supabase/supabase
Auth
The Auth surface in Studio manages users, providers, MFA, hooks, and sign-in policies for a project's GoTrue instance. The runtime service itself lives in supabase/auth upstream.
Studio surfaces involved
| Folder | Purpose |
|---|---|
apps/studio/components/interfaces/Auth/ |
All Auth UIs (~16+ feature folders). |
apps/studio/components/interfaces/SignIn/ |
Studio's own sign-in flow (used on the hosted product). |
apps/studio/pages/sign-*.tsx |
Sign-in / sign-up / forgot-password / MFA pages. |
apps/studio/components/interfaces/JwtSecrets/ |
JWT secret rotation. |
apps/studio/components/interfaces/JwtSigningKeys/ (in data/jwt-signing-keys/) |
Asymmetric JWT signing keys. |
apps/studio/components/interfaces/APIKeys/ |
Anon and service-role keys. |
Data layer
Under apps/studio/data/auth/:
| File | Operation |
|---|---|
auth-config-query.ts / auth-config-update-mutation.ts |
Read / update GoTrue project config. |
auth-hooks-update-mutation.ts |
Update GoTrue webhook hooks. |
auth-overview-query.ts |
Aggregate dashboard stats. |
users-infinite-query.ts, users-count-query.ts |
Users list / count. |
user-search-indexes-query.ts, index-worker-status-query.ts |
Search index status. |
user-create-mutation.ts, user-invite-mutation.ts, user-update-mutation.ts, user-delete-mutation.ts |
User CRUD. |
user-send-magic-link-mutation.ts, user-send-otp-mutation.ts, user-reset-password-mutation.ts |
Outbound auth flows. |
user-delete-mfa-factors-mutation.ts |
MFA factor management. |
validate-spam-mutation.ts |
Email-spam validation hook. |
session-access-token-query.ts |
Studio's own session inspection. |
Adjacent folders cover related domains:
data/sso/— SAML / SSO providers.data/oauth*/,data/oauth-server-apps/,data/oauth-secrets/,data/oauth-custom-providers/— OAuth.data/api-keys/,data/jwt-signing-keys/,data/access-tokens/,data/scoped-access-tokens/— Project keys.data/third-party-auth/— Third-party auth integrations.
How it works
Studio talks to Auth indirectly through the management API. A typical "create user" flow:
sequenceDiagram
participant UI as Auth/Users UI
participant Mut as data/auth/user-create-mutation
participant API as Mgmt API
participant Auth as supabase/auth (GoTrue)
participant DB as Postgres (auth schema)
UI->>Mut: submit form
Mut->>API: POST /v1/projects/{ref}/auth/users
API->>Auth: forward
Auth->>DB: insert into auth.users
DB-->>Auth: row
Auth-->>API: user
API-->>Mut: user
Mut-->>UI: invalidate users-infinite-queryGoTrue itself is not built from this repo; only the dashboard surface is. Self-host installs run GoTrue as the auth service in docker/docker-compose.yml.
Sign-in to Studio itself
apps/studio/pages/sign-in.tsx (and the partner / SSO / MFA variants) drive Studio's authentication. They use:
packages/common/auth.tsxfor the auth context.packages/common/gotrue.tsfor the GoTrue client.@hcaptcha/react-hcaptchafor bot protection on sensitive forms.
Build-time auth mode is controlled by NEXT_PUBLIC_STUDIO_AUTH_MODE — supabase for the hosted dashboard, none for self-host (where Studio assumes a trusted environment behind Kong).
Integration points
- GoTrue (
supabase/auth) — the runtime auth service. - Stripe — invoiced auth-quota usage flows are in
data/stripe/. - ConfigCat — many auth features are flag-gated.
Entry points for modification
- New auth provider toggle → extend
auth-config-update-mutation.tspayload + UI inAuth/. - New MFA factor type → likely needs both upstream GoTrue support and a Studio surface in
Auth/MFA*. - New JWT key format → extend
data/jwt-signing-keys/and the correspondingJwtSigningKeysUI. - New OAuth provider → add data hooks under
data/oauth*and a settings page undercomponents/interfaces/Auth/.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.