Supabase Auth

PowerSync can verify Supabase JWTs directly when connected to a Supabase-hosted Postgres database.

You can implement various types of auth:

To implement either Supabase Auth or Anonymous Sign-Ins, enable the "Use Supabase Auth" setting on the PowerSync instance. (This is also covered in the Supabase & PowerSync integration guide.)

Internally, Supabase Auth signs the token with HS256, using a secret that is available on the database as current_setting('app.settings.jwt_secret').

To rotate the secret, generate a new secret in the Supabase project settings. PowerSync picks up the new secret automatically within 5 minutes. During this period, some authentication failures are expected.

The Supabase user UUID will be available as token_parameters.user_id. To use a different identifier as the user ID in sync rules (for example user email), use Custom authentication.
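The HS256 check and the rotation window described above, as an added example that is not PowerSync's or Supabase's own code. It assumes the secret is used as raw UTF-8 bytes and that the user UUID travels in the standard sub claim; the secrets, UUID and timestamps are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Issue a token as an HS256 signer would (used only to build sample input)."""
    body = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body += "." + _b64e(json.dumps(claims).encode())
    return body + "." + _b64e(_mac(secret, body))

def verify_hs256(token, secret, now=None):
    """Return the claims if the token verifies under `secret`, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64d(header_b64))
        sig = _b64d(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token header must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the received and recomputed MAC.
    if not hmac.compare_digest(sig, _mac(secret, header_b64 + "." + payload_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def rotation_window_demo():
    """A verifier still caching the old secret rejects tokens signed with the new one."""
    old, new = "constructed-old-secret", "constructed-new-secret"
    claims = {"sub": "00000000-0000-4000-8000-000000000001", "exp": 2_000_000_000}
    token = sign_hs256(claims, new)  # issued just after rotation
    try:
        verify_hs256(token, old, now=1_900_000_000)
        before_refresh = "accepted"
    except ValueError as exc:
        before_refresh = str(exc)
    after_refresh = verify_hs256(token, new, now=1_900_000_000)["sub"]
    return before_refresh, after_refresh
```

Because HS256 is symmetric, any party holding the secret can also mint tokens, so the rotation step above invalidates every outstanding token at once.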
