PowerSync clients (i.e. apps used by your users that embed the PowerSync Client SDK) authenticate against the server-side PowerSync Service using JWTs (signed tokens) that are generated by your application backend.

Before using PowerSync, an application’s existing architecture may look like this:

The PowerSync Service authenticates directly against the backend database using the database-native credentials you configure:

When the PowerSync Client SDK is included in an app project, it uses the existing app-to-backend authentication to retrieve a JSON Web Token (JWT):

The PowerSync Client SDK uses the retrieved JWT to authenticate directly against the PowerSync Service:

Users are not persisted in PowerSync, and there is no server-to-server communication used for client authentication.

Some authentication providers already generate JWTs for users, which PowerSync can verify directly. See the documentation for individual providers (e.g. Supabase Auth, Firebase Auth).

For others, some backend code must be added to your application backend to generate the JWTs needed for PowerSync — see Custom authentication.
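The stateless check described above, as an added example (not PowerSync's or the page's own code): the backend signs a short-lived JWT and a verifier holding only the public key validates it, so no user store or server-to-server call is involved. The RS256 algorithm, the `kid` header, the `sub`/`aud`/`iat`/`exp` claims and all sample values are assumptions for illustration.

```javascript
// Added illustration: claim names, key ID and audience URL are assumptions, not PowerSync's API.
const crypto = require('node:crypto');
const b64url = (s) => Buffer.from(s).toString('base64url');

// Backend: holds the private key; signs a short-lived token for an already-authenticated user.
function issueToken(privateKey, kid, userId, audience, now, ttlSeconds = 300) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const payload = b64url(JSON.stringify({ sub: userId, aud: audience, iat: now, exp: now + ttlSeconds }));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${sig.toString('base64url')}`;
}

// Verifier: holds only public keys (Map of kid -> key). No user table, no call to the backend.
function verifyToken(token, publicKeys, audience, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm: the token must not choose it (rejects alg "none" and HMAC confusion).
  if (header?.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const key = publicKeys.get(header.kid);
  if (!key) return { ok: false, reason: 'unknown kid' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  // Claims are trusted only after the signature checks out.
  if (payload?.aud !== audience) return { ok: false, reason: 'wrong audience' };
  if (typeof payload.exp !== 'number' || payload.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, userId: payload.sub };
}

// Constructed demo values (key pair generated in-process, fixed clock).
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KEYS = new Map([['demo-key-1', publicKey]]);
const AUD = 'https://powersync.example.invalid';
const NOW = 1700000000;
const token = issueToken(privateKey, 'demo-key-1', 'user-123', AUD, NOW);
console.log(verifyToken(token, KEYS, AUD, NOW + 60));  // accepted
console.log(verifyToken(token, KEYS, AUD, NOW + 600)); // rejected: past exp
```

Keeping the token lifetime short limits how long a leaked token stays usable, since the verifier has no per-user state to revoke against.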

For a quick way to get up and running during development, you can generate Development Tokens directly from the PowerSync Dashboard (PowerSync Cloud) or locally with a self-hosted setup.