For specific information and migration guidance, visit theDynamic Links Deprecation FAQ.

You can useFirebase Authentication to sign in a user by sending them an emailcontaining a link, which they can click to sign in. In the process, the user'semail address is also verified.

There are numerous benefits to signing in by email:

• Low friction sign-up and sign-in.
• Lower risk of password reuse across applications, which can undermine securityof even well-selected passwords.
• The ability to authenticate a user while also verifying that the user is thelegitimate owner of an email address.
• A user only needs an accessible email account to sign in. No ownership of aphone number or social media account is required.
• A user can sign in securely without the need to provide (or remember) apassword, which can be cumbersome on a mobile device.
• An existing user who previously signed in with an email identifier (passwordor federated) can be upgraded to sign in with just the email. For example, auser who has forgotten their password can still sign in without needing toreset their password.

Before you begin

Set up your Android project

1. If you haven't already,add Firebase to your Android project.

2. In yourmodule (app-level) Gradle file(usually<project>/<app-module>/build.gradle.kts or<project>/<app-module>/build.gradle),add the dependency for theFirebase Authentication library for Android. We recommend using theFirebase Android BoMto control library versioning.

   Also, as part of setting upFirebase Authentication, you need to add theGoogle Play services SDK to your app.

   dependencies{// Import theBoM for the Firebase platformimplementation(platform("com.google.firebase:firebase-bom:34.9.0"))// Add the dependency for theFirebase Authentication library// When using theBoM, you don't specify versions in Firebase library dependenciesimplementation("com.google.firebase:firebase-auth")
   // Also add the dependency for the Google Play services library and specify its versionimplementation("com.google.android.gms:play-services-auth:21.5.1")}

   By using theFirebase Android BoM, your app will always use compatible versions of Firebase Android libraries.

   (Alternative)  Add Firebase library dependencies without using theBoM

   If you choose not to use theFirebase BoM, you must specify each Firebase library version in its dependency line.

   Note that if you usemultiple Firebase libraries in your app, we strongly recommend using theBoM to manage library versions, which ensures that all versions are compatible.

   dependencies{// Add the dependency for theFirebase Authentication library// When NOT using theBoM, you must specify versions in Firebase library dependenciesimplementation("com.google.firebase:firebase-auth:24.0.1")
   // Also add the dependency for the Google Play services library and specify its versionimplementation("com.google.android.gms:play-services-auth:21.5.1")}

Enable Email Link sign-in for your Firebase project

To sign in users by email link, you must first enable the Email provider andEmail link sign-in method for your Firebase project:

1. In theFirebase console, open theAuth section.
2. On theSign in method tab, enable theEmail/Password provider. Notethat email/password sign-in must be enabled to use email link sign-in.
3. In the same section, enableEmail link (passwordless sign-in) sign-inmethod.
4. ClickSave.

Send an authentication link to the user's email address

To initiate the authentication flow, present the user with an interface thatprompts the user to provide their email address and then callsendSignInLinkToEmail to request that Firebase send the authentication link tothe user's email.

1. Construct theActionCodeSettingsobject, which provides Firebase with instructions on how to construct theemail link. Set the following fields:

   • url: The deep link to embed and any additional state to be passed along.The link's domain has to be whitelisted in the Firebase Console list ofauthorized domains, which can be found by going to the Sign-in method tab(Authentication -> Sign-in method). The link will redirect the user tothis URL if the app is not installed on their device and the app was notable to be installed.
   Important: In projects created after April 28, 2025,Firebase Authenticationno longer includeslocalhost as an authorized domain by default. Googlestrongly discourages the use oflocalhost in production projects. If youchoose to authorizelocalhost, you can manually add it in theSettingspage, inAuthorized Domains, by clickingAdd Domain.
   • androidPackageName andiOSBundleId: HelpsFirebase Authentication determineif it should create a web-only or mobile link which is opened on anAndroid or Apple device.
   • handleCodeInApp: Set to true. The sign-in operation has to always becompleted in the app unlike other out of band email actions (passwordreset and email verifications). This is because, at the end of the flow,the user is expected to be signed in and their Auth state persisted withinthe app.
   • linkDomain: When customHosting link domains are defined for aproject, specify which one to use when the link is to be opened by aspecified mobile app. Otherwise, the default domain is automaticallyselected (for example,PROJECT_ID.firebaseapp.com).
   • dynamicLinkDomain: Deprecated. Don't specify this parameter.

   Kotlin

   valactionCodeSettings=actionCodeSettings{// URL you want to redirect back to. The domain (www.example.com) for this// URL must be whitelisted in the Firebase Console.url="https://www.example.com/finishSignUp?cartId=1234"// This must be truehandleCodeInApp=truesetIOSBundleId("com.example.ios")setAndroidPackageName("com.example.android",true,// installIfNotAvailable"12",// minimumVersion)}
   MainActivity.kt

   Java

   ActionCodeSettingsactionCodeSettings=ActionCodeSettings.newBuilder()// URL you want to redirect back to. The domain (www.example.com) for this// URL must be whitelisted in the Firebase Console..setUrl("https://www.example.com/finishSignUp?cartId=1234")// This must be true.setHandleCodeInApp(true).setIOSBundleId("com.example.ios").setAndroidPackageName("com.example.android",true,/* installIfNotAvailable */"12"/* minimumVersion */).build();
   MainActivity.java

   To learn more on ActionCodeSettings, refer to thePassing State in Email Actionssection.

2. Ask the user for their email.

3. Send the authentication link to the user's email, and save the user's emailin case the user completes the email sign-in on the same device.

   Kotlin

   Firebase.auth.sendSignInLinkToEmail(email,actionCodeSettings).addOnCompleteListener{task->if(task.isSuccessful){Log.d(TAG,"Email sent.")}}
   MainActivity.kt

   Java

   FirebaseAuthauth=FirebaseAuth.getInstance();auth.sendSignInLinkToEmail(email,actionCodeSettings).addOnCompleteListener(newOnCompleteListener<Void>(){@OverridepublicvoidonComplete(@NonNullTask<Void>task){if(task.isSuccessful()){Log.d(TAG,"Email sent.");}}});
   MainActivity.java

Complete sign in with the email link

Security concerns

To prevent a sign-in link from being used to sign in as an unintended user or onan unintended device,Firebase Authentication requires the user's email address to beprovided when completing the sign-in flow. For sign-in to succeed, this emailaddress must match the address to which the sign-in link was originally sent.

You can streamline this flow for users who open the sign-in link on the samedevice they request the link, by storing their email address locally - forinstance using SharedPreferences - when you send the sign-in email. Then,use this address to complete the flow.Do not pass the user’s email in the redirect URL parameters and re-use it asthis may enable session injections.

After sign-in completion, any previous unverified mechanism of sign-in will beremoved from the user and any existing sessions will be invalidated.For example, if someone previously created an unverified account with the sameemail and password, the user’s password will be removed to prevent theimpersonator who claimed ownership and created that unverified account fromsigning in again with the unverified email and password.

Also make sure you use an HTTPS URL in production to avoid your link beingpotentially intercepted by intermediary servers.

Completing sign-in in an Android App

Firebase Authentication usesFirebase Hosting to send the email link to amobile device. For sign-in completion via mobile application, the applicationhas to be configured to detect the incoming application link, parse theunderlying deep link and then complete the sign-in. To learn more, seeAndroidApp Links documentation.

ConfigureFirebase Hosting

Firebase Authentication usesFirebase Hosting domains whencreating and sending a link that is meant to be opened in a mobile application.A defaultFirebase Hosting domain has already been configured for you.

1. ConfigureFirebase Hosting domains:

   In theFirebase console, open theHosting section.

   • If you want to use the default domain for the email link that opens inmobile applications, go to your default site and take note of your defaultHosting domain. A defaultHosting domain typically looks likethis:PROJECT_ID.firebaseapp.com.

     You'll need this value when you configure your app to intercept theincoming link.

   • If you want to use a custom domain for the email link, you canregister one withFirebase Hostingand use that for the link's domain.

2. Configuring Android applications:

   In order to handle these links from your Android application, your app'spackage name needs to be specified in theFirebase consoleproject settings. In addition, the SHA-1 and SHA-256 of the applicationcertificate need to be provided.

   If you want these links to redirect to a specific activity, you will need toconfigure an intent filter in yourAndroidManifest.xml file. The intentfilter should catch email links of your domain. InAndroidManifest.xml:

   <intent-filterandroid:autoVerify="true"><actionandroid:name="android.intent.action.VIEW"/><categoryandroid:name="android.intent.category.BROWSABLE"/><categoryandroid:name="android.intent.category.DEFAULT"/><dataandroid:scheme="https"android:host="<PROJECT_ID>.firebaseapp.comoryourcustomdomain"android:pathPrefix="/__/auth/links"/></intent-filter>

   When users open a hosting link with the/__/auth/links path and the schemeand host you specify, your app will start the activity with this intentfilter tohandle the link.

Verify link and sign in

After you receive the link as described above, verify that it is meant for emaillink authentication and complete the sign in.

valauth=Firebase.authvalintent=intentvalemailLink=intent.data.toString()// Confirm the link is a sign-in with email link.if(auth.isSignInWithEmailLink(emailLink)){// Retrieve this from wherever you stored itvalemail="someemail@domain.com"// The client SDK will parse the code from the link for you.auth.signInWithEmailLink(email,emailLink).addOnCompleteListener{task->if(task.isSuccessful){Log.d(TAG,"Successfully signed in with email link!")valresult=task.result// You can access the new user via result.getUser()// Additional user info profile *not* available via:// result.getAdditionalUserInfo().getProfile() == null// You can check if the user is new or existing:// result.getAdditionalUserInfo().isNewUser()}else{Log.e(TAG,"Error signing in with email link",task.exception)}}}
MainActivity.kt

FirebaseAuthauth=FirebaseAuth.getInstance();Intentintent=getIntent();StringemailLink=intent.getData().toString();// Confirm the link is a sign-in with email link.if(auth.isSignInWithEmailLink(emailLink)){// Retrieve this from wherever you stored itStringemail="someemail@domain.com";// The client SDK will parse the code from the link for you.auth.signInWithEmailLink(email,emailLink).addOnCompleteListener(newOnCompleteListener<AuthResult>(){@OverridepublicvoidonComplete(@NonNullTask<AuthResult>task){if(task.isSuccessful()){Log.d(TAG,"Successfully signed in with email link!");AuthResultresult=task.getResult();// You can access the new user via result.getUser()// Additional user info profile *not* available via:// result.getAdditionalUserInfo().getProfile() == null// You can check if the user is new or existing:// result.getAdditionalUserInfo().isNewUser()}else{Log.e(TAG,"Error signing in with email link",task.getException());}}});}
MainActivity.java

To learn more on how to handle sign-in with email link in an Apple application,refer to theApple platforms guide.

To learn about how to handle sign-in with email link in a web application, referto theWeb guide.

Linking/re-authentication with email link

You can also link this method of authentication to an existing user. For examplea user previously authenticated with another provider, such as a phone number,can add this method of sign-in to their existing account.

The difference would be in the second half of the operation:

// Construct the email link credential from the current URL.valcredential=EmailAuthProvider.getCredentialWithLink(email,emailLink)// Link the credential to the current user.Firebase.auth.currentUser!!.linkWithCredential(credential).addOnCompleteListener{task->if(task.isSuccessful){Log.d(TAG,"Successfully linked emailLink credential!")valresult=task.result// You can access the new user via result.getUser()// Additional user info profile *not* available via:// result.getAdditionalUserInfo().getProfile() == null// You can check if the user is new or existing:// result.getAdditionalUserInfo().isNewUser()}else{Log.e(TAG,"Error linking emailLink credential",task.exception)}}
MainActivity.kt

// Construct the email link credential from the current URL.AuthCredentialcredential=EmailAuthProvider.getCredentialWithLink(email,emailLink);// Link the credential to the current user.auth.getCurrentUser().linkWithCredential(credential).addOnCompleteListener(newOnCompleteListener<AuthResult>(){@OverridepublicvoidonComplete(@NonNullTask<AuthResult>task){if(task.isSuccessful()){Log.d(TAG,"Successfully linked emailLink credential!");AuthResultresult=task.getResult();// You can access the new user via result.getUser()// Additional user info profile *not* available via:// result.getAdditionalUserInfo().getProfile() == null// You can check if the user is new or existing:// result.getAdditionalUserInfo().isNewUser()}else{Log.e(TAG,"Error linking emailLink credential",task.getException());}}});
MainActivity.java

This can also be used to re-authenticate an email link user before running asensitive operation.

// Construct the email link credential from the current URL.valcredential=EmailAuthProvider.getCredentialWithLink(email,emailLink)// Re-authenticate the user with this credential.Firebase.auth.currentUser!!.reauthenticateAndRetrieveData(credential).addOnCompleteListener{task->if(task.isSuccessful){// User is now successfully reauthenticated}else{Log.e(TAG,"Error reauthenticating",task.exception)}}
MainActivity.kt

// Construct the email link credential from the current URL.AuthCredentialcredential=EmailAuthProvider.getCredentialWithLink(email,emailLink);// Re-authenticate the user with this credential.auth.getCurrentUser().reauthenticateAndRetrieveData(credential).addOnCompleteListener(newOnCompleteListener<AuthResult>(){@OverridepublicvoidonComplete(@NonNullTask<AuthResult>task){if(task.isSuccessful()){// User is now successfully reauthenticated}else{Log.e(TAG,"Error reauthenticating",task.getException());}}});
MainActivity.java

However, as the flow could end up on a different device where the original userwas not logged in, this flow might not be completed. In that case, an error canbe shown to the user to force them to open the link on the same device. Somestate can be passed in the link to provide information on the type of operationand the user uid.

Deprecated:Firebase Dynamic Links based verification

Email link authentication previously relied onFirebase Dynamic Links, which will beshut down on August 25, 2025.

We've published an alternative solution in theFirebase Authentication Android SDKv23.2.0+ andFirebase BoM v33.9.0+.

If your app uses the old style links, you shouldmigrate your app to the newFirebase Hosting basedsystem.

Deprecated: Differentiating email-password from email link

If you created your project on or after September 15, 2023, email enumerationprotection is enabled by default. This feature improves the security of yourproject's user accounts, but it disables thefetchSignInMethodsForEmail()method, which we formerly recommended to implement identifier-first flows.

Although you can disable email enumeration protection for your project, werecommend against doing so.

See the documentation onemail enumeration protectionfor more details.

Next steps

After a user signs in for the first time, a new user account is created andlinked to the credentials—that is, the user name and password, phonenumber, or auth provider information—the user signed in with. This newaccount is stored as part of your Firebase project, and can be used to identifya user across every app in your project, regardless of how the user signs in.

• In your apps, you can get the user's basic profile information from theFirebaseUser object. SeeManage Users.

• In yourFirebase Realtime Database andCloud StorageSecurity Rules, you can get the signed-in user's unique user ID from theauth variable, and use it to control what data a user can access.

You can allow users to sign in to your app using multiple authenticationproviders bylinking auth provider credentials to anexisting user account.

To sign out a user, callsignOut:

Firebase.auth.signOut()
MainActivity.kt

FirebaseAuth.getInstance().signOut();
MainActivity.java