Passwordless login

In preview

Make the code the credential.

Get startedRead docs
Set up in:
Cursor

Passwordless login drops the password entirely: the user proves they hold a phone number or email by entering a one-time code, and that's the credential. With Bird Verify it's the same send-then-check flow — no password to store, reset, or breach, and silent network authentication on the roadmap to remove even the typing.

verify.ts
200 · pending
import { BirdClient } from "@messagebird/sdk";

const bird = new BirdClient({ apiKey: process.env.BIRD_API_KEY! });

// Send the code, then check it by recipient.
await bird.verify.verifications.create({
  to: { email_address: "ada@example.com" },
}).safe();

const { data } = await bird.verify.verifications.check({
  to:   { email_address: "ada@example.com" },
  code: userInput,
}).safe();

The code isn't a second factor here. It's the only one.

Passwordless is the Bird Verify API used as the login itself: create a verification for the address the user signs in with, then check the code they enter — verified means logged in. There's no password row to protect and no verification id to store, and which channel each user gets is configurable per country. Keep a password in front instead and the same calls power two-factor authentication.

What passwordless gets you.

Less to store, less to steal.

  1. 01

    No password to breach.

    There's no password hash to leak, no reset flow to phish, and no credential reuse across sites. The factor is possession of a channel.

  2. 02

    One flow for signup and login.

    The same create-then-check verifies a new address at signup and re-verifies it at login. One path, not two.

  3. 03

    SMS, email, or WhatsApp as the credential.

    Sign users in with the channel you already have for them (SMS, email, or WhatsApp), with voice rolling out as more options.

  4. 04

    Silent auth on the roadmap.

    Carrier-network (silent) verification, which proves the number with no code to type, is designed in as a future channel, so the friction can drop further without a rewrite.

How passwordless login works

  1. 01

    The user enters the email or phone they want to sign in with.

  2. 02

    One create call sends a one-time code to that address.

  3. 03

    The user enters the code on your screen.

  4. 04

    One check call by recipient. A verified result grants the session, with no password compared and nothing stored.

Sign in with a code, not a password.

Send the code to the address the user enters, then check it. A verified result is the login — there's no password to compare against.

passwordless.ts
200
await bird.verify.verifications.create({
  to: { email_address: input.email },
}).safe();

const { data } = await bird.verify.verifications.check({
  to:   { email_address: input.email },
  code: submitted,
}).safe();

// a true result is the login — no password to compare
if (data.result) grantSession(input.email);

Passwordless login FAQ

How is passwordless different from 2FA?+
With two-factor, the code is a second proof on top of a password. Passwordless removes the password and uses the code as the only credential. Both are the same Bird Verify send-then-check flow — what changes is whether a password sits in front of it.
Is passwordless less secure without a password?+
It removes the most-attacked credential: passwords get reused, phished, and breached. The one-time code is generated cryptographically, stored only as a hash, and guarded by attempt lockout and send caps, so possession of the channel is the factor.
Can users log in without typing a code at all?+
That's where silent (carrier-network) authentication is headed: confirming the phone number through the mobile network with no code to enter. It's designed into the Verify model as a future channel, so adopting it later won't mean re-architecting your login.
Who do my users see the code from?+
Authifly, Bird's verification brand. It's the identity on every code your users receive: email arrives from otp@verify.authifly.com or your own verified domain, and SMS and WhatsApp are Authifly-branded. authifly.com is a public page that reassures recipients Authifly sends legitimate one-time codes on a business's behalf. Bird is the platform you build on; Authifly is what the recipient sees.

Build it on the Verify platform

The channels and controls behind passwordless login.

Email OTPEmail magic-code login for users you reach by inbox, no phone required.SMS OTPPhone-number login: the code texted to the user is the credential.Channel orchestrationDecide which channel signs each user in, per country, as configuration.Anti-abuse & code securityHashed codes, attempt lockout, and the fraud layer coming next.Verify API overviewThe full Verify API: create-or-retry, check by target, and per-country config.

Drop the password. Keep the API simple.

Bird Verify is the login itself when you go passwordless — SMS and email now, with silent network auth designed in for later.

Explore the Verify platformGet started

Start with one channel.
Add the others when you're ready.

A test API key is yours immediately. Production unlocks when you add a payment method and verify a sender.

Get startedRead docs

Using Claude Code, Cursor, or Codex? Copy a setup prompt and your agent installs the Bird CLI and skills for you. Pick yours:

Cursor