Overview

PowerSync clients (i.e. apps used by your users that embed the PowerSync Client SDK) authenticate against the server-side PowerSync Service using JWTs (signed tokens) that are generated by your application backend. Before using PowerSync, an application’s existing architecture may look like this:
The PowerSync Service uses database native credentials and authenticates directly against the backend database using the configured credentials:
When the PowerSync client SDK is included in an app project, it uses existing app-to-backend authentication to retrieve a JSON Web Token (JWT):
The PowerSync client SDK uses the retrieved JWT to authenticate directly against the PowerSync Service:
Users are not persisted in PowerSync, and there is no server-to-server communication used for client authentication.

Common Authentication Providers

PowerSync supports JWT-based authentication from various providers. The table below shows commonly used authentication providers, their JWKS URLs, and any specific configuration requirements.
Scroll the table horizontally.
ProviderJWKS URLConfiguration NotesDocumentation
SupabaseDirect integration availableUses Supabase’s JWT SecretSupabase Auth Setup
Firebase Auth / GCP Identity Platformhttps://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.comJWT Audience: Firebase project IDFirebase Auth Setup
Auth0https://{auth0-domain}/.well-known/jwks.jsonJWT Audience: PowerSync instance URLAuth0 Setup
Clerkhttps://{yourClerkDomain}/.well-known/jwks.jsonAdditional configuration may be requiredClerk Documentation
Stytchhttps://{live_or_test}.stytch.com/v1/sessions/jwks/{project-id}Additional configuration may be requiredStytch Documentation
Keycloakhttps://{your-keycloak-domain}/auth/realms/{realm-name}/protocol/openid-connect/certsAdditional configuration may be requiredKeycloak Documentation
Amazon Cognitohttps://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.jsonAdditional configuration may be requiredCognito Documentation
Azure ADhttps://login.microsoftonline.com/{tenantId}/discovery/v2.0/keysAdditional configuration may be requiredAzure AD Documentation
Google Identityhttps://www.googleapis.com/oauth2/v3/certsAdditional configuration may be requiredGoogle Identity Documentation
SuperTokenshttps://{YOUR_SUPER_TOKENS_CORE_CONNECTION_URI}/.well-known/jwks.jsonAdditional configuration may be requiredSuperTokens Documentation
WorkOShttps://api.workos.com/sso/jwks/{YOUR_CLIENT_ID}Additional configuration may be requiredWorkOS Documentation
Custom JWTYour own JWKS endpointSee custom auth requirementsCustom Auth Setup

Authentication Options

Some authentication providers already generate JWTs for users which PowerSync can verify directly — see the documentation for individual providers (e.g. Supabase Auth, Firebase Auth). For others, some backend code must be added to your application backend to generate the JWTs needed for PowerSync — see Custom authentication. For a quick way to get up and running during development, you can generate Development Tokens directly from the PowerSync Dashboard (PowerSync Cloud) or locally with a self-hosted setup.