Skip to content
Auth

Which package to use

When to use supabase-js, @supabase/ssr, or @supabase/server on the server.

When you use Supabase from JavaScript on the server, there are three packages to choose from. They are not alternatives to each other — @supabase/ssr and @supabase/server both build on top of supabase-js and solve different problems. This guide helps you pick the right one.

Which package to use#

The quickest way to decide is by how the user's identity reaches your code:

  • The session lives in cookies (an SSR framework like Next.js or SvelteKit) → use @supabase/ssr.
  • Auth arrives per request in headers (Authorization: Bearer <jwt>) → use @supabase/server.
  • You want the base client, or you're handling auth yourself → use @supabase/supabase-js directly.
PackageUse it whenRuns inAuth model
@supabase/supabase-jsYou want the base client, or you manage auth yourselfBrowser and serverYou wire up auth
@supabase/ssrUser sessions are stored in cookiesSSR frameworks (Next.js, SvelteKit, TanStack Start)Cookie-based sessions, with refresh-token rotation
@supabase/serverAuth arrives per request in headersEdge Functions, Workers, Vercel, Bun, and framework APIs (Hono, H3, Elysia, NestJS)Stateless Bearer JWT + apikey

@supabase/supabase-js#

The isomorphic base client. @supabase/ssr and @supabase/server both wrap it — reach for supabase-js directly when you don't need either wrapper's auth handling.

1
import { createClient } from '@supabase/supabase-js'
2
3
const supabase = createClient(process.env.SUPABASE_URL!, process.env.SUPABASE_PUBLISHABLE_KEY!)

@supabase/ssr#

For SSR frameworks that store the user's session in cookies. It reads and writes session cookies and handles refresh-token rotation, so the same user and session are available on both the client and the server.

1
import { createServerClient } from '@supabase/ssr'
2
3
const supabase = createServerClient(
4
process.env.SUPABASE_URL!,
5
process.env.SUPABASE_PUBLISHABLE_KEY!,
6
{
7
cookies: {
8
getAll() {
9
// return the request's cookies
10
},
11
setAll(cookiesToSet) {
12
// write cookies back on the response
13
},
14
},
15
}
16
)

See the server-side rendering guide for framework-specific setup.

@supabase/server#

For stateless, header-based auth in backend runtimes — Edge Functions, Workers, and framework APIs. You declare who may call an endpoint and receive a ready-to-use context (a caller-scoped client that respects RLS, plus an admin client). It verifies JWTs and resolves the new API keys (SUPABASE_PUBLISHABLE_KEYS / SUPABASE_SECRET_KEYS) for you.

1
import { withSupabase } from '@supabase/server'
2
3
export default {
4
fetch: withSupabase({ auth: 'user' }, async (req, ctx) => {
5
// ctx.supabase is scoped to the caller and respects RLS
6
const { data } = await ctx.supabase.from('todos').select()
7
return Response.json(data)
8
}),
9
}

See the @supabase/server reference for the full API.

Advanced: Combining @supabase/server and @supabase/ssr#

In a cookie-based framework you can compose the two — let @supabase/ssr own the cookie session lifecycle and hand the resolved token to @supabase/server's primitives. This requires more setup, and deeper first-party integration is on the roadmap. See the @supabase/server SSR frameworks guide.

Next steps#