Supabase Auth: Bring-your-own Auth0, Cognito, or Firebase

14 Aug 2024


Today we have 3 new announcements for Supabase Auth:

  1. Support for third-party Auth providers
  2. Phone-based Multi-factor Authentication (SMS and WhatsApp)
  3. New Auth Hooks for SMS and email

Let's dive into each new feature.

Support for third-party Auth providers

The headline feature today is third-party Authentication.

Supabase is a modular platform. We've been designing it so that you can choose which products you use with Postgres. You can use our own products (like Supabase Auth) or external products (like Auth0), and in theory the experience should be just-as-delightful.

Until today, using third-party auth products required developers to translate JWTs into a format compatible with Supabase Auth. This is difficult and unmaintainable.

So we fixed it. Today we're adding first-class support for the following third-party authentication products:

  1. Auth0
  2. AWS Cognito (standalone or via AWS Amplify)
  3. Firebase Auth

Migrating auth providers can be costly and technically challenging, especially for applications with large user bases. You can use Supabase's native auth offering alongside your third-party authentication provider to achieve a disruption-free migration.

All of the third-party providers are supported in the Supabase CLI, so you can evaluate, test, and develop your integration for free.

The Supabase client supports third-party auth like this:


import { createClient } from '@supabase/supabase-js'

const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
  accessToken: async () => {
    const accessToken = await auth0.getTokenSilently()
    return accessToken
  },
})

Phone-based multi-factor authentication

We've extended MFA to support SMS and WhatsApp.

We have a strong conviction that all applications should have access to an open and secure authentication provider. Secure-by-default should not be a luxury: developers should have affordable access to security best-practices.

Almost two years ago we launched MFA with TOTP (app authenticator) free of charge. Since then, we've heard a common complaint from developers: app authenticators can be hard to adopt for non-techies. Phone-based MFA is for those developers who want to provide a more accessible MFA experience for their users.

The code looks like this:


// Send an SMS or WhatsApp message to the user
const { data: { challengeId } } = await supabase.auth.mfa.challenge({
  factorId,
})

// To verify the code received by the user
await supabase.auth.mfa.verify({
  factorId,
  challengeId,
  code: '123456',
})

// The user's `aal` claim in the JWT
// will be upgraded to aal2

Auth Hooks for SMS and Email

We've added a few new Auth Hooks, which now support HTTP endpoints as webhooks.

Email Hooks

We've heard the (rather loud) feedback that the built-in email templates (based on the Go templating language) can be limiting. There's been a lot of development in email rendering libraries like Resend's React Email. To help make this available for developers, we've added a "Send Email" Auth Hook, which you can use to customize your emails and how they are sent.

SMS Hooks

Supabase Auth has built-in support for popular SMS sending providers like Twilio, Messagebird, Textlocal and Vonage, but we realize this choice can be limiting.

Today we're launching a new "Send SMS" Auth Hook. You no longer need to use the built-in provider - you can implement your own by specifying an HTTP endpoint that receives a POST request when a message needs to be sent.

Getting started

Check out the docs for more details on how to get started:
