How to Create Permanent Test Accounts for App Store Reviewers with Supabase
TLDR
If you're building a mobile app with Supabase authentication using Magic Links or OTP, App Store guidelines require you to provide a permanent demo account. Use a PostgreSQL trigger to intercept specific test email addresses and set their authentication tokens to a predictable value (123456).
Quick Setup:
- Open Supabase SQL Editor
- Create a trigger function that sets recovery_token for test emails
- Provide reviewers with: Email reviewer1@example.com or reviewer2@example.com, Code 123456
The Problem
App Store guidelines require you to provide a demo account with a permanent username and password. However, if your app uses Magic Links or OTP (One-Time Password) via email, the login codes are random and expire. You can't give an Apple reviewer access to your Gmail inbox to check for a code.
The Solution
You can use a PostgreSQL Trigger in your Supabase dashboard to intercept specific "test" email addresses and force their authentication tokens to be a predictable, hardcoded value.
Here is how to set it up in 3 steps.
Step 1: Open the SQL Editor
Go to your Supabase Dashboard, open the SQL Editor, and create a new query.
Step 2: Create the Function and Trigger
Copy and paste the code below. This script listens for specific email addresses (e.g., your reviewer accounts) and manually sets their recovery_token to a predictable hash based on the email and a secret string (in this case, '123456').
It also adjusts the timestamp (recovery_sent_at) to ensure the token is considered "fresh" and valid by the system.
-- 1. Create the function to hijack the token generation
--    (schema-qualified so it matches the trigger definition below)
CREATE OR REPLACE FUNCTION public.preset_otp()
RETURNS trigger
AS $$
BEGIN
    -- Define your test emails here; anyone who knows a listed email
    -- can sign in to that account with the code 123456
    IF (NEW.email = ANY(ARRAY['reviewer1@example.com', 'reviewer2@example.com'])) THEN
        -- Force the recovery token to be a hash of the email + '123456'
        NEW.recovery_token := encode(sha224(concat(NEW.email, '123456')::bytea), 'hex');
        -- Make the token appear as if it was just sent
        NEW.recovery_sent_at := NOW() - INTERVAL '2 minutes';
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

-- 2. Attach the trigger to the auth.users table
--    (fires on every insert or update of a row, so the token is re-set each time)
CREATE OR REPLACE TRIGGER preset_otp
BEFORE INSERT OR UPDATE ON auth.users
FOR EACH ROW EXECUTE PROCEDURE public.preset_otp();

Note: The emails reviewer1@example.com and reviewer2@example.com are configured to use the hardcoded code 123456.
Step 3: Update Your App Logic (Optional)
Depending on how your login screen verifies users:
- For Magic Links: You can now construct the magic link manually because you know the token logic.
- For OTPs: If you are verifying codes, ensure your backend or edge function handles the verification by recognizing these specific emails and accepting the hardcoded logic provided in the trigger.
Why this works
This creates a "backdoor" only for the specific emails you define. Normal users continue to get random, secure codes via email, but your App Store reviewer can log in using the credentials you provided without needing email access.
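The trigger leaves a standing credential on the listed accounts for as long as it exists, so it is worth checking what it covers and removing it once review is over. The SQL below is an added example, not part of the original post; it reuses the names from the snippet above and assumes the last_sign_in_at column of auth.users and that an empty string is an acceptable "cleared" value for recovery_token.

```sql
-- Added example: audit and teardown for the preset_otp backdoor.
-- Run in the Supabase SQL Editor. Names and the code '123456' come from
-- the trigger snippet above; everything else is labelled as an assumption.

-- 1. Inventory: every user-defined trigger on auth.users with its definition,
--    so an unexpected or forgotten trigger is visible.
SELECT tgname,
       tgenabled,
       pg_get_triggerdef(oid) AS definition
FROM pg_trigger
WHERE tgrelid = 'auth.users'::regclass
  AND NOT tgisinternal;

-- 2. Audit: accounts whose stored token equals the preset hash, i.e. accounts
--    that can currently be signed in to with the static code. Any email here
--    that is not one of your reviewer accounts needs investigating.
--    (last_sign_in_at is assumed to exist, as in the standard auth.users table.)
SELECT id,
       email,
       recovery_sent_at,
       last_sign_in_at
FROM auth.users
WHERE recovery_token = encode(sha224(concat(email, '123456')::bytea), 'hex');

-- 3. Teardown once the review is finished. The trigger is dropped first so
--    the UPDATE below is not intercepted and the token re-set.
BEGIN;

DROP TRIGGER IF EXISTS preset_otp ON auth.users;
DROP FUNCTION IF EXISTS public.preset_otp();

-- Clear the static token on the reviewer accounts.
-- Assumption: '' (not NULL) is the value the auth service treats as "no token".
UPDATE auth.users
SET recovery_token   = '',
    recovery_sent_at = NULL
WHERE email = ANY (ARRAY['reviewer1@example.com', 'reviewer2@example.com']);

COMMIT;

-- 4. Re-run query 2: it should now return zero rows.
```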

App Store Submission Templates
Here are the text templates you can copy and paste directly into App Store Connect (under App Review Information) and Google Play Console (under App Access).
Option 1: If your App asks for a 6-Digit Code (OTP)
Since you hardcoded the logic (using 123456 based on your SQL snippet), use this message to instruct the reviewer not to wait for a real email.
For App Store Connect:
Demo Account Information:
Username/Email: reviewer1@example.com
Verification Code: 123456
Notes:
This account is configured with a static One-Time Password (OTP) for review purposes. You do not need to access an external email inbox. Please enter the email above, and when prompted for the verification code, enter "123456" to log in immediately.
For Google Play Console (App Access):
- Select "All or some functionality is restricted".
- Click "Add new instructions".
- Name: Test Account Login
- Phone/Email: reviewer1@example.com
- Password/OTP: 123456
- Any other instructions: This is a pre-configured test account. The OTP code is hardcoded to "123456" for this specific email address to bypass email verification constraints during review.
Option 2: If your App uses Magic Links (No Code Input)
If your app typically requires clicking a link in an email, but you have modified the flow to accept a password or a manual entry for reviewers:
Demo Account Information:
Email: reviewer1@example.com
Password/Secret: 123456
Notes:
Our app normally uses magic links for authentication. For the review process, we have enabled a bypass for the specific email address above.
Please enter the email, and if a code or password field appears (or if you are using a debug login flow), enter "123456" to proceed without checking email.
Summary
This solution allows you to:
- Provide permanent demo accounts for App Store reviewers
- Bypass email verification for specific test accounts
- Maintain security for regular users (they still get random codes)
- Use predictable credentials (reviewer1@example.com / reviewer2@example.com with code 123456)
The PostgreSQL trigger intercepts authentication token generation only for the specified test email addresses, ensuring App Store reviewers can access your app without needing to check email inboxes.