- Standard Supabase Auth
- Anonymous Sign-Ins
- JavaScript Example
- Fully custom auth
- Experimental: We’ve also heard from the community that Supabase’s newly released support for external auth providers works, but we don’t have any examples for this yet.
Supabase JWT Signing Keys
Supabase supports two types of JWT signing keys:
| Type | Algorithm | Description |
|---|---|---|
| Legacy JWT signing keys | HS256 (symmetric) | Uses a shared secret to sign and verify tokens. This is the original method. |
| New JWT signing keys | RS256 (asymmetric) | Uses public/private key pairs. Supabase signs tokens with a private key, and PowerSync verifies them using a public key fetched via JWKS. |
To check which signing keys your Supabase project uses, go to Project Settings > JWT in your Supabase Dashboard.
PowerSync Cloud
When using PowerSync Cloud with a Supabase-hosted database, PowerSync can auto-detect your Supabase project from the database connection string and configure authentication automatically.
- New JWT Signing Keys (Recommended)
- Legacy JWT Signing Keys
- Manual JWKS Configuration
Using New JWT Signing Keys
This is the recommended approach for Supabase projects using asymmetric JWT signing keys.
- In the PowerSync Dashboard, select your project and instance and go to the Client Auth view.
- Enable the “Use Supabase Auth” checkbox.
- Leave the “Supabase JWT Secret” field empty (it’s not needed for new keys).
- Click Save and Deploy.
PowerSync auto-detects your Supabase project from the database connection string and configures the JWKS URI (https://<project-ref>.supabase.co/auth/v1/.well-known/jwks.json) and audience (authenticated) automatically.
Self-Hosted PowerSync
For self-hosted PowerSync instances, configure authentication in your config.yaml.
- New JWT Signing Keys (Recommended)
- Legacy JWT Signing Keys
- Manual JWKS Configuration
Using New JWT Signing Keys
When using a standard Supabase connection string, PowerSync auto-detects your Supabase project:
- JWKS URI: https://<project-ref>.supabase.co/auth/v1/.well-known/jwks.json
- Audience: authenticated
Migrating from Legacy to New JWT Signing Keys
If you’re migrating your Supabase project from legacy JWT signing keys to the new asymmetric keys:
Step 1: Complete the Supabase Migration
Follow all steps in Supabase’s JWT Signing Keys migration guide, including the “Rotate to asymmetric JWTs” step.
Step 2: Update PowerSync Configuration
For PowerSync Cloud and self-hosted with standard Supabase connections:
- No changes required. PowerSync auto-detects and uses the new JWKS endpoint.
- If you previously provided a legacy JWT secret, you can remove it (it’s no longer needed).
- Ensure your jwks_uri points to your Supabase JWKS endpoint.
- Verify the authenticated audience is configured.
Step 3: Clear Cached Tokens
Have all users sign out and sign back in. This ensures they receive new tokens signed with the asymmetric keys.
Troubleshooting
PSYNC_S2101: Could not find an appropriate key in the keystore
This error indicates PowerSync cannot verify the JWT signature. Common causes:
| Cause | Solution |
|---|---|
| Incomplete Supabase migration | Complete the “Rotate to asymmetric JWTs” step in Supabase’s migration guide. |
| Cached tokens | Have users sign out and sign back in to get fresh tokens. |
| Non-standard connection string | PowerSync couldn’t auto-detect your Supabase project. Use manual JWKS configuration. |
| Wrong JWT secret | For legacy keys, verify the JWT secret matches your Supabase project settings. |
PSYNC_S2105: JWT payload is missing a required claim “aud”
This error occurs when using manual JWKS configuration without specifying an audience. Add authenticated to your audience configuration.
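
An added diagnostic example (not PowerSync or Supabase code) for the two errors above: it decodes a token's header and payload without verifying the signature and reports whether the token is still HS256-signed, whether its kid appears in a JWKS document, and whether aud contains authenticated. The function names, finding codes, sample tokens and sample JWKS are constructed for illustration.

```javascript
// Added diagnostic example: decodes a JWT WITHOUT verifying its signature.
// Use it only to troubleshoot; never trust these claims for authorization.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Returns a list of finding codes; an empty list means nothing suspicious.
// `jwks` is the parsed JSON document served at the project's JWKS URI.
function diagnoseToken(token, jwks, expectedAudience = 'authenticated') {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['malformed'];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return ['malformed'];
  }
  if (!header || !payload) return ['malformed'];
  const findings = [];
  if (header.alg === 'HS256') {
    // Legacy symmetric token: a JWKS holds public keys only, so it cannot match.
    findings.push('legacy-hs256');
  } else if (!(jwks.keys || []).some((k) => k.kid === header.kid)) {
    // Asymmetric token whose key id is not published at the JWKS endpoint.
    findings.push('kid-not-in-jwks');
  }
  // "aud" may be a single string or an array of strings.
  const aud = payload.aud === undefined ? [] : [].concat(payload.aud);
  if (aud.length === 0) findings.push('missing-aud');
  else if (!aud.includes(expectedAudience)) findings.push('aud-mismatch');
  return findings;
}

// Constructed sample data (not real keys or tokens).
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const makeToken = (h, p) => `${b64(h)}.${b64(p)}.constructed-signature`;
const sampleJwks = { keys: [{ kid: 'new-key-1', kty: 'RSA', alg: 'RS256' }] };
const cachedLegacy = makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'u1', aud: 'authenticated' });
const freshToken = makeToken({ alg: 'RS256', kid: 'new-key-1' }, { sub: 'u1', aud: 'authenticated' });
const staleKid = makeToken({ alg: 'RS256', kid: 'old-key-0' }, { sub: 'u1' });

console.log(diagnoseToken(cachedLegacy, sampleJwks));
console.log(diagnoseToken(freshToken, sampleJwks));
console.log(diagnoseToken(staleKid, sampleJwks));
```

A legacy-hs256 finding after migration points at the "Cached tokens" row; kid-not-in-jwks points at an incomplete migration or a JWKS URI for the wrong project.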
Auto-detection not working
If PowerSync logs this warning:
Sync Rules
The Supabase user UUID will be available as request.user_id() in Sync Rules. To use a different identifier as the user ID in Sync Rules (for example user email), use Custom authentication.