Supabase Auth

PowerSync can verify Supabase JWTs directly when connected to a Supabase-hosted database.

Only authenticated users are supported currently. For anonymous users, use custom authentication (for an example of Supabase functions for anonymous users, see here).

To enable Supabase authentication, enable the "Use Supabase Auth" setting on the instance. (This is also covered in the Supabase & PowerSync integration guide.)

Internally, Supabase Auth signs the token with HS256, using a secret available on the database as current_setting('app.settings.jwt_secret').

To rotate the secret, generate a new secret in the Supabase project settings. PowerSync picks up the new secret automatically within 5 minutes. During this period, some authentication failures are expected.

The Supabase user UUID will be available as token_parameters.user_id. To use a different identifier as the user ID in sync rules (for example user email), use Custom authentication.
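
The HS256 check and the rotation window described above, as an added example (not PowerSync or Supabase code): a standard-library verifier that pins the algorithm, checks the MAC and expiry, and returns the user UUID as user_id. It assumes the UUID is carried in the JWT "sub" claim; the secrets, UUID and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, secret):
    """Issuer side: build a constructed test token signed with the shared secret."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_supabase_jwt(token, secret, now=None):
    """Verifier side: return token parameters or raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        alg = json.loads(b64url_decode(header_b64)).get("alg")
        sig = b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token pick it ("none", alg confusion).
    if alg != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare, and only trust claims after the MAC checks out.
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    if not claims.get("sub"):  # assumption: user UUID is in the "sub" claim
        raise ValueError("no user id")
    return {"user_id": claims["sub"]}

if __name__ == "__main__":
    old, new = b"constructed-old-secret", b"constructed-new-secret"
    claims = {"sub": "00000000-0000-4000-8000-000000000001", "exp": time.time() + 300}
    print(verify_supabase_jwt(sign_hs256(claims, old), old))
    try:  # token signed after rotation, verifier still holding the old secret
        verify_supabase_jwt(sign_hs256(claims, new), old)
    except ValueError as err:
        print("rejected:", err)
```

A verifier still holding the old secret rejects tokens signed with the new one, which is the failure mode to expect during the rotation window.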
