Auth Link Rail


Three steps: allow your destinations, generate a protected link, then paste into your email templates.

1) Allow your destinations

Set these in your worker config (e.g. wrangler.toml or Secrets). The rail only redirects to hosts you allow.

Exact hosts (comma-separated)

ALLOWED_DEST_HOSTS="YOURPROJECT.supabase.co,app.yourdomain.com"

Optional: host suffixes (e.g. all Supabase projects)

ALLOWED_DEST_HOST_SUFFIXES=".supabase.co"
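How a check against these two settings can be written, as an added example that is not the rail's own code: the function names and the `env` object are assumptions, and the values are the sample ones shown above. It covers the cases a naive string comparison gets wrong: userinfo in the URL, lookalike suffixes, and non-https schemes.

```javascript
// Added example: hypothetical allowlist check, not the rail's actual source.
// Values mirror the sample config above (constructed for illustration).
const env = {
  ALLOWED_DEST_HOSTS: "YOURPROJECT.supabase.co,app.yourdomain.com",
  ALLOWED_DEST_HOST_SUFFIXES: ".supabase.co",
};

// Split a comma-separated setting into trimmed, lowercased entries.
function parseList(value) {
  return (value || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
}

// Return true only if `dest` is an https URL whose hostname is allowlisted.
function isAllowedDestination(dest, cfg) {
  let url;
  try {
    url = new URL(dest);
  } catch {
    return false; // relative or malformed input is never a valid destination
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // reject user@host forms

  // URL.hostname is already lowercased and excludes port and userinfo.
  const host = url.hostname;
  if (parseList(cfg.ALLOWED_DEST_HOSTS).includes(host)) return true;

  // A suffix must start with "." so "evilsupabase.co" cannot match ".supabase.co".
  return parseList(cfg.ALLOWED_DEST_HOST_SUFFIXES).some(
    (suffix) =>
      suffix.startsWith(".") && suffix.length > 1 && host.endsWith(suffix)
  );
}
```

A suffix entry such as `.supabase.co` admits every host under it, so exact hosts are the tighter setting when you only redirect to your own project.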

2) Generate your protected link

Enter the destination URL (e.g. your Supabase confirmation URL). We'll output a protected link and a snippet you can use server-side.

Testing without Supabase? Create a test destination (e.g. app.suqram.com), add it to your allowlist, then generate a link to it and click through to confirm the flow works.

3) Paste into Supabase templates

Use the same pattern for Magic Link, Invite, and Password Reset: build the rail link server-side (with the snippet above) and put it in the email body instead of the raw confirmation URL.

  • Magic Link — use rail link in place of {{ .ConfirmationURL }}
  • Invite — wrap your invite URL in the rail link format
  • Password Reset — use rail link in place of the default reset URL
