Open-Source Wikis

/

Supabase

/

Features

/

Auth

supabase/supabase

Auth

The Auth surface in Studio manages users, providers, MFA, hooks, and sign-in policies for a project's GoTrue instance. The runtime service itself lives in supabase/auth upstream.

Studio surfaces involved

Folder Purpose
apps/studio/components/interfaces/Auth/ All Auth UIs (~16+ feature folders).
apps/studio/components/interfaces/SignIn/ Studio's own sign-in flow (used on the hosted product).
apps/studio/pages/sign-*.tsx Sign-in / sign-up / forgot-password / MFA pages.
apps/studio/components/interfaces/JwtSecrets/ JWT secret rotation.
apps/studio/components/interfaces/JwtSigningKeys/ (in data/jwt-signing-keys/) Asymmetric JWT signing keys.
apps/studio/components/interfaces/APIKeys/ Anon and service-role keys.

Data layer

Under apps/studio/data/auth/:

File Operation
auth-config-query.ts / auth-config-update-mutation.ts Read / update GoTrue project config.
auth-hooks-update-mutation.ts Update GoTrue webhook hooks.
auth-overview-query.ts Aggregate dashboard stats.
users-infinite-query.ts, users-count-query.ts Users list / count.
user-search-indexes-query.ts, index-worker-status-query.ts Search index status.
user-create-mutation.ts, user-invite-mutation.ts, user-update-mutation.ts, user-delete-mutation.ts User CRUD.
user-send-magic-link-mutation.ts, user-send-otp-mutation.ts, user-reset-password-mutation.ts Outbound auth flows.
user-delete-mfa-factors-mutation.ts MFA factor management.
validate-spam-mutation.ts Email-spam validation hook.
session-access-token-query.ts Studio's own session inspection.

Adjacent folders cover related domains:

  • data/sso/ — SAML / SSO providers.
  • data/oauth*/, data/oauth-server-apps/, data/oauth-secrets/, data/oauth-custom-providers/ — OAuth.
  • data/api-keys/, data/jwt-signing-keys/, data/access-tokens/, data/scoped-access-tokens/ — Project keys.
  • data/third-party-auth/ — Third-party auth integrations.

How it works

Studio talks to Auth indirectly through the management API. A typical "create user" flow:

sequenceDiagram
    participant UI as Auth/Users UI
    participant Mut as data/auth/user-create-mutation
    participant API as Mgmt API
    participant Auth as supabase/auth (GoTrue)
    participant DB as Postgres (auth schema)

    UI->>Mut: submit form
    Mut->>API: POST /v1/projects/{ref}/auth/users
    API->>Auth: forward
    Auth->>DB: insert into auth.users
    DB-->>Auth: row
    Auth-->>API: user
    API-->>Mut: user
    Mut-->>UI: invalidate users-infinite-query

GoTrue itself is not built from this repo; only the dashboard surface is. Self-host installs run GoTrue as the auth service in docker/docker-compose.yml.

Sign-in to Studio itself

apps/studio/pages/sign-in.tsx (and the partner / SSO / MFA variants) drive Studio's authentication. They use:

  • packages/common/auth.tsx for the auth context.
  • packages/common/gotrue.ts for the GoTrue client.
  • @hcaptcha/react-hcaptcha for bot protection on sensitive forms.

Build-time auth mode is controlled by NEXT_PUBLIC_STUDIO_AUTH_MODEsupabase for the hosted dashboard, none for self-host (where Studio assumes a trusted environment behind Kong).

Integration points

  • GoTrue (supabase/auth) — the runtime auth service.
  • Stripe — invoiced auth-quota usage flows are in data/stripe/.
  • ConfigCat — many auth features are flag-gated.

Entry points for modification

  • New auth provider toggle → extend auth-config-update-mutation.ts payload + UI in Auth/.
  • New MFA factor type → likely needs both upstream GoTrue support and a Studio surface in Auth/MFA*.
  • New JWT key format → extend data/jwt-signing-keys/ and the corresponding JwtSigningKeys UI.
  • New OAuth provider → add data hooks under data/oauth* and a settings page under components/interfaces/Auth/.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Auth – Supabase wiki | Factory