{"name":"Supabase Auth","slug":"supabase-auth","category":"auth","type":"hybrid","website":"https://supabase.com/docs/guides/auth","pricing":"freemium","pricing_tiers":["Free up to 50k MAU","$25/mo Pro","Custom Enterprise"],"open_source":true,"self_hosted":true,"sdk_languages":["javascript","typescript","python","dart","swift","kotlin"],"frameworks":["langchain","vercel-ai"],"agent_features":{"agent_sdk":false,"token_delegation":false,"human_in_the_loop":false,"fga":false,"mcp_support":null,"async_authorization":false},"compliance":["soc2","gdpr","hipaa"],"best_for":"AI apps built on the Supabase BaaS stack; projects that need auth + database + storage in one platform","limitations":"Auth is tightly coupled to Supabase's ecosystem; no token delegation, no FGA, no agent SDK; auth is secondary to the BaaS offering","verified_by":"editorial","last_verified":"2026-04-17","source_urls":{"changelog":"https://supabase.com/changelog","pricing":"https://supabase.com/pricing","docs":"https://supabase.com/docs/guides/auth"},"feature_labels":{"agent_sdk":"Dedicated SDK for agentic workflows — agent sessions, token lifecycle, and authorization requests","token_delegation":"Issue scoped tokens an agent can use downstream without exposing user credentials","human_in_the_loop":"Pause agent execution and require explicit user approval before proceeding","fga":"Fine-Grained Authorization — relationship-based or attribute-based access control, not just role-based","mcp_support":"Native OAuth/OIDC authorization layer for Model Context Protocol servers","async_authorization":"Non-blocking approval workflows — agent continues and gets notified when approval is granted"},"comparisons":[{"slug":"auth0-vs-supabase-auth","title":"Auth0 vs Supabase","vs":"auth0"},{"slug":"clerk-vs-supabase-auth","title":"Clerk vs Supabase","vs":"clerk"},{"slug":"cognito-vs-supabase-auth","title":"Amazon Cognito vs Supabase","vs":"cognito"},{"slug":"descope-vs-supabase-auth","title":"Descope vs Supabase","vs":"descope"},{"slug":"firebase-auth-vs-supabase-auth","title":"Firebase Auth vs Supabase Auth","vs":"firebase-auth"},{"slug":"keycloak-vs-supabase-auth","title":"Keycloak vs Supabase Auth","vs":"keycloak"},{"slug":"ory-vs-supabase-auth","title":"Ory vs Supabase Auth","vs":"ory"},{"slug":"stytch-vs-supabase-auth","title":"Stytch vs Supabase","vs":"stytch"},{"slug":"supabase-auth-vs-workos","title":"Supabase Auth vs WorkOS","vs":"workos"}],"body":"# Supabase Auth\n\nSupabase Auth is built on GoTrue and is part of the broader Supabase Backend-as-a-Service platform. It's widely used in the AI app development community because Supabase has become the dominant BaaS for rapid AI app prototyping — the vector store, database, and auth all in one.\n\nThe auth module supports standard flows: OAuth providers, magic links, OTP, and password auth. Row-level security (RLS) in Postgres can enforce fine-grained data access rules based on the authenticated user.\n\nFor agent-specific authorization, Supabase's limitations are similar to Firebase's: no token delegation, no purpose-built agent SDK, and no human-in-the-loop capabilities. The RLS model provides database-level authorization, but that's different from the agent authorization patterns (async approval, scoped delegation) that complex agents require.\n\n**Agent-specific features:**\n- JWT-based session tokens for authenticating agent requests\n- Row-level security for database authorization\n- Service role key for backend/agent-to-database access\n- Can self-host for data sovereignty requirements"}