Supabase Auth API

Supabase's open-source auth sub-system (GoTrue) providing user signup/login, OAuth social providers, magic links, MFA, and JWT issuance tightly integrated with Postgres row-level security.

Evaluated Mar 06, 2026 (version: current)
Category: Other. Tags: auth, authentication, supabase, jwt, oauth2, oidc, row-level-security, open-source, postgres
⚙ Agent Friendliness: 59 / 100 (Can an agent use this?)
🔒 Security: 84 / 100 (Is it safe for agents?)
⚡ Reliability: 81 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 85
Error Messages: 80
Auth Simplicity: 78
Rate Limits: 68

🔒 Security

TLS Enforcement: 100
Auth Strength: 85
Scope Granularity: 72
Dep. Hygiene: 85
Secret Handling: 80

TLS enforced. service_role key is a high-privilege credential with no scope restriction — the lack of granular service key scoping is the main security weakness. JWT RS256 signing. Open-source GoTrue codebase is publicly auditable. SOC2 Type II certified for hosted platform.

⚡ Reliability

Uptime/SLA: 85
Version Stability: 82
Breaking Changes: 78
Error Recovery: 80

Best When

You are already using Supabase as your database and want auth that integrates natively with Postgres row-level security policies and the Supabase JS/Python client.

Avoid When

You need auth as a standalone service decoupled from your database, or require advanced enterprise features like SCIM provisioning out of the box.

Use Cases

  • Authenticating users for a Supabase-backed application and obtaining JWTs for row-level-security enforcement
  • Implementing passwordless magic-link or OTP login flows via the Admin API
  • Programmatically creating, listing, and deleting users from an agent using the Admin REST endpoints
  • Configuring social OAuth providers (GitHub, Google) and managing linked identities
  • Issuing and revoking user sessions as part of automated account lifecycle management

Not For

  • Applications not using Supabase (the auth system is designed to integrate tightly with Supabase Postgres and RLS)
  • Standalone enterprise SSO requirements without a broader Supabase stack
  • Teams needing dedicated auth SLA guarantees independent of Supabase platform SLAs

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: Yes

Authentication

Methods: api_key, jwt
OAuth: Yes; Scopes: No

Admin operations use the service_role key (full privileges — treat as root credential). User-facing operations use the anon key plus user JWT. Agents should use the service_role key only for admin Auth API calls and never expose it client-side.
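The split described above, with the service_role key reserved for Admin Auth calls, as an added example that is not Supabase's own code or SDK: a small stdlib-only Python client that builds Admin Auth requests with both headers the Supabase gateway expects (`apikey` plus `Authorization: Bearer`) and pages through `/auth/v1/admin/users`. The project URL and key are placeholders, the `page`/`per_page` query parameters and the `{"users": [...]}` response shape are assumptions for the demo, and the fake transport with its two canned pages is constructed so the block runs offline.

```python
import json
import urllib.request
from typing import Callable, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder project URL and service_role key (assumptions for the demo,
# not real credentials). The service_role key lives server-side only.
PROJECT_URL = "https://example-ref.supabase.co"
SERVICE_ROLE_KEY = "service-role-jwt-from-project-settings"

# Auth endpoints hang off /auth/v1 on the project URL; the data endpoints
# the client SDK talks to hang off /rest/v1 on the same host.
ADMIN_USERS_PATH = "/auth/v1/admin/users"


def admin_request(project_url: str, service_role_key: str, path: str,
                  method: str = "GET", query: Optional[dict] = None,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Build an Admin Auth API request. The gateway checks the `apikey`
    header and GoTrue reads the same key again as the bearer token."""
    url = project_url.rstrip("/") + path
    if query:
        url += "?" + urlencode(query)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("apikey", service_role_key)
    req.add_header("Authorization", f"Bearer {service_role_key}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def http_fetch(req: urllib.request.Request) -> dict:
    """Live transport: send the request and parse the JSON body."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_all_users(fetch: Callable[[urllib.request.Request], dict],
                   project_url: str = PROJECT_URL,
                   service_role_key: str = SERVICE_ROLE_KEY,
                   per_page: int = 50) -> Iterator[dict]:
    """Walk the paged user list. Pages start at 1 and the listing is assumed
    to return {"users": [...]}; a short page ends the walk, so the loop
    terminates even if no Link header is present."""
    page = 1
    while True:
        req = admin_request(project_url, service_role_key, ADMIN_USERS_PATH,
                            query={"page": page, "per_page": per_page})
        users = fetch(req).get("users", [])
        yield from users
        if len(users) < per_page:
            return
        page += 1


# Constructed pages standing in for the live API so the block runs offline.
_FAKE_PAGES = {
    1: {"users": [{"id": "u1", "email": "a@example.com"},
                  {"id": "u2", "email": "b@example.com"}]},
    2: {"users": [{"id": "u3", "email": "c@example.com"}]},
}


def fake_fetch(req: urllib.request.Request) -> dict:
    """Offline transport: answers from _FAKE_PAGES based on the page query."""
    page = int(parse_qs(urlparse(req.full_url).query)["page"][0])
    return _FAKE_PAGES.get(page, {"users": []})


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch to run against a real project.
    for user in iter_all_users(fake_fetch, per_page=2):
        print(user["id"], user["email"])
```

Keeping the transport injectable is what lets the paging logic be tested without the key ever leaving the server; it also makes it easy to log every outbound admin call, which is worth doing for a credential that bypasses RLS.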

Pricing

Model: freemium
Free tier: Yes
Requires CC: No

Auth is bundled with Supabase; pricing is per-project not per-auth-operation. Self-hosting GoTrue directly is free but requires infrastructure management.

Agent Metadata

Pagination: offset
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • service_role key bypasses ALL row-level security — using it in agent code risks unintentional full data exposure if a bug occurs
  • JWT expiry defaults to 1 hour; agents must refresh tokens using the refresh token before expiry or face 401 errors mid-workflow
  • The Admin API lives at /auth/v1/admin/users on the project URL, a different path prefix from the /rest/v1 data endpoints the Supabase client SDK talks to, so hand-built admin calls must target the auth path explicitly
  • Soft-deleted users can block re-registration with the same email until hard-deleted via the Admin API
  • MFA enrollment state is not returned in the standard user object — requires a separate /auth/v1/factors call to check MFA status
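The JWT expiry and service_role gotchas above, as an added example that is not part of the original page or of GoTrue: stdlib-only Python that verifies a Supabase-style access token, decides when to refresh it ahead of the default 1-hour expiry, and refuses a service_role token in a user-facing code path. It assumes the project's legacy shared HS256 JWT secret (projects on asymmetric signing keys verify with the public key instead); the secret, issuer, subject and minted tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the demo only; a real project's JWT secret comes
# from the dashboard and never belongs in source code.
TEST_JWT_SECRET = "demo-secret-not-a-real-supabase-jwt-secret"
REFRESH_MARGIN_SECONDS = 300  # refresh once fewer than 5 minutes remain


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(secret: str, role: str, exp: int,
                    sub: str = "00000000-0000-0000-0000-000000000000") -> str:
    """Mint an HS256 token with the claim layout Supabase access tokens carry
    (iss, sub, aud, role, iat, exp). Demo helper; GoTrue does the real minting."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://example-ref.supabase.co/auth/v1", "sub": sub,
               "aud": "authenticated", "role": role, "iat": exp - 3600, "exp": exp}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unverified_claims(token: str) -> dict:
    """Read claims without checking the signature. Fine for scheduling a
    refresh; never a basis for an authorization decision."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Verify signature and expiry, pinning the algorithm so an attacker
    cannot downgrade to alg=none or swap in another scheme."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def should_refresh(claims: dict, now: Optional[int] = None,
                   margin: int = REFRESH_MARGIN_SECONDS) -> bool:
    """True when the access token is inside the refresh margin, so the agent
    exchanges its refresh token before a long step would hit a 401."""
    now = int(time.time()) if now is None else now
    return claims["exp"] - now < margin


def assert_user_token(claims: dict) -> dict:
    """Guard for user-facing paths: a service_role token bypasses RLS, so it
    must never be accepted where a user's token is expected."""
    if claims.get("role") == "service_role":
        raise PermissionError("service_role token in a user-facing path")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    token = mint_test_token(TEST_JWT_SECRET, "authenticated", now + 120)
    claims = assert_user_token(verify_hs256(token, TEST_JWT_SECRET, now=now))
    print(claims["role"], "refresh needed:", should_refresh(claims, now=now))
```

The refresh check deliberately reads `exp` from the claims rather than trusting a locally cached expiry, so a session restored from storage is handled the same way as a fresh one; the role guard is cheap enough to run on every request boundary where a token changes hands.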

Scores are editorial opinions as of 2026-03-06.