WEDNESDAY, JULY 1, 2026 48° E  /  GLOBAL TECH · SUMMARISED
AI, business, devices, policy — global tech, summarised every 30 minutes.
Dev Tools · 2h ago

Supabase OTP Bug: Hardcoded 6-Digit Regex Rejects Valid 8-Digit Codes

By Meridian48 News Desk · Summarised from DEV Community

A developer's client-side regex assumed OTPs are always six digits, but Supabase's GoTrue can emit eight-digit codes depending on configuration. This caused valid codes to be rejected before reaching the server, with a misleading error message. The fix is to use a loose regex that never rejects a real code, relying on server-side verification.

Meridian48 take
A cautionary tale: client-side validation should never be stricter than the server's actual token format, or you'll silently break auth for real users.
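
An added example, not taken from the DEV Community post or from Supabase: a client-side pre-check that normalizes pasted input and blocks only strings that cannot be a code at all, run side by side with the hardcoded six-digit pattern. The function names and the 4-to-12-digit bounds are assumptions chosen for illustration; server-side verification remains the only real check.

```javascript
// Added illustration. Names and length bounds are assumptions, not Supabase's API.
const STRICT_OTP = /^\d{6}$/;    // the hardcoded six-digit assumption from the brief
const LOOSE_OTP = /^\d{4,12}$/;  // assumed generous bounds; the server decides validity

// Strip whitespace and hyphens that users or mail clients add when pasting a code.
function normalizeOtp(raw) {
  return String(raw ?? "").replace(/[\s-]+/g, "");
}

// Client-side pre-check: stop only input that cannot possibly be a code,
// and report an accurate reason instead of a generic "invalid code".
function precheckOtp(raw, pattern = LOOSE_OTP) {
  const code = normalizeOtp(raw);
  if (code === "") return { submit: false, code, reason: "empty" };
  if (!/^\d+$/.test(code)) {
    return { submit: false, code, reason: "non-digit characters" };
  }
  if (!pattern.test(code)) {
    return { submit: false, code, reason: "unexpected length" };
  }
  // Passing here only means "worth sending"; it is not a verification result.
  return { submit: true, code, reason: null };
}

// Constructed sample inputs (not real codes).
const SAMPLES = ["123456", "12345678", " 1234 5678 ", "1234-5678", "12ab56", ""];

// Compare what each pattern would let through to the server.
function compare(samples = SAMPLES) {
  return samples.map((raw) => ({
    raw,
    strict: precheckOtp(raw, STRICT_OTP).submit,
    loose: precheckOtp(raw, LOOSE_OTP).submit,
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```
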
Read the full reporting
Your OTP regex assumes six digits. Supabase magic links don't. →
DEV Community