September 12, 2022

Protecting your Supabase app with SuperTokens authentication.

When building an app with Supabase, you will have to choose an authentication solution. Here are some reasons why you should choose SuperTokens as your auth provider and why it pairs so well with Supabase.

By Joel Coutinho, Software Developer at SuperTokens

So you’re creating a web app and have decided to use Supabase. You now face the decision of how you want to implement authentication.

Supabase comes with its own authentication solution, based on a fork of Netlify’s goTrue.

It provides authentication flows like email-password, social login, and phone number based OTP and is ideal for quickly building out authentication for many use cases.

However, if your app is going to scale to a large number of users or have non-standard requirements, it may make sense to consider alternatives since GoTrue has some limitations:

For example:

  • For B2C apps: Features like account linking only link accounts that share the same email.
  • For B2B apps: There is currently no support for multi-factor authentication.

Now that we know the limitations, let's dive deeper into when to use Supabase auth and when to consider other solutions:

Use Supabase Auth if:

  • You need to quickly set up an app with Email-Password, Social Login or Phone number based authentication methods.
  • Your app does not need a custom flow or you do not require multi-factor authentication.

Consider alternative solutions if:

  • You’re building a high-growth startup that will have a large number of users or will be selling to big companies.
  • You require features such as language translations, multi-factor authentication and field validators.
  • You require a custom flow. For example: you are building a streaming service and would like to limit the number of active sessions for a user, or you need to verify a user’s email before they enter their password during sign up.

So what third-party options are available that offer the flexibility you need and are easy to use? We have a blog that compares some of the most popular solutions out there, but today we are looking at SuperTokens, how it can adapt to accommodate your custom requirements and why it pairs so well with Supabase.

What is SuperTokens?

SuperTokens is an Open Source Authentication solution. We have a managed service, but if you prefer to handle your own data, you can use our self-hosted solution. We built SuperTokens from the ground up to be easy to use and customizable.

Note: SuperTokens requires you to have an API layer. If your app does not require a discrete API layer, Supabase auth is a more viable option.

What does SuperTokens offer?

  • All popular sign up methods such as passwordless (with email or SMS), email and password, social login.
  • A Pre-built UI that is hosted on your domain itself.
  • SDKs that automatically create and manage users’ session tokens (access & refresh tokens).
  • Hosted and self hosted options that enable you to manage your own data.
  • 2FA, user roles, SAML and more on the way!
  • The ability to easily customise the end user experience or the backend auth logic within your API layer: This is what makes SuperTokens really powerful.

You can learn more about SuperTokens architecture and how customizations work from our guide.

Examples of some customizations you can make with SuperTokens:

Here is a list of possible use cases and how SuperTokens can help you achieve them.

  • Restrict signups to work emails: If your app requires users to sign up with their work-related emails or Google workspace-associated domains, you can use the SuperTokens email validator functions to enforce the check.

  • Collect more information on signup: Collect user’s name and age on the Sign Up or Sign In pages.

  • Use your own SMS / email sending service: Don’t like the default email and SMS templates? Create your own email and SMS content! You can also choose your own delivery method if you don’t want to use the default service.

  • Migration: SuperTokens allows you to migrate users from other auth providers to SuperTokens and preserve the users’ original userId. This allows you to continue to use any data you had mapped to the previous provider’s userId.
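
A sketch of the work-email restriction from the list above, as an added example that is not SuperTokens' own code: the async wrapper follows the form-field validator shape (value in, error message or undefined out), and the domain list, function names and messages are assumptions.

```javascript
// Constructed sample policy: domains your organisation actually owns.
const ALLOWED_DOMAINS = ["example-corp.test", "partner.example"];

// Returns the normalised domain of an email address, or null if malformed.
function emailDomain(value) {
  if (typeof value !== "string") return null;
  const email = value.trim();
  // Exactly one "@" with a non-empty local part.
  const at = email.lastIndexOf("@");
  if (at <= 0 || email.indexOf("@") !== at) return null;
  // No whitespace, control characters or list separators anywhere.
  if (/[\s\x00-\x1f<>,;]/.test(email)) return null;
  let domain = email.slice(at + 1).toLowerCase();
  if (domain.endsWith(".")) domain = domain.slice(0, -1); // FQDN trailing dot
  // ASCII letter-digit-hyphen labels only, so lookalike Unicode domains
  // are rejected instead of being compared against the allowlist.
  const ldh = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;
  return ldh.test(domain) ? domain : null;
}

// Returns undefined when the address is acceptable, otherwise a message.
function checkWorkEmail(value, allowed = ALLOWED_DOMAINS) {
  const domain = emailDomain(value);
  if (domain === null) return "Email is invalid";
  // Accept the exact domain or a dot-delimited subdomain. A bare
  // endsWith(d) would also accept "notexample-corp.test".
  const ok = allowed.some((d) => domain === d || domain.endsWith("." + d));
  return ok ? undefined : "Please sign up with your work email";
}

// Validator shape: enforce this in the backend API layer, since a
// frontend-only check is skipped by anyone calling the API directly.
const validateWorkEmail = async (value) => checkWorkEmail(value);
```

Whether subdomains of an allowed domain should pass is a policy decision; drop the `endsWith` branch to require an exact match.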

Example apps with custom flows

Here are some examples of custom flows we’ve already built:

Verify a user’s email before they enter their password during Sign Up

Say you have a custom requirement where you want to verify a user’s ownership of an email before they type in a password during sign-up.

Email Verification with OTP

Instead of having the user click a link during email verification, maybe you would like them to enter an OTP.

Login with Phone number Password

In this flow, users create an account using their phone number and password.

These are just some of the use cases that SuperTokens supports. If you have a custom requirement, feel free to join our discord. We are passionate about Auth and would love to discuss your use case.

Integrating SuperTokens into Supabase

We provide a guide on how to secure your Supabase app with SuperTokens. The guide details the process of leveraging Supabase’s Row Level Security feature to create powerful authorization policies so only authorized users can access data.


In the end, the authentication solution you choose depends on your use case.

  • For apps where you need to quickly set up simple authentication flows, Supabase Auth is a great choice.
  • For startups or mid-level organisations looking for an open-source authentication solution that can grow with their organisation, SuperTokens is a great choice.

Software dev and content lead at SuperTokens. Contributed to the SuperTokens core, backend SDKs, and developer documentation.