Checking the email or phone before sending a verification code

You can call a function to check the entered email or phone before we send a verification code or magic link.

Use case

  • You only allow specific list of pre-screened phone numbers or emails

  • You want to know if the user is already registered, and redirect them to a Login page instead

  • You want to check if the email is from a certain domain

Check out this example code that only allows business email to login.


var cotter = new Cotter("<YOUR_API_KEY_ID>"); 

  .signInWithLink(myOnBeginFunction) // 👈 Pass in your function here
  .then(payload => {})
  .catch(payload => {});

The OnBegin function specification

This function will be invoked before we send the verification code or magic link. You will receive the following payload as a parameter to your function

Payload passed into your OnBegin function

var payload = {
  identifier: "+12345678910",
  identifier_type: "PHONE",
  device_type: "BROWSER",
  device_name: "Chrome ...",
  client_json: { // This is available if you set up AdditionalFields
    "name": "Hello World",
    "address": "Street Address"

You can do a check against the identifier here before the form is submitted.

If you include OnBegin key, you have to either return an error string, or return null if you want to continue the authentication process:

A. If you want to continue submission:

return null;

B. If you want to stop submission with an error:

return "Your error message";

Example with sync function:

 const myOnBeginFunction = payload => {
  if (payload.identifier != "+12345678910") {
    return "Phone Number is not allowed";
  // No error, continue submission
  return null;

Example with async function:

 const myOnBeginFunction = async (payload)=> {
    try {
     let allowed = await checkIfPhoneAllowed(payload.identifier);
     if (!allowed) {
       return "Phone Number is not allowed";
    } catch (e) {
     return e.message; // Make sure this is a string!
    // No error, continue submission
    return null;

You should also check the email when Verifying the JWT Token

When a user logs in to Cotter, the SDK generates an access_token that you can send to your backend API to authorize a request. This access token contains the user's email or phone number. You should check if the email or phone number is allowed to log in in your backend server when validating the JWT token in addition to the OnBegin function.

Last updated