Home

Auth

Overview#

There are two parts to every Auth system:

  • Authentication: should this person be allowed in? If yes, who are they?
  • Authorization: once they are in, what are they allowed to do?

Supabase Auth is designed to work either as a standalone product, or deeply integrated with the other Supabase products. Postgres is at the heart of everything we do, and the Auth system follows this principle. We leverage Postgres' built-in Auth functionality wherever possible.

Here's a quick, 2 minute tour of the Auth features built-in to Supabase:

Authentication#

You can authenticate your users in several ways:

  • Email & password.
  • Magic links (one-click logins).
  • Social providers.
  • Phone logins.

Providers#

We provide a suite of Providers and login methods, as well as Auth helpers.

Social Auth

Phone Auth

Configure third-party providers#

You can enable third-party providers with the click of a button by navigating to Authentication > Providers > Auth Providers and inputting your Client ID and Secret for each.

OAuth Logins.

Redirect URLs and wildcards#

When using third-party providers, the Supabase client library redirects the user to the provider. When the third-party provider successfully authenticates the user, the provider redirects the user to the Supabase Auth callback URL where they are further redirected to the URL specified in the redirectTo parameter. This parameter defaults to the SITE_URL. You can modify the SITE_URL or add additional redirect URLs.

You can use wildcard match patterns to support preview URLs from providers like Netlify and Vercel. See the full list of supported patterns. Use this tool to test your patterns.

⚠️ WARNING: While the "globstar" (**) is useful for local development and preview URLs, we recommend setting the exact redirect URL path for your site URL in production.

Netlify preview URLs

For deployments with Netlify, set the SITE_URL to your official site URL. Add the following additional redirect URLs for local development and deployment previews:

  • http://localhost:3000/**
  • https://**--my_org.netlify.app/**

Vercel preview URLs

For deployments with Vercel, set the SITE_URL to your official site URL. Add the following additional redirect URLs for local development and deployment previews:

  • http://localhost:3000/**
  • https://*-username.vercel.app/**

Vercel provides an environment variable for the URL of the deployment called NEXT_PUBLIC_VERCEL_URL. See the Vercel docs for more details. You can use this variable to dynamically redirect depending on the environment:


_18
const getURL = () => {
_18
let url =
_18
process?.env?.NEXT_PUBLIC_SITE_URL ?? // Set this to your site URL in production env.
_18
process?.env?.NEXT_PUBLIC_VERCEL_URL ?? // Automatically set by Vercel.
_18
'http://localhost:3000/';
_18
// Make sure to include `https://` when not localhost.
_18
url = url.includes('http') ? url : `https://${url}`;
_18
// Make sure to including trailing `/`.
_18
url = url.charAt(url.length - 1) === '/' ? url : `${url}/`;
_18
return url;
_18
};
_18
_18
const { data, error } = await supabase.auth.signInWithOAuth({
_18
provider: 'github'
_18
options: {
_18
redirectTo: getURL()
_18
}
_18
}

Mobile deep linking URIs

For mobile applications you can use deep linking URIs. For example for your SITE_URL you can specify something like com.supabase://login-callback/ and for additional redirect URLs something like com.supabase.staging://login-callback/ if needed.

Authorization#

When you need granular authorization rules, nothing beats PostgreSQL's Row Level Security (RLS).

Policies are PostgreSQL's rule engine. They are incredibly powerful and flexible, allowing you to write complex SQL rules which fit your unique business needs.

Get started with our Row Level Security Guides.

Row Level Security#

Authentication only gets you so far. When you need granular authorization rules, nothing beats PostgreSQL's Row Level Security (RLS). Supabase makes it simple to turn RLS on and off.

Policies#

Policies are PostgreSQL's rule engine. They are incredibly powerful and flexible, allowing you to write complex SQL rules which fit your unique business needs.

With policies, your database becomes the rules engine. Instead of repetitively filtering your queries, like this ...


_10
const loggedInUserId = 'd0714948'
_10
let { data, error } = await supabase
_10
.from('users')
_10
.select('user_id, name')
_10
.eq('user_id', loggedInUserId)
_10
_10
// console.log(data)
_10
// => { id: 'd0714948', name: 'Jane' }

... you can simply define a rule on your database table, auth.uid() = user_id, and your request will return the rows which pass the rule, even when you remove the filter from your middleware:


_10
let { data, error } = await supabase.from('users').select('user_id, name')
_10
_10
// console.log(data)
_10
// Still => { id: 'd0714948', name: 'Jane' }

How It Works#

  1. A user signs up. Supabase creates a new user in the auth.users table.
  2. Supabase returns a new JWT, which contains the user's UUID.
  3. Every request to your database also sends the JWT.
  4. Postgres inspects the JWT to determine the user making the request.
  5. The user's UID can be used in policies to restrict access to rows.

Supabase provides a special function in Postgres, auth.uid(), which extracts the user's UID from the JWT. This is especially useful when creating policies.

User Management#

Supabase provides multiple endpoints to authenticate and manage your users:

When users sign up, Supabase assigns them a unique ID. You can reference this ID anywhere in your database. For example, you might create a profiles table referencing id in the auth.users table using a user_id field.