A user in Supabase Auth is someone with a user ID, stored in the Auth schema. Once someone is a user, they can be issued an Access Token, which can be used to access Supabase endpoints. The token is tied to the user, so you can restrict access to resources via RLS policies.

Permanent and anonymous users

Supabase distinguishes between permanent and anonymous users.

  • Permanent users are tied to a piece of Personally Identifiable Information (PII), such as an email address, a phone number, or a third-party identity. They can use these identities to sign back into their account after signing out.
  • Anonymous users aren't tied to any identities. They have a user ID and a personalized Access Token, but they have no way of signing back in as the same user if they are signed out.

Anonymous users are useful for:

  • E-commerce applications, to create shopping carts before checkout
  • Full-feature demos without collecting personal information
  • Temporary or throw-away accounts

See the Anonymous Signins guide to learn more about anonymous users.

The user object

The user object stores all the information related to a user in your application. The user object can be retrieved using one of these methods:

  1. supabase.auth.getUser()
  2. Retrieve a user object as an admin using supabase.auth.admin.getUserById()

A user can sign in with one of the following methods:

  • Password-based method (with email or phone)
  • Passwordless method (with email or phone)
  • OAuth

An identity describes the authentication method that a user can use to sign in. A user can have multiple identities. These are the types of identities supported:

  • Email
  • Phone
  • OAuth
  • SAML

The user object contains the following attributes:

idstringThe unique id of the identity of the user.
audstringThe audience claim.
rolestringThe role claim used by Postgres to perform Row Level Security (RLS) checks.
emailstringThe user's email address.
email_confirmed_atstringThe timestamp that the user's email was confirmed. If null, it means that the user's email is not confirmed.
phonestringThe user's phone number.
phone_confirmed_atstringThe timestamp that the user's phone was confirmed. If null, it means that the user's phone is not confirmed.
confirmed_atstringThe timestamp that either the user's email or phone was confirmed. If null, it means that the user does not have a confirmed email address and phone number.
last_sign_in_atstringThe timestamp that the user last signed in.
app_metadataobjectThe provider attribute indicates the first provider that the user used to sign up with. The providers attribute indicates the list of providers that the user can use to login with.
user_metadataobjectDefaults to the first provider's identity data but can contain additional custom user metadata if specified. Refer to User Identity for more information about the identity object.
identitiesUserIdentity[]Contains an object array of identities linked to the user.
created_atstringThe timestamp that the user was created.
updated_atstringThe timestamp that the user was last updated.
is_anonymousbooleanIs true if the user is an anonymous user.