Authentication Setup
Overview
PowerSync clients (i.e. apps used by your users that embed the PowerSync Client SDK) authenticate against the server-side PowerSync Service using JWTs (signed tokens) that are generated by your application backend.
Before using PowerSync, an application’s existing architecture may look like this:
.png)
The PowerSync Service uses database native credentials and authenticates directly against the backend database using the configured credentials:
.png)
When the PowerSync client SDK is included in an app project, it uses existing app-to-backend authentication to retrieve a JSON Web Token (JWT):
.png)
The PowerSync client SDK uses the retrieved JWT to authenticate directly against the PowerSync Service:
.png)
Users are not persisted in PowerSync, and there is no server-to-server communication used for client authentication.
Common Authentication Providers
PowerSync supports JWT-based authentication from various providers. The table below shows commonly used authentication providers, their JWKS URLs, and any specific configuration requirements.
Scroll the table horizontally.
| Provider | JWKS URL | Configuration Notes | Documentation |
|---|---|---|---|
| Supabase | Direct integration available | Uses Supabase’s JWT Secret | Supabase Auth Setup |
| Firebase Auth / GCP Identity Platform | https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com | JWT Audience: Firebase project ID | Firebase Auth Setup |
| Auth0 | https://{auth0-domain}/.well-known/jwks.json | JWT Audience: PowerSync instance URL | Auth0 Setup |
| Clerk | https://{yourClerkDomain}/.well-known/jwks.json | Additional configuration may be required | Clerk Documentation |
| Stytch | https://{live_or_test}.stytch.com/v1/sessions/jwks/{project-id} | Additional configuration may be required | Stytch Documentation |
| Keycloak | https://{your-keycloak-domain}/auth/realms/{realm-name}/protocol/openid-connect/certs | Additional configuration may be required | Keycloak Documentation |
| Amazon Cognito | https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json | Additional configuration may be required | Cognito Documentation |
| Azure AD | https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys | Additional configuration may be required | Azure AD Documentation |
| Google Identity | https://www.googleapis.com/oauth2/v3/certs | Additional configuration may be required | Google Identity Documentation |
| SuperTokens | https://{YOUR_SUPER_TOKENS_CORE_CONNECTION_URI}/.well-known/jwks.json | Additional configuration may be required | SuperTokens Documentation |
| WorkOS | https://api.workos.com/sso/jwks/{YOUR_CLIENT_ID} | Additional configuration may be required | WorkOS Documentation |
| Custom JWT | Your own JWKS endpoint | See custom auth requirements | Custom Auth Setup |
Authentication Options
Some authentication providers already generate JWTs for users which PowerSync can verify directly — see the documentation for individual providers (e.g. Supabase Auth, Firebase Auth).
For others, some backend code must be added to your application backend to generate the JWTs needed for PowerSync — see Custom authentication.
For a quick way to get up and running during development, you can generate Development Tokens directly from the PowerSync Dashboard (PowerSync Cloud) or locally with a self-hosted setup.