Client Authentication
PowerSync clients (i.e. apps used by your users that embed the PowerSync Client SDK) authenticate against the server-side PowerSync Service using JWTs (signed tokens).
Client Authentication Options
Development & Testing
For a quick way to get up and running during development, you can generate Development Tokens directly from the PowerSync Dashboard (PowerSync Cloud) or locally with a self-hosted setup.
Proper Authentication Integration (Needed for Production)
Use Existing JWT from Auth Provider: Some authentication providers already generate JWTs for users which PowerSync can verify directly — see Common Authentication Providers below.
Custom Auth Integration: Generate JWTs: For others, some backend code must be added to your application backend to generate the JWTs needed for PowerSync — see Custom authentication.
Common Authentication Providers
PowerSync supports JWT-based authentication from various providers. The table below shows commonly used authentication providers, their JWKS URLs, and any specific configuration requirements.
Scroll the table horizontally.
| Provider | Configuration Notes | Documentation | JWKS URL |
|---|
| Supabase | Uses Supabase’s JWT Secret | Supabase Auth Setup | Direct integration available |
| Firebase Auth / GCP Identity Platform | JWT Audience: Firebase project ID | Firebase Auth Setup | https://www.googleapis.com/service_accounts/v1/jwk/[email protected] |
| Auth0 | JWT Audience: PowerSync instance URL | Auth0 Setup | https://{auth0-domain}/.well-known/jwks.json |
| Clerk | Additional configuration may be required | Clerk Documentation | https://{yourClerkDomain}/.well-known/jwks.json |
| Stytch | Additional configuration may be required | Stytch Documentation | https://{live_or_test}.stytch.com/v1/sessions/jwks/{project-id} |
| Keycloak | Additional configuration may be required | Keycloak Documentation | https://{your-keycloak-domain}/auth/realms/{realm-name}/protocol/openid-connect/certs |
| Amazon Cognito | Additional configuration may be required | Cognito Documentation | https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json |
| Azure AD | Additional configuration may be required | Azure AD Documentation | https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys |
| Google Identity | Additional configuration may be required | Google Identity Documentation | https://www.googleapis.com/oauth2/v3/certs |
| SuperTokens | Additional configuration may be required | SuperTokens Documentation | https://{YOUR_SUPER_TOKENS_CORE_CONNECTION_URI}/.well-known/jwks.json |
| WorkOS | Additional configuration may be required | WorkOS Documentation | https://api.workos.com/sso/jwks/{YOUR_CLIENT_ID} |
| Custom JWT | See custom auth requirements | Custom Auth Setup | Your own JWKS endpoint |
