Supabase Auth
Built-in authentication system with social providers, PostgreSQL policies, and user management. No external services needed - own your data completely.
Complete authentication solution that comes built into every Supabase project, eliminating the need for external authentication services. Handle user management, social logins, and access control all in one place.
Social login integration supports major providers including Google, Facebook, GitHub, Azure, GitLab, Twitter, and Discord - enabled with just a click. No complex setup or third-party dependencies required.
PostgreSQL-powered security uses Row Level Security policies for fine-grained access control. Write authorization rules directly in SQL or through the visual dashboard, controlling exactly who can create, edit, and delete specific database rows.
Data ownership guaranteed - all user data stays in your Supabase database across 16 global locations. Never worry about third-party privacy issues or vendor lock-in with your sensitive user information.
Simple, powerful APIs work seamlessly on both client and server-side applications. Handle sign-up, sign-in, magic links, and OAuth flows with straightforward, well-documented endpoints that developers actually understand.
Supabase does not offer built-in passkey authentication but offers a third‑party integration with Corbado to support Passkeys
User sessions are long‑lived by default and can be time‑boxed or configured with inactivity timeouts on paid plans
Supabase lets developers control session duration, enforce inactivity timeouts and revoke sessions through the Admin API
Machine‑to‑machine OAuth flow are not supported by Supabase
Supabase does not host a customizable login page. You need to build your own UI or use the deprecated Auth UI component
Auth hooks allow you to execute serverless functions at key points in the authentication flow, such as sending custom emails, customizing tokens or verifying MFA
Supabase integrates with numerous providers via OAuth and offers partner integrations (e.g., Vercel, CloudFlare, Resend, Stripe) through its marketplace
Supabase supports hCaptcha and Cloudflare Turnstile to require CAPTCHA on sign‑in, sign‑up and password reset forms
You can import Users to Supabase by using Supabase Auth's admin create user method to recreate the user
Supabase allows storing custom user metadata in the raw_user_meta_data field and retrieving it via getUser. You can also add custom claims to JWTs
Roles and permissions are implemented using Postgres Row Level Security and custom claims added to tokens. You manage roles by defining your own roles table and policies
Supabase Studio includes a user impersonation feature that lets administrators simulate a user's session to test row-level policies and debug
Supabase Studio provides a Users page where admins can view, edit and delete user accounts, update metadata and manage MFA
You can export user data by querying the auth.users and auth.identities tables and exporting the results as CSV using the database UI or CLI
Supabase sets default rate limits for auth endpoints and allows customizing rate limits through the Admin API for specific paths like sign up, sign in and OTP
Log drains stream Supabase logs, including auth events, to external destinations like HTTP endpoints and Datadog on Team and Enterprise plans
Supabase CLI and Studio support managing multiple environments (local, staging, production) and migrating configuration and data between them
Enterprise plans include a 99.9% uptime service level agreement for Supabase products. Beta and Alpha features are excluded
Supabase exposes a Prometheus‑compatible metrics endpoint and provides a Grafana dashboard to monitor project health; logs can also be viewed in the Logs Explorer
GDPR
HIPAA
SOC2
