Build 'Sign in with Your App' using Supabase Auth

Published: (December 24, 2025 at 10:45 AM EST)
5 min read
Source: Dev.to

You’ve used “Sign in with Google” and “Sign in with GitHub” countless times.
But what if your Supabase project could be the identity provider? Today, we’re adding OAuth 2.1 and OpenID Connect server capabilities to Supabase Auth, turning your project into a full‑fledged identity provider.

This opens up powerful new possibilities:

  • AI agents authenticating through your app via the Model Context Protocol (MCP)
  • Third‑party developers building on your platform
  • Partner integrations accessing your APIs securely
  • Enterprise single sign‑on

All using the same battle‑tested auth infrastructure you already rely on.

Why We Built This

The immediate catalyst? Model Context Protocol (MCP) authentication. As AI agents and LLM tools become ubiquitous, they need a standardized way to authenticate with services. MCP has emerged as that standard, and it’s built on OAuth 2.1. Your Supabase project can now be the identity provider these AI tools authenticate against.

But the applications extend far beyond AI:

  • Third‑party developer ecosystems – let partners build apps that integrate with your platform
  • Partner API access – grant secure access to external services
  • “Powered by [Your App]” – enable users to use their existing account on your platform to sign into partner applications
  • Enterprise SSO – full OpenID Connect support with ID tokens, UserInfo endpoint, and organizational single sign‑on

If you’re building a platform where other developers or services need secure access to user data, OAuth 2.1 server capabilities are now baked into your Supabase project.

What You Can Build

With Supabase Auth as an OAuth 2.1 provider, you can:

For AI and Automation

  • MCP servers that authenticate users through your Supabase project
  • AI agents that securely access user data with proper authorization
  • LLM tools integrated into your application ecosystem

For Developer Platforms

  • Third‑party apps offering “Sign in with [Your App]”
  • Partner integrations with granular access control
  • Developer API access with OAuth tokens
  • Marketplace apps built on your platform

For Enterprise

  • OpenID Connect single sign‑on (SSO) with ID tokens and UserInfo endpoint
  • Centralized identity management across services
  • Standards‑compliant enterprise authentication
  • Compliance‑friendly audit trails

How It Works: The Big Picture

Supabase Auth implements OAuth 2.1 with OpenID Connect (OIDC), the modern, secure standards for authentication and identity. At its core is the authorization code flow with PKCE (Proof Key for Code Exchange).

  • Authorization code flow – the most secure OAuth flow for server‑side apps and native applications.
  • PKCE – protects against authorization‑code interception attacks.
  • Access tokens – JWTs containing standard Supabase claims (user_id, role) plus OAuth‑specific claims like client_id.
  • ID tokens – standardized identity tokens with user profile information (for OIDC flows).
  • UserInfo endpoint – lets clients retrieve user data.
  • Refresh tokens – enable long‑lived sessions without re‑authentication.
  • JWKS endpoint – provides public‑key infrastructure for third parties to validate tokens.

The best part? Your existing Supabase security model extends naturally to OAuth: Row‑Level Security (RLS) policies apply to OAuth access tokens just like they do to regular session tokens.

Works with Your Existing Auth Stack

One of the most powerful aspects of this implementation is how seamlessly it integrates with Supabase Auth features you’re already using. When users authenticate through the OAuth flow, you can still use all of Supabase Auth’s existing methods:

  • Password authentication
  • Magic links
  • Social providers (Google, GitHub, etc.)
  • Multi‑factor authentication (MFA)
  • Phone authentication

Your third‑party integrations get the benefit of your existing authentication security without having to rebuild anything.

Custom Access Token Hooks

Already using Custom Access Token Hooks to add custom claims to user tokens? They work with OAuth tokens too. You can inject client‑specific claims, add custom permissions, or implement any token‑customization logic you need. The flexibility you have with regular auth tokens extends to OAuth.

RLS Policies with OAuth Tokens

Your RLS policies automatically apply to OAuth access tokens. The tokens include the standard user_id and role claims you’re used to, plus a client_id claim that identifies which OAuth client is making the request.

-- Grant your mobile app access to user profiles
CREATE POLICY "Mobile app can read profiles"
ON profiles FOR SELECT
USING (
  (auth.uid() = user_id)
  AND ((auth.jwt() ->> 'client_id') = 'mobile-app-client-id')
);

-- Grant a third‑party analytics dashboard read‑only access to metrics
CREATE POLICY "Analytics dashboard can read metrics"
ON user_metrics FOR SELECT
USING (
  (auth.uid() = user_id)
  AND ((auth.jwt() ->> 'client_id') = 'analytics-dashboard-client-id')
);

MCP Authentication

Supabase Auth fully complies with the Model Context Protocol’s OAuth 2.1 authentication spec. Your Supabase project exposes standard OAuth authorization‑server metadata at /.well-known/oauth-authorization-server, enabling automatic discovery of your authorization endpoints, token endpoints, and capabilities. MCP clients can register themselves dynamically using OAuth 2.1 dynamic client registration.

Ready to turn your Supabase project into an identity provider? 🚀

MCP Integration (no manual configuration required)

Here’s what this means in practice: point an MCP‑compatible AI tool at your Supabase project’s auth URL, and it handles the rest. The tool discovers your endpoints, registers itself as a client, initiates the OAuth flow, and obtains tokens. The AI agent authenticates as the user, with all your RLS policies enforced automatically. Users see your consent screen, approve access, and the AI tool operates on their behalf with exactly the permissions you’ve defined. No passwords exposed, no custom API wrappers needed.

We’re just getting started with MCP. We’re working on making it even easier to build MCP servers directly in Supabase, bringing the same developer experience you love to AI‑agent integrations.

Getting Started

Setting up OAuth 2.1 in your Supabase project starts with registering OAuth clients through the Supabase dashboard or Management API.

  1. Register a client – configure allowed redirect URIs and receive a client_id.
  2. Build the authorization flow – create an endpoint that receives OAuth authorization requests, authenticates users (using existing Supabase Auth methods), presents a consent UI, and confirms approvals with Supabase Auth.
  3. Update Row‑Level Security policies – ensure your RLS rules consider the client_id claim when granting access.

Once configured, your Supabase project can serve as a full‑featured OAuth 2.1 and OpenID Connect provider for AI agents, third‑party apps, and enterprise SSO solutions.
