From 465e9d731dfdb1acadf7d6c6cf5cb7edc96d091e Mon Sep 17 00:00:00 2001
From: Suryansh Pandey <suryanshp991@gmail.com>
Date: Sat, 27 Jun 2026 13:03:50 +0530
Subject: [PATCH] fix(otp): improve error messages for phone provider not
 configured and missing fields
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When phone auth is not enabled, the previous error 'Unsupported phone provider'
gave developers no actionable information about how to fix the issue.

This change improves two error messages in otp.go:
1. Phone provider disabled: now tells the developer exactly where to go in the
   dashboard to enable it (Authentication → Providers → Phone)
2. Missing email/phone field: now explains E.164 format requirement for phone

This directly addresses the confusion reported in supabase/supabase#46570
where users receive no verification code and developers have no clear error
to debug.
---
 internal/api/otp.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/internal/api/otp.go b/internal/api/otp.go
index 5f12b0bbe3..472f352bc8 100644
--- a/internal/api/otp.go
+++ b/internal/api/otp.go
@@ -91,7 +91,12 @@ func (a *API) Otp(w http.ResponseWriter, r *http.Request) error {
 		return a.SmsOtp(w, r)
 	}
 
-	return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "One of email or phone must be set")
+	return apierrors.NewBadRequestError(
+    apierrors.ErrorCodeValidationFailed,
+    "One of 'email' or 'phone' must be provided in the request body. "+
+        "If you are using email OTP, ensure the 'email' field is set. "+
+        "If you are using SMS OTP, ensure the 'phone' field is set in E.164 format (e.g. +19998887777).",
+)
 }
 
 type SmsOtpResponse struct {
@@ -105,8 +110,13 @@ func (a *API) SmsOtp(w http.ResponseWriter, r *http.Request) error {
 	config := a.config
 
 	if !config.External.Phone.Enabled {
-		return apierrors.NewBadRequestError(apierrors.ErrorCodePhoneProviderDisabled, "Unsupported phone provider")
-	}
+    return apierrors.NewBadRequestError(
+        apierrors.ErrorCodePhoneProviderDisabled,
+        "SMS/phone authentication is not enabled for this project. "+
+            "To fix this, go to your Supabase Dashboard → Authentication → Providers → Phone, "+
+            "enable Phone Auth, and configure a provider such as Twilio or Vonage.",
+    )
+}
 	var err error
 
 	params := &SmsParams{}