Since the change on 3 June 2026, free-tier projects using the default email provider can no longer edit their auth email templates. The password reset template is locked to {{ .ConfirmationURL }} (a link), and there's no way to switch it to {{ .Token }} (the 6-digit OTP) without setting up a custom SMTP provider — which in turn requires a verified domain.
For mobile apps, a confirmation link is a poor UX. The user has to leave their email client, open a link, and rely on deep linking to get back into the app — which is fragile and frequently breaks across email clients and OS versions.
A 6-digit code is far better: the user just reads it and types it into the app. It's faster, more reliable, and it's the pattern users already expect from mobile authentication. The locked link-only default is essentially a web-first flow that doesn't serve mobile developers well.
Would you consider allowing the {{ .Token }} variable in the password reset template on the free tier, even with editing otherwise locked? I'm not asking to reopen full template customization — just this one variable for this one flow.
Possible ways to do this without reopening free-text editing:
{{ .Token }} instead of {{ .ConfirmationURL }}.
This would keep the anti-abuse protection you're aiming for while unblocking a large, legitimate mobile use case.
I teach an online course on building mobile apps with Supabase as the backend. This change means students now have to set up custom SMTP and a domain just to get a sensible mobile password reset experience, which is a significant hurdle for beginners. Enabling token-based reset on the free tier would make a real difference for mobile developers building on Supabase.
Thanks for considering it 🙏
Adam Smaka requests the ability to use the {{ .Token }} variable in password reset templates for free-tier projects, highlighting the poor UX of link-based resets for mobile apps. He suggests alternatives to full template customization, aiming to improve mobile user experience without compromising security.