Building
How to Build Auth Without Passwords
Email verification codes, HMAC-signed cookies, 30-day sessions. Simpler than OAuth, more secure than passwords. One file, four functions.
April 11, 2026
🔐
The problem
Passwords are broken. Users forget them. Developers store them insecurely. Support teams reset them.
55,000 customers needed to migrate from Shopify to a new platform. Zero friction. No re-purchasing. No password creation.
The answer: email verification codes. No password field anywhere on the site.
How it works
- Enter email
- Get a 6-digit code (10-minute expiry)
- Enter code
- Signed cookie set (30 days)
No password. No OAuth. No "forgot password" flow. Nothing to forget.