Supabase + AuthKit

Learn how to use AuthKit with your Supabase application.

Introduction

This guide outlines the steps to use WorkOS as a Supabase third-party auth provider. This will allow you to authenticate users with AuthKit and use AuthKit access tokens to access Supabase’s REST and GraphQL APIs in your app.

1. Add a WorkOS third-party auth integration

Configure a WorkOS integration in the Supabase dashboard.

Your issuer URL is:

WorkOS Issuer

 https://api.workos.com/user_management/client_123456789

2. Set up a JWT Template

Supabase RLS policies expect a role claim in the access token that corresponds to a database role. WorkOS already adds a role claim corresponding to the user’s role in an organization. Set up a JWT template in the WorkOS dashboard (Authentication → Sessions) so that the role works with Supabase:

 {
  "role": "authenticated",
  "user_role": {{organization_membership.role}}
}

We add a user_role claim so that your application can still determine the role assigned to that user.

3. Pass the access token to Supabase APIs

That’s it! Supabase will now accept the access tokens returned by AuthKit.