Third-party auth - Supabase

Supabase has first-class support for these third-party authentication providers:

You can use these providers alongside Supabase Auth, or on their own, to access the Data API (REST and GraphQL), Storage, Realtime and Functions from your existing apps.

If you already have production apps using one of these authentication providers, and would like to use a Supabase feature, you no longer need to migrate your users to Supabase Auth or use workarounds like translating JWTs into the Supabase Auth format and using your project's signing secret.

How does it work?

To use Supabase products like Data APIs for your Postgres database, Storage or Realtime, you often need to send access tokens or JWTs via the Supabase client libraries or via the REST API. Third-party auth support means that when you add a new integration with one of these providers, the API will trust JWTs issued by the provider similar to how it trusts JWTs issued by Supabase Auth.

This is made possible if the providers are using JWTs signed with asymmetric keys, which means that the Supabase APIs will be able to only verify but not create JWTs.

Limitations

There are some limitations you should be aware of when using third-party authentication providers with Supabase.

The third-party provider must use asymmetrically signed JWTs (exposed as an OIDC Issuer Discovery URL by the third-party authentication provider). The signed JWTs must have a kid header parameter to identify which key must be used. Using symmetrically signed JWTs is not possible at this time.
The JWT signing keys from the third-party provider are stored in the configuration of your project, and are checked for changes periodically. If you are rotating your keys (when supported) allow up to 30 minutes for the change to be picked up.
It is not possible to disable Supabase Auth at this time.

<$Show if="billing:all"> <$Partial path="billing/pricing/pricing_mau_third_party.mdx" /> </$Show>