Configure email verification, password reset, magic links, OTP, and provider-backed delivery.
Kernia treats email delivery as application infrastructure. The auth server decides when to send verification, password reset, magic-link, or OTP messages; your configured delivery function sends the actual email through SMTP, Resend, Postmark, or another provider.
Email verification
Enable email/password and require verification when new accounts should prove mailbox ownership before they can sign in.

import os

from kernia.types.init_options import EmailPasswordOptions

# init, KerniaOptions and adapter are assumed to be imported or defined elsewhere in your app.
auth = init(KerniaOptions(
    database=adapter,
    secret=os.environ["KERNIA_SECRET"],
    email_and_password=EmailPasswordOptions(
        enabled=True,
        require_email_verification=True,
    ),
    advanced={
        "send_verification_email": send_verification_email,
    },
))

# Delivery function referenced above; define it before the init() call.
async def send_verification_email(*, email: str, url: str, token: str) -> None:
    await email_client.send(
        to=email,
        subject="Verify your email",
        html=f'<a href="{url}">Verify email</a>',
    )

Password reset
The email/password routes create a verification token and call the reset sender configured by the application. Treat reset URLs as secrets: give them a short expiration, serve them only over HTTPS, and make each one single use.
/api/auth/forget-password: Creates a password reset token and asks the configured sender to deliver it.
/api/auth/reset-password: Consumes the reset token and writes the new password hash.
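
The sender's share of treating reset URLs as secrets, as an added example (not Kernia's own code): it refuses any link that is not HTTPS to the application host, keeps the token and URL out of logs, escapes the URL in the HTML body, and throttles mail per address. The keyword signature is assumed to match send_verification_email above; APP_HOST, COOLDOWN_SECONDS, send_reset_email and FakeEmailClient are hypothetical names for illustration.

```python
import hashlib
import html
import logging
import time
from urllib.parse import urlsplit

log = logging.getLogger("auth.mail")
APP_HOST = "app.example.com"   # assumed: the only host a reset link may point at
COOLDOWN_SECONDS = 60          # assumed: minimum gap between reset mails per address
_last_sent: dict[str, float] = {}

class FakeEmailClient:
    """Constructed stand-in for the page's email_client so the example runs offline."""
    def __init__(self):
        self.outbox = []

    async def send(self, *, to, subject, html):
        self.outbox.append({"to": to, "subject": subject, "html": html})

email_client = FakeEmailClient()

def check_reset_url(url: str) -> None:
    """Accept only an HTTPS link to our own host, with no userinfo part."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("reset link must use https")
    if parts.hostname != APP_HOST or parts.username or parts.password:
        raise ValueError("reset link must point at the application host")

async def send_reset_email(*, email: str, url: str, token: str) -> bool:
    """Deliver one reset link; return False when the address is throttled."""
    check_reset_url(url)
    key = email.strip().lower()
    now = time.monotonic()
    if now - _last_sent.get(key, float("-inf")) < COOLDOWN_SECONDS:
        log.warning("reset mail throttled")
        return False
    _last_sent[key] = now
    # Log a short fingerprint only: anyone who can read the token can reset the account.
    log.info("reset mail queued ref=%s", hashlib.sha256(token.encode()).hexdigest()[:8])
    await email_client.send(
        to=email,
        subject="Reset your password",
        html=f'<a href="{html.escape(url, quote=True)}">Reset password</a>',
    )
    return True
```

Expiration and single use remain the auth server's job; the in-memory throttle table here is per process and would need shared storage behind multiple workers.
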
Magic link
The magic-link plugin sends a one-click sign-in URL. It is useful for low-friction apps but should be paired with rate limits and clear device/session management.

from kernia.plugins.magic_link import magic_link

auth = init(KerniaOptions(
    database=adapter,
    secret=os.environ["KERNIA_SECRET"],
    plugins=(magic_link(),),
    advanced={
        "magic-link": {"send_magic_link": send_magic_link},
    },
))

Email OTP
Email OTP is better when a user is expected to type a code into an existing screen. Configure code length, expiration, and the send function.

from kernia.plugins.email_otp import email_otp

advanced={
    "email-otp": {
        "send_otp": send_email_otp,
        "otp_length": 6,
        "expires_in": 300,
    },
}

Admin-configured clients
The admin config plugin stores SMTP, Resend, and Postmark configuration in the database. Secret fields are write-only and redacted on read. This is for SaaS admin UX; production systems should still keep provider credentials restricted at the infrastructure layer.