=xyz&type=recovery'
```

#### Example Response

```http theme={null}
HTTP/1.1 302 Found
Location: /reset-password
```

<Note>
  See <a href="/core-features/authentication">Authentication</a> for full flow diagrams, UI routes, and server action usage.
</Note>
