apps/docs/content/guides/auth/architecture.mdx
There are four major layers to Supabase Auth:
<Image alt="Diagram showing the architecture of Supabase. The Kong API gateway sits in front of 7 services: GoTrue, PostgREST, Realtime, Storage, pg_meta, Functions, and pg_graphql. All the services talk to a single Postgres instance." src={{ dark: '/docs/img/supabase-architecture.svg', light: '/docs/img/supabase-architecture--light.svg', }} width={1600} height={767} />
The client layer runs in your app. This could be running in many places, including:
The client layer provides the functions that you use to sign in and manage users. We recommend using the Supabase client SDKs, which handle:
But at its core, this layer manages the making of HTTP calls, so you could write your own client layer if you wanted to.
See the Client SDKs for more information:
The Auth service is an Auth API server written and maintained by Supabase. It is a fork of the GoTrue project, originally created by Netlify.
When you deploy a new Supabase project, we deploy an instance of this server alongside your database, and inject your database with the required Auth schema.
The Auth service is responsible for:
Supabase Auth uses the auth schema in your Postgres database to store user tables and other information. For security, this schema is not exposed on the auto-generated API.
You can connect Auth information to your own objects using database triggers and foreign keys. Make sure that any views you create for Auth data are adequately protected by enabling RLS or revoking grants.
<Admonition type="danger">Make sure any views you create for Auth data are protected.
Starting in Postgres version 15, views inherit the RLS policies of the underlying tables if created with security_invoker. Views in earlier versions, or those created without security_invoker, inherit the permissions of the owner, who can bypass RLS policies.