View Authentication settings

To open the authentication settings for your project’s database, follow these steps:
  1. Log in to your Bolt project.
  2. Click the database icon in the top center of your screen.
  3. Click Authentication in the left menu.
Screenshot of Authentication Settings in Bolt.

Email authentication

This option allows your project’s users to sign up using their email address. Clicking Email in the Authentication settings opens the Email Provider Settings window, where you can enable or disable the following options:
  • Allow or block email-based signup and login
  • Require users to confirm their email after signing up
  • Require confirmation from the old address before changing an email
  • Require recent login (reauthentication) before changing a password
  • Prevent signups with weak or commonly used passwords
You can also edit your email templates, as discussed in the section below.

Edit email templates

Bolt lets you edit the email templates used to communicate with users. To edit your templates, follow these steps:
  1. Click the database icon in the top center of your screen.
  2. Click Authentication.
  3. Click the Email row.
  4. Click Edit email templates.
  5. Choose the template you want to edit from the top menu.
  6. Change the subject line or message body as needed.
Click the Preview button to see what the email with your changes will look like to your recipients.

Reset email templates to default

If you have updated your email templates and want to return to the original versions, click the “reset all templates to their default” link. This link appears in blue at the bottom of the editing window.
Screenshot of Edit Email Templates window in Database settings.
This will reset all templates to their original state.

Email template terminology

The templating system provides the following variables for use:
| Name | Description |
| --- | --- |
| {{ .ConfirmationURL }} | Contains the confirmation URL. For example, a signup confirmation URL would look like: https://project-ref.bolt.host/auth/v1/verify?token={{ .TokenHash }}&type=email&redirect_to=https://example.com/path. |
| {{ .Token }} | Contains a 6-digit One-Time-Password (OTP) that can be used instead of the {{ .ConfirmationURL }}. |
| {{ .TokenHash }} | Contains a hashed version of the {{ .Token }}. This is useful for constructing your own email link in the email template. |
| {{ .SiteURL }} | Contains your application’s Site URL. This can be configured in your project’s authentication settings. |
| {{ .RedirectTo }} | Contains the redirect URL passed when signUp, signInWithOtp, signInWithOAuth, resetPasswordForEmail or inviteUserByEmail is called. The redirect URL allow list can be configured in your project’s authentication settings. |
| {{ .Data }} | Contains metadata from auth.users.user_metadata. Use this to personalize the email message. |
| {{ .Email }} | Contains the original email address of the user. Empty when trying to link an email address to an anonymous user. |
| {{ .NewEmail }} | Contains the new email address of the user. This variable is only supported in the “Change Email Address” template. |

Bolt Database email templates are powered by Supabase technology. If you want a deeper look at topics like mobile deep linking, email prefetching, routing signups through a server endpoint, or tailoring emails based on signup method, see the Supabase Email Templates documentation.

Advanced Authentication options

Site URL: This field represents the main URL for your application. It is used whenever a redirect address is not provided during sign-in or password reset flows.
URI allow list: Sometimes, authentication providers need more than one redirect location. The allow list lets you enter a comma-separated list of valid redirect URL patterns for your project. You can use wildcards if you support multiple paths. Example: https://bolt-native-database-ocg0.bolt.host/**
You can use the URI allow list to add Reset Password flows to your Bolt project.
Automatic updates: You don’t need to manage these URLs manually in most cases. Bolt will automatically update these values when needed. If you need to override these values, you can. Bolt will respect your manual changes.
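
To see what a wildcard entry in the URI allow list admits and what it rejects, the following added example (not Bolt's code) checks redirect URLs against a comma-separated allow list. It assumes the wildcard semantics documented for Supabase redirect URLs, which this page does not spell out; the function names and the example.com entry are hypothetical.

```javascript
// Added illustration, not Bolt's own matcher. Assumed wildcard semantics
// (as documented for Supabase redirect URLs): "." and "/" are separators,
// "*" and "?" never cross a separator, "**" matches any characters.
function patternToRegExp(pattern) {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "*" && pattern[i + 1] === "*") {
      re += ".*"; // "**": spans path segments and subdomain labels
      i++;
    } else if (c === "*") {
      re += "[^./]*"; // "*": stays inside one segment or label
    } else if (c === "?") {
      re += "[^./]"; // "?": exactly one non-separator character
    } else {
      re += c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // literal character
    }
  }
  return new RegExp("^" + re + "$");
}

// allowList is the comma-separated string described in the settings above.
function isRedirectAllowed(redirectTo, allowList) {
  let url;
  try {
    url = new URL(redirectTo);
  } catch {
    return false; // relative or malformed input is never a valid redirect
  }
  if (url.protocol !== "https:") return false; // assumption: HTTPS-only app
  if (url.username || url.password) return false; // no userinfo before the host
  return allowList
    .split(",")
    .map((p) => p.trim())
    .filter(Boolean)
    .some((p) => patternToRegExp(p).test(url.href)); // match the normalized URL
}

// Review helper: a wildcard in the host part widens the list to other hosts.
function hostHasWildcard(pattern) {
  const authority = pattern.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0];
  return /[*?]/.test(authority);
}

// Constructed sample: the page's example entry plus a hypothetical one.
const ALLOW_LIST =
  "https://bolt-native-database-ocg0.bolt.host/**, https://example.com/*";
console.log(isRedirectAllowed("https://bolt-native-database-ocg0.bolt.host/reset-password", ALLOW_LIST));
console.log(isRedirectAllowed("https://example.com/auth/reset", ALLOW_LIST));
console.log(ALLOW_LIST.split(",").map((p) => hostHasWildcard(p.trim())));
```

Under these assumptions, an entry ending in /** covers every path on that one host, while a single * covers only one path segment.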

Google authentication

This option allows your project’s users to sign up using Google Secure Sign-On (SSO), meaning they can log in with their Google accounts instead of signing up with an email and password.
For a full Google SSO setup guide, see Google SSO authentication.
Clicking Continue with Google in the Authentication settings opens the Google Provider Settings window, where you can set the following:
  • Allow or block Google sign-in
  • Enter your Google Client ID
  • Enter your Google OAuth Client Secret
You’ll also be able to find the origin and redirect URIs you’ll need to set up your Google Cloud Console project, as shown in the example screenshot below:
Screenshot of Google SSO authorization settings in Bolt.

Google OAuth verification and custom domain setup

If your Bolt app uses Google sign-in, completing Google’s OAuth verification process helps ensure users see your product name and branding during authentication. This guide walks through the required steps to verify your domain and configure a custom OAuth experience.

Prerequisites

Before starting Google OAuth verification and custom domain setup, make sure the following requirements are in place. Completing these items ahead of time helps avoid delays during Google’s review process.
A Google Cloud project: You need an active Google Cloud project where OAuth is configured.
  • The project must be accessible to you with Owner or Editor permissions.
  • APIs and Services must be enabled for the project.
  • The OAuth consent screen must be available for editing.
If the project is newly created, allow a few minutes for all settings to become available in the console.
A verified primary domain: Your application must have a domain that you control.
  • The domain should be publicly accessible.
  • You must be able to verify ownership using Google’s domain verification methods.
  • The verified domain must match the domain used in your authentication flow and any redirect URLs.
Authentication configured: You should already have set up Google authentication in Bolt as described earlier on this page.
  • Redirect URIs must be finalized.
  • Authorized domains must be known ahead of time.
  • Third-party authentication vendors should already be selected and configured.
Changing these values after verification may require reapproval.
Public policy pages: Google requires transparency around user data usage.
  • A Privacy Policy must be live and publicly accessible.
  • A Terms of Service page must also be available.
  • Both links should clearly describe how user data is handled during authentication.
Draft or placeholder pages may result in verification delays.
Branding assets: Prepare basic branding materials in advance, including an application name that matches your product and a logo image that meets Google’s size and format requirements.

Step-by-step instructions for verifying your project

Step 1: Open the OAuth consent screen

  1. Sign in to Google Cloud Console.
  2. Navigate to APIs & Services, then select OAuth consent screen.
  3. Set the App name to your product name.
  4. Upload your application logo to match your brand.
Saving these details typically starts Google’s verification workflow.

Step 2: Watch for the verification email

After updating the consent screen, Google sends a verification email to the project owner. This message requests confirmation of the domains listed in your OAuth configuration. Keep this email handy, as you will respond to it in the next steps.

Step 3: Verify your primary domain

  1. Follow Google’s domain verification instructions for your own domain.
  2. Use Google’s domain verification tools to confirm ownership.
  3. Once verified, ensure the domain appears in the Authorized domains list in the OAuth consent screen.

Step 4: (If necessary) Confirm third-party domains

Some authentication setups rely on trusted vendors such as Supabase. For these domains:
  1. Reply directly to the Google verification email.
  2. Explain that the listed domains belong to authentication providers used by your application.
  3. Clarify that they are required for sign-in and user management.

Step 5: Add required policy links

Before verification can be completed, your OAuth consent screen must include:
  • A link to your Privacy Policy
  • A link to your Terms of Service
These links should be publicly accessible and reflect how user data is handled.
Once verification is approved, Google’s OAuth dialog displays your application name and branding during sign-in.