Overview

Studley AI uses Supabase authentication to provide secure account management with email verification, session handling, and multi-factor authentication (MFA) support.

Creating an Account

1. Navigate to Sign Up

Go to /signup or click “Sign up here” from the login page.
2. Enter Your Information

Fill out the registration form:
  • First Name: Your first name
  • Last Name: Your last name
  • Email: A valid email address
  • Password: At least 6 characters
  • Confirm Password: Must match your password
3. Agree to Terms

Check the box to agree to the Terms of Service and Privacy Policy. This is required to create an account.
4. Submit Registration

Click “Create Account” to submit your registration. The system will:
  • Create your Supabase Auth account
  • Insert your profile into the users table
  • Send a welcome email to your inbox
5. Verify Your Email

After registration, you’ll be shown a verification screen. Check your email inbox for a 6-digit verification code, then enter it in the verification form and click “Verify Email”.
6. Access Dashboard

Once verified, you’ll be automatically redirected to /dashboard with a confirmation flag.
Welcome emails are sent asynchronously and won’t block the signup process. If you don’t receive the email, check your spam folder.

Logging In

1. Navigate to Login

Go to /login to access the login page.
2. Enter Credentials

Provide your email and password in the login form.
3. Submit Login

Click “Sign In” to authenticate. The system will:
  • Verify your credentials with Supabase Auth
  • Check if MFA is enabled on your account
  • Create a session if successful
4. Complete MFA (If Enabled)

If you have MFA enabled:
  1. The system creates an MFA challenge
  2. You’ll be prompted to enter your 6-digit authenticator code
  3. Enter the code from your authenticator app (Google Authenticator, Authy, etc.)
  4. Click “Verify Code” to complete authentication
5. Access Dashboard

After successful authentication, you’re redirected to /dashboard.

Alternative Login Methods

In addition to email/password, you can sign in using:
  • Google OAuth: Click “Continue with Google” to authenticate using your Google account
  • Clever SSO: For students and educators, click “Login with Clever” for single sign-on

Email Verification

Verification Flow

Email verification happens immediately after signup:
  1. Code Generation: Supabase generates a 6-digit OTP (one-time password)
  2. Email Delivery: The code is sent to your registered email address
  3. Code Entry: Enter the code on the verification page within the time limit
  4. Account Activation: Once verified, your account is fully activated

Verification Requirements

  • Verification codes are time-sensitive
  • You must verify your email before accessing most features
  • Unverified accounts may have limited functionality
If you close the verification page, you can request a new code by attempting to log in again.
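The following is an added example, not Studley AI’s or Supabase’s code, of the server-side bookkeeping a code-based verification like the one above needs: the code comes from a CSPRNG, only a hash of it is stored, it expires after a window, it is single-use, and repeated wrong guesses lock it. The 10-minute window, the five-attempt cap and the in-memory store are assumptions of this example; the page gives no exact time limit.

```typescript
import { createHash, randomInt, timingSafeEqual } from "node:crypto";

const OTP_TTL_MS = 10 * 60 * 1000;   // assumed validity window; the page only says codes are time-sensitive
const OTP_MAX_ATTEMPTS = 5;          // assumed cap on wrong guesses per issued code

interface PendingOtp {
  hash: Buffer;       // sha256(email:code); the clear-text code is never stored
  expiresAt: number;  // epoch milliseconds
  attempts: number;   // wrong guesses so far
}

// In-memory store keyed by normalised email; a real deployment would use a database row with the same fields.
const pending = new Map<string, PendingOtp>();

function hashOtp(email: string, otp: string): Buffer {
  return createHash("sha256").update(`${email.toLowerCase()}:${otp}`).digest();
}

// Issue a fresh 6-digit code for an address (replacing any earlier one) and return it for delivery by email.
function issueOtp(email: string, nowMs: number): string {
  const otp = randomInt(0, 1000000).toString().padStart(6, "0"); // CSPRNG; padStart keeps leading zeros
  pending.set(email.toLowerCase(), { hash: hashOtp(email, otp), expiresAt: nowMs + OTP_TTL_MS, attempts: 0 });
  return otp;
}

type OtpResult = "ok" | "expired" | "invalid" | "locked" | "none";

// Check a submitted code. Every outcome other than "invalid" removes the pending entry, so a code can be
// used once at most and an expired or locked code cannot be retried.
function verifyOtp(email: string, otp: string, nowMs: number): OtpResult {
  const key = email.toLowerCase();
  const entry = pending.get(key);
  if (!entry) return "none";
  if (nowMs >= entry.expiresAt) {
    pending.delete(key);
    return "expired";
  }
  if (entry.attempts >= OTP_MAX_ATTEMPTS) {
    pending.delete(key);
    return "locked";
  }
  if (!/^\d{6}$/.test(otp) || !timingSafeEqual(hashOtp(email, otp), entry.hash)) {
    entry.attempts += 1;
    return entry.attempts >= OTP_MAX_ATTEMPTS ? "locked" : "invalid";
  }
  pending.delete(key); // single use
  return "ok";
}
```

The hash comparison runs in constant time, and the attempt cap is what makes a six-digit code safe against online guessing: without it, a million guesses within the validity window would succeed.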

Session Management

Session Creation

When you log in successfully, Studley AI creates a secure session:
  • Technology: JWT (JSON Web Tokens) signed with HS256 (one server-side secret both signs and verifies the token, so that secret must never reach the client)
  • Duration: 7 days from login
  • Storage: HTTP-only cookie named session
  • Cookie Settings:
    • httpOnly: true - the cookie cannot be read by JavaScript, so a script injected into the page cannot exfiltrate it
    • secure: true (production) - sent over HTTPS only; in development the flag is off and the cookie travels in plaintext
    • sameSite: lax - the browser omits the cookie from cross-site subrequests and cross-site POSTs, which blocks most CSRF; it is still attached to top-level GET navigations, so no state-changing action may be reachable by GET
    • maxAge: 7 days - the browser discards the cookie after this period, which matches the token’s own expiry

Session Data

Your session token contains the fields below. The token is signed, not encrypted: anyone holding the cookie can decode them, so nothing secret is stored in it.
interface SessionData {
  userId: string        // Your unique user ID
  username: string      // Your username
  isAdmin?: boolean     // Admin status (if applicable)
}

Session Validation

The session is validated automatically:
  • Client-side: on every page load (the cookie is httpOnly, so the client checks session state through the server rather than by reading the token itself)
  • Server-side: on every API request, by checking the cookie’s signature and expiry
  • Middleware: protects dashboard routes (/dashboard/*), sending unauthenticated requests to /login

Session Expiration

Sessions expire after 7 days. When your session expires:
  1. You’re automatically redirected to /login
  2. Your previous page is saved for redirect after login
  3. You’ll need to log in again to continue
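As an added example of the session design described in this section (not Studley AI’s own code): minting and verifying an HS256 session JWT that carries the SessionData fields, building the Set-Cookie header with the listed attributes, and the middleware decision for /dashboard/*. The secret, the ?next= query parameter used to remember the previous page, and the safeReturnPath check are assumptions of this example; the page does not say how the return path is stored.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Shape of the session payload documented above.
interface SessionData {
  userId: string;
  username: string;
  isAdmin?: boolean;
}

const SESSION_TTL_SECONDS = 7 * 24 * 60 * 60; // 7 days, matching the documented maxAge

function b64url(input: string): string {
  return Buffer.from(input, "utf8").toString("base64url");
}

// Mint an HS256 JWT carrying the session data plus iat/exp claims.
function signSession(data: SessionData, secret: string, nowSeconds: number): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ ...data, iat: nowSeconds, exp: nowSeconds + SESSION_TTL_SECONDS }));
  const signingInput = `${header}.${payload}`;
  const sig = createHmac("sha256", secret).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}

// Verify a token: pin the algorithm, compare the MAC in constant time, then check expiry and field types.
function verifySession(token: string, secret: string, nowSeconds: number): SessionData | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  let alg: unknown;
  try {
    alg = JSON.parse(Buffer.from(header, "base64url").toString("utf8")).alg;
  } catch {
    return null;
  }
  if (alg !== "HS256") return null; // never trust the token's alg: rejects "none" and key-confusion tricks
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: Record<string, unknown>;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null; // expired
  if (typeof claims.userId !== "string" || typeof claims.username !== "string") return null;
  return { userId: claims.userId, username: claims.username, isAdmin: claims.isAdmin === true };
}

// Build the Set-Cookie header with the attributes listed above (Secure only in production).
function sessionCookie(token: string, production: boolean): string {
  const attrs = [`session=${token}`, "Path=/", "HttpOnly", "SameSite=Lax", `Max-Age=${SESSION_TTL_SECONDS}`];
  if (production) attrs.push("Secure");
  return attrs.join("; ");
}

// Middleware decision for /dashboard/*: null means allow; otherwise the redirect target, carrying the
// requested page (assumed ?next= parameter) so it can be restored after login.
function dashboardGate(cookieToken: string | undefined, path: string, secret: string, nowSeconds: number): string | null {
  if (!path.startsWith("/dashboard")) return null;
  if (cookieToken && verifySession(cookieToken, secret, nowSeconds)) return null;
  return `/login?next=${encodeURIComponent(path)}`;
}

// Only a same-origin path may be used as the post-login return target: no absolute URL and no
// protocol-relative //host, otherwise the login page becomes an open redirect.
function safeReturnPath(next: string | undefined): string {
  return next && next.startsWith("/") && !next.startsWith("//") ? next : "/dashboard";
}
```

The two checks that matter most are the pinned algorithm and the constant-time MAC comparison; a verifier that reads alg from the header or compares signatures with === is the classic JWT failure.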

Logging Out

To end your session:
1. Access Settings

Navigate to /dashboard/settings or click your profile in the sidebar.
2. Click Logout

Scroll to the “Danger Zone” section and click the “Logout” button.
3. Session Cleared

The system will:
  • Delete your session cookie
  • Sign you out from Supabase Auth
  • Redirect you to /login

Multi-Factor Authentication (MFA)

MFA Support

Studley AI supports TOTP (Time-based One-Time Password) authentication:
  • Compatible with Google Authenticator, Authy, 1Password, etc.
  • Adds an extra layer of security to your account
  • Required after password verification when enabled

MFA Login Flow

  1. Enter email and password as normal
  2. System checks for verified TOTP factors
  3. If MFA is enabled, a challenge is created
  4. Enter your 6-digit authenticator code
  5. System verifies the code and grants access
MFA setup is currently managed through Supabase. Contact support if you need to enable or disable MFA on your account.
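As an added example (not Studley AI’s or Supabase’s implementation), this is the TOTP check behind step 5 of the MFA login flow, written from RFC 4226/6238: HMAC-SHA1 over a 30-second step counter, dynamic truncation to 6 digits, and the one-step tolerance either side that the troubleshooting section below relies on (try the previous or next code). The replay guard that remembers the last accepted step is an addition of this example; the secret and codes used in its checks are the RFC test vectors.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const TOTP_STEP_SECONDS = 30;
const TOTP_DIGITS = 6;

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
function hotp(secret: Buffer, counter: number, digits: number = TOTP_DIGITS): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0); // high 32 bits
  msg.writeUInt32BE(counter % 0x100000000, 4);             // low 32 bits
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return (bin % Math.pow(10, digits)).toString().padStart(digits, "0");
}

// TOTP (RFC 6238): the HOTP counter is the number of 30-second steps since the Unix epoch.
function totp(secret: Buffer, unixSeconds: number, digits: number = TOTP_DIGITS): string {
  return hotp(secret, Math.floor(unixSeconds / TOTP_STEP_SECONDS), digits);
}

// Server-side check: accept the current step and one step either side for clock drift, compare in
// constant time, and return the matched step so the caller can store it and refuse a replay of the
// same (or an older) code. lastUsedStep is the step stored from the previous successful login, if any.
function verifyTotp(secret: Buffer, code: string, unixSeconds: number, lastUsedStep: number | null = null): number | null {
  if (!/^\d{6}$/.test(code)) return null;
  const step = Math.floor(unixSeconds / TOTP_STEP_SECONDS);
  for (const delta of [0, -1, 1]) {
    const candidate = step + delta;
    if (lastUsedStep !== null && candidate <= lastUsedStep) continue; // already consumed
    const expected = hotp(secret, candidate);
    if (timingSafeEqual(Buffer.from(expected, "ascii"), Buffer.from(code, "ascii"))) return candidate;
  }
  return null;
}
```

A wider window than one step on each side lowers the bar for an attacker who has captured a code, so the troubleshooting advice to fix the device clock is the right response to persistent mismatches, not a larger window.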

Security Best Practices

  • Strong Passwords: 6 characters is only the minimum the form enforces; use a long, random passphrase from a password manager
  • Unique Passwords: Don’t reuse passwords from other sites
  • Enable MFA: Add two-factor authentication for extra security
  • Secure Devices: Log out from shared or public computers
  • Monitor Activity: Check your recent activity regularly

Authentication API Endpoints

Signup

  • Endpoint: POST /api/auth/signup
  • Body: { email, firstName, lastName, password }
  • Response: { success: true, user: { id, email, firstName, lastName } }

Login

  • Endpoint: POST /api/auth/login
  • Body: { email, password } or { email, password, mfaCode, challengeId }
  • Response: { success: true, user: { id, email, name } } or { mfaRequired: true, challengeId }

Verify Email

  • Endpoint: POST /api/auth/verify
  • Body: { email, otp }
  • Response: { success: true }

Logout

  • Endpoint: POST /api/auth/logout
  • Response: { success: true }
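As an added example (not Studley AI’s client code), a client driving the two-step login documented above and in the MFA Login Flow: the first POST carries only the credentials, and when the reply is { mfaRequired: true, challengeId } the second POST adds the authenticator code together with that challengeId. The server stand-in is constructed so the example runs offline; its error bodies, the fixed code 123456 that stands in for a real TOTP check, and the synchronous transport (a real client would await fetch) are assumptions of this example.

```typescript
// Response shapes from the documented login endpoint; the error field is assumed, the page does not document error bodies.
interface LoginResponse {
  success?: boolean;
  mfaRequired?: boolean;
  challengeId?: string;
  user?: { id: string; email: string; name: string };
  error?: string;
}

// A transport is "POST this JSON body to this path and return the parsed reply"; a real client wraps fetch here.
type Transport = (url: string, body: Record<string, string>) => LoginResponse;

// Client side of the two-step login. The second request repeats the credentials and carries the challengeId
// from the first, which is what binds the TOTP code to the password check that already succeeded.
function login(send: Transport, email: string, password: string, promptForCode: () => string): LoginResponse {
  const first = send("/api/auth/login", { email, password });
  if (!first.mfaRequired) return first; // no MFA on the account: done, whether success or failure
  if (!first.challengeId) throw new Error("server said mfaRequired but sent no challengeId");
  const mfaCode = promptForCode(); // user reads the 6-digit code from their authenticator app
  return send("/api/auth/login", { email, password, mfaCode, challengeId: first.challengeId });
}

// Constructed stand-in for the server so the example runs offline: one account with MFA, one without.
// Each challengeId is accepted once only, whether or not the submitted code was right.
function fakeServer(): Transport {
  const accounts: Record<string, { password: string; mfa: boolean; id: string; name: string }> = {
    "alice@example.com": { password: "correct horse", mfa: true, id: "u1", name: "Alice" },
    "bob@example.com": { password: "hunter22", mfa: false, id: "u2", name: "Bob" },
  };
  const openChallenges = new Set<string>();
  let nextChallenge = 1;
  return (url, body) => {
    const acct = accounts[body.email];
    if (url !== "/api/auth/login" || !acct || acct.password !== body.password) {
      return { success: false, error: "invalid credentials" };
    }
    if (!acct.mfa) return { success: true, user: { id: acct.id, email: body.email, name: acct.name } };
    if (body.mfaCode === undefined) {
      const challengeId = `chal-${nextChallenge++}`;
      openChallenges.add(challengeId);
      return { mfaRequired: true, challengeId };
    }
    const known = openChallenges.delete(body.challengeId); // consume the challenge even on a wrong code
    if (!known || body.mfaCode !== "123456") return { success: false, error: "invalid or expired MFA code" };
    return { success: true, user: { id: acct.id, email: body.email, name: acct.name } };
  };
}
```

Note that the second request is still authenticated by the password: a client that sent only the code and challengeId would let anyone who learned a challengeId skip the first factor.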

Troubleshooting

Can’t receive verification email?

  • Check your spam/junk folder
  • Verify you entered the correct email address
  • Wait a few minutes and try again
  • Contact support if the issue persists

Forgot password?

  • Currently, password reset is handled through email
  • Contact support at [email protected] for assistance

MFA code not working?

  • Ensure your device’s time is synchronized
  • Try the previous or next code (accounts for clock drift)
  • Contact support if you’ve lost access to your authenticator

Session expired unexpectedly?

  • Sessions last 7 days - you may need to log in again
  • Clear your browser cookies and try logging in fresh
  • Check if you’re using private/incognito mode (cookies don’t persist)