Use an email verification link
Use this for first registration, email verification, recovery, or a passwordless fallback. The link must complete through the Supabase Auth callback before a session is stored.
Choose the path that matches your account. Authentication confirms who you are; workspace access still requires an existing workspace member mapping, accepted invite, or approved operator setup.
Use this for everyday login after your Supabase Auth account is already registered and verified. Passwords are submitted only to Supabase Auth and are not stored by AI Campaign OS.
Google login uses Supabase Auth and the same hosted identity setup. Redirect login remains available when OAuth is configured, and Google One Tap can be enabled separately as an optional easier login for registered users.
Google One Tap is optional for registered users. Email/password and verification links remain available.
No Google client secret belongs in the repository, UI, verifier output, or logs. OAuth tokens, Google ID tokens, Supabase session tokens, cookies, and provider payloads must not be displayed here. One Tap posts the Google credential to a same-origin server route, which exchanges it with Supabase Auth and stores the same httpOnly session cookies as email/password login.
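The One Tap flow described above, sketched as an added example that is not AI Campaign OS code: a same-origin route handler that exchanges the Google credential on the server and returns the session only as httpOnly cookies. The handler name, cookie names, origin, refresh lifetime and the `exchangeIdToken` function (a stand-in for the server-side Supabase Auth ID-token sign-in) are assumptions.

```javascript
// Added example; all names and values below are hypothetical.
const APP_ORIGIN = "https://app.example.test"; // constructed placeholder origin

function sessionCookie(name, value, maxAge) {
  // HttpOnly keeps the token away from page scripts; Secure restricts it to HTTPS.
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=Lax`;
}

// req: { method, headers: { origin }, body: { credential } }
// exchangeIdToken: async (idToken) => { access_token, refresh_token, expires_in }
async function handleOneTap(req, exchangeIdToken) {
  const deny = (status) => ({ status, headers: {}, body: { ok: false } });
  if (req.method !== "POST") return deny(405);
  // Same-origin only: reject posts that did not come from the app's own pages.
  if (req.headers.origin !== APP_ORIGIN) return deny(403);
  const credential = req.body && req.body.credential;
  // A Google ID token is a three-part JWT; refuse anything else before the exchange.
  if (typeof credential !== "string" || credential.split(".").length !== 3) return deny(400);
  let session;
  try {
    session = await exchangeIdToken(credential);
  } catch (err) {
    // Log a fixed message only, never the credential or the provider payload.
    console.error("one-tap exchange failed");
    return deny(401);
  }
  return {
    status: 200,
    headers: {
      "Set-Cookie": [
        sessionCookie("sb-access-token", session.access_token, session.expires_in),
        sessionCookie("sb-refresh-token", session.refresh_token, 60 * 60 * 24 * 7),
      ],
      "Cache-Control": "no-store",
    },
    // The body carries no token, so nothing reaches the UI or client-side logs.
    body: { ok: true },
  };
}
```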
After sign-in, AI Campaign OS still checks the existing workspace member mapping and role before showing workspace, Campaign Fixer, billing, media, or reviewer actions. Wrong-workspace and unmapped users remain blocked.
If sign-in succeeds but no workspace appears, ask an owner or manager for an invite or mapping review. Trying another auth method will not create workspace access by itself.
Production links should use the owned app domain after domain, sender, Supabase redirect, and Google provider sign-off are complete.