Skip to main content
Sublay’s built-in authentication lets you register and sign in users with an email address and password without building your own auth backend. The SDK’s useAuth hook exposes all the actions you need.

Sign Up

Call signUpWithEmailAndPassword with at minimum an email and password. Additional profile fields are optional.

Optional Profile Fields

You can pass additional profile data at registration time:
If you supply both avatar (URL) and avatarFile (file upload), the file takes precedence and the URL is ignored.

Sign In

Sign Out

signOut revokes the current session’s entire token family on the server and clears local auth state.

Change Password

Users who signed up with email/password can change their password while authenticated. The current password must be provided for verification.

Password Reset

Users who forget their password can request a reset email. Sublay sends a link to the registered email address. The link expires after 1 hour.
The API always responds with a success message regardless of whether the email address is registered, to prevent user enumeration.

Auth State

Check whether the SDK has finished initializing and whether a user is currently signed in:

Email Verification

After sign-up, you can prompt users to verify their email address. Sublay sends a short-lived token (5 minutes) via email. There are two delivery modes: a code the user types back into your app, or a link they click to verify automatically.

Send a verification email

By default this sends a hex token. You can customise the token format and delivery mode:

Verify with a code

When using mode: "code", collect the token from the user and call useVerifyEmail:
On success, user.isVerified is updated immediately in the local Redux store — no refetch needed. When using mode: "link", the email contains a button the user clicks. The server verifies the token and either:
  • Redirects to the redirectUrl you provided with ?verified=true appended, or
  • Renders a hosted success page if no redirectUrl was given.
The user.isVerified field will be true the next time the user’s session is loaded (e.g. on next sign-in or token refresh). There is no SDK callback for link-mode verification since it happens outside the app’s JS context.
The verification token is valid for 5 minutes and can only be used once. Calling sendVerificationEmail while a previous token is still valid will generate a new token — the old one remains valid until it expires or the new one is used.

See Also