{"id":13615237,"url":"https://github.com/supabase/auth","last_synced_at":"2026-04-02T14:53:07.985Z","repository":{"id":36980171,"uuid":"279488921","full_name":"supabase/auth","owner":"supabase","description":"A JWT based API for managing users and issuing JWT tokens","archived":false,"fork":false,"pushed_at":"2026-03-26T15:09:21.000Z","size":22863,"stargazers_count":2375,"open_issues_count":215,"forks_count":638,"subscribers_count":29,"default_branch":"master","last_synced_at":"2026-03-26T18:48:07.788Z","etag":null,"topics":["auth","authentication","authorization","client-auth","go","jwt","supabase"],"latest_commit_sha":null,"homepage":"https://supabase.com/docs/guides/auth","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"netlify/gotrue","license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/supabase.png","metadata":{"funding":{"github":["supabase"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null},"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-07-14T05:14:31.000Z","updated_at":"2026-03-26T15:01:19.000Z","dependencies_parsed_at":"2023-09-23T05:09:24.257Z","dependency_job_id":"3fd9baaf-6813-45f1-97d7-4cfe855b2699","html_url":"https://github.com/supabase/auth","commit_stats":{"total_commits":1662,"total_committers":107,"mean_commits":"15.532710280373832","dds":0.7340553549939832,"last_synced_commit":"77d58976ae624dbb7f8abe
e041dd4557aab81109"},"previous_names":["supabase/auth","supabase/gotrue"],"tags_count":919,"template":false,"template_full_name":null,"purl":"pkg:github/supabase/auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supabase%2Fauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supabase%2Fauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supabase%2Fauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supabase%2Fauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/supabase","download_url":"https://codeload.github.com/supabase/auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supabase%2Fauth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31308447,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","authentication","authorization","client-auth","go","jwt","supabase"],"created_at":"2024-08-01T20:01:10.927Z","updated_at":"2026-04-02T14:53:07.966Z","avatar_url":"https://github.com/supabase.png","language":"Go","readme":"# 
Auth - Authentication and User Management by Supabase\n\n[![Coverage Status](https://coveralls.io/repos/github/supabase/auth/badge.svg?branch=master)](https://coveralls.io/github/supabase/auth?branch=master)\n\nAuth is a user management and authentication server written in Go that powers\n[Supabase](https://supabase.com)'s features such as:\n\n- Issuing JWTs\n- Row Level Security with PostgREST\n- User management\n- Sign in with email, password, magic link, phone number\n- Sign in with external providers (Google, Apple, Facebook, Discord, ...)\n\nIt was originally based on the excellent\n[GoTrue codebase by Netlify](https://github.com/netlify/gotrue); however, both have since diverged significantly in features and capabilities.\n\nIf you wish to contribute to the project, please refer to the [contributing guide](/CONTRIBUTING.md).\n\n## Table of Contents\n\n- [Quick Start](#quick-start)\n- [Running in Production](#running-in-production)\n- [Configuration](#configuration)\n- [Endpoints](#endpoints)\n\n## Quick Start\n\nCreate a `.env` file to store your own custom environment variables. See [`example.env`](example.env).\n\n1. Start the local Postgres database in a Postgres container: `docker-compose -f docker-compose-dev.yml up postgres`\n2. Build the auth binary: `make build`. You should see output like this:\n\n```bash\ngo build -ldflags \"-X github.com/supabase/auth/cmd.Version=`git rev-parse HEAD`\"\nGOOS=linux GOARCH=arm64 go build -ldflags \"-X github.com/supabase/auth/cmd.Version=`git rev-parse HEAD`\" -o gotrue-arm64\n```\n\n3. Execute the auth binary: `./auth`\n\n### If you have Docker installed\n\nCreate a `.env.docker` file to store your own custom env vars. See [`example.docker.env`](example.docker.env).\n\n1. `make build`\n2. `make dev`\n3. `docker ps` should show two Docker containers (`auth-auth-1` and `auth-postgres-1`)\n4. That's it! 
Visit the [health check endpoint](http://localhost:9999/health) to confirm that auth is running.\n\n## Running in production\n\nRunning an authentication server in production is not an easy feat. We\nrecommend using [Supabase Auth](https://supabase.com/auth) which gets regular\nsecurity updates.\n\nOtherwise, please make sure you set up a process to promptly update to the\nlatest version. You can do that by following this repository, specifically the\n[Releases](https://github.com/supabase/auth/releases) and [Security\nAdvisories](https://github.com/supabase/auth/security/advisories) sections.\n\n### Backward compatibility\n\nAuth uses the [Semantic Versioning](https://semver.org) scheme. Here are some\nfurther clarifications on backward compatibility guarantees:\n\n**Go API compatibility**\n\nAuth is not meant to be used as a Go library. There are no guarantees on\nbackward API compatibility when used this way, regardless of which version\nnumber changes.\n\n**Patch**\n\nChanges to the patch version guarantee backward compatibility with:\n\n- Database objects (tables, columns, indexes, functions).\n- REST API\n- JWT structure\n- Configuration\n\nGuaranteed examples:\n\n- A column won't change its type.\n- A table won't change its primary key.\n- An index will not be removed.\n- A uniqueness constraint will not be removed.\n- A REST API will not be removed.\n- Parameters to REST APIs will work equivalently as before (or better, if a bug\n  has been fixed).\n- Configuration will not change.\n\nNot guaranteed examples:\n\n- A table may add new columns.\n- Columns in a table may be reordered.\n- Non-unique constraints may be removed (database level checks, null, default\n  values).\n- JWT may add new properties.\n\n**Minor**\n\nChanges to the minor version guarantee backward compatibility with:\n\n- REST API\n- JWT structure\n- Configuration\n\nExceptions to these guarantees will be made only when serious security issues\nare found that can't be remedied in any other 
way.\n\nGuaranteed examples:\n\n- Existing APIs may be deprecated but continue working for the next few minor\n  version releases.\n- Configuration changes may become deprecated but continue working for the next\n  few minor version releases.\n- Already issued JWTs will be accepted, but new JWTs may have a different\n  structure (usually a similar one).\n\nNot guaranteed examples:\n\n- Removal of JWT fields after a deprecation notice.\n- Removal of certain APIs after a deprecation notice.\n- Removal of sign-in with external providers, after a deprecation notice.\n- Deletion, truncation, significant schema changes to tables, indexes, views,\n  functions.\n\nWe aim to provide a deprecation notice in execution logs for at least two major\nversion releases or two weeks if multiple releases go out. Compatibility will\nbe guaranteed while the notice is live.\n\n**Major**\n\nChanges to the major version do not guarantee any backward compatibility with\nprevious versions.\n\n### Inherited features\n\nCertain inherited features from the Netlify codebase are not supported by\nSupabase and they may be removed without prior notice in the future. Here is a\nlist of those features:\n\n1. Multi-tenancy via the `instances` table, i.e. the `GOTRUE_MULTI_INSTANCE_MODE`\n   configuration parameter.\n2. System user (zero UUID user).\n3. Super admin via the `is_super_admin` column.\n4. Group information in JWTs via `GOTRUE_JWT_ADMIN_GROUP_NAME` and other\n   configuration fields.\n5. JWT signing. Supabase Auth supports asymmetric keys (RS256 by default;\n   ECC/Ed25519 optional). HS256 is still supported for compatibility, but\n   migrating to asymmetric keys is recommended for easier validation and\n   rotation. Future deprecations will be announced in the changelog. 
See the\n   [JWT Signing Keys](https://supabase.com/docs/guides/auth/signing-keys) and\n   [JWTs guide](https://supabase.com/docs/guides/auth/jwts) for details.\n\nNote that this is not an exhaustive list and it may change.\n\n### Best practices when self-hosting\n\nThese are some best practices to follow when self-hosting to ensure backward\ncompatibility with Auth:\n\n1. Do not modify the schema managed by Auth. You can see all of the\n   migrations in the `migrations` directory.\n2. Do not rely on the schema and the structure of data in the database. Always use\n   Auth APIs and JWTs to infer information about users.\n3. Always run Auth behind a TLS-capable proxy such as a load balancer, CDN,\n   nginx or other similar software.\n\n## Configuration\n\nYou may configure Auth using either a configuration file named `.env`,\nenvironment variables, or a combination of both. Environment variables are prefixed with `GOTRUE_`, and will always have precedence over values provided via file.\n\n### Top-Level\n\n```properties\nGOTRUE_SITE_URL=https://example.netlify.com/\n```\n\n`SITE_URL` - `string` **required**\n\nThe base URL your site is located at. Currently used in combination with other settings to construct URLs used in emails. Any URI that shares a host with `SITE_URL` is a permitted value for `redirect_to` params (see `/authorize` etc.).\n\n`URI_ALLOW_LIST` - `string`\n\nA comma-separated list of URIs (e.g. `\"https://foo.example.com,https://*.foo.example.com,https://bar.example.com\"`) which are permitted as valid `redirect_to` destinations. Defaults to []. Supports wildcard matching through globbing. e.g. `https://*.foo.example.com` will allow `https://a.foo.example.com` and `https://b.foo.example.com` to be accepted. Globbing is also supported on subdomains. e.g. 
`https://foo.example.com/*` will allow `https://foo.example.com/page1` and `https://foo.example.com/page2` to be accepted.\n\nFor the supported glob syntax, see the [gobwas/glob documentation](https://pkg.go.dev/github.com/gobwas/glob#Compile).\n\n`OPERATOR_TOKEN` - `string` _Multi-instance mode only_\n\nThe shared secret with an operator (usually Netlify) for this microservice. Used to verify that requests have been proxied through the operator and\nthat the payload values can be trusted.\n\n`DISABLE_SIGNUP` - `bool`\n\nWhen signup is disabled, the only way to create new users is through invites. Defaults to `false` (all signups enabled).\n\n`GOTRUE_EXTERNAL_EMAIL_ENABLED` - `bool`\n\nUse this to disable email signups (users can still use external OAuth providers to sign up / sign in).\n\n`GOTRUE_EXTERNAL_PHONE_ENABLED` - `bool`\n\nUse this to disable phone signups (users can still use external OAuth providers to sign up / sign in).\n\n`GOTRUE_RATE_LIMIT_HEADER` - `string`\n\nHeader on which to rate limit the `/token` endpoint.\n\n`GOTRUE_RATE_LIMIT_EMAIL_SENT` - `string`\n\nRate limit the number of emails sent per hour on the following endpoints: `/signup`, `/invite`, `/magiclink`, `/recover`, `/otp`, \u0026 `/user`.\n\n`GOTRUE_PASSWORD_MIN_LENGTH` - `int`\n\nMinimum password length, defaults to 6.\n\n`GOTRUE_PASSWORD_REQUIRED_CHARACTERS` - a string of character sets separated by `:`. A password must contain at least one character of each set to be accepted. To use the `:` character, escape it with `\\`.\n\n`GOTRUE_SECURITY_REFRESH_TOKEN_ROTATION_ENABLED` - `bool`\n\nIf refresh token rotation is enabled, auth will automatically detect malicious attempts to reuse a revoked refresh token. When a malicious attempt is detected, GoTrue immediately revokes all tokens that descended from the offending token.\n\n`GOTRUE_SECURITY_REFRESH_TOKEN_REUSE_INTERVAL` - `string`\n\nThis setting is only applicable if `GOTRUE_SECURITY_REFRESH_TOKEN_ROTATION_ENABLED` is enabled. 
The reuse interval for a refresh token allows the refresh token to be exchanged multiple times during the interval, to tolerate concurrent requests or offline issues. During the reuse interval, auth will not treat use of a revoked token as a malicious attempt and will simply return the child refresh token.\n\nOnly the most recently revoked token can be reused. Using an older refresh token from further back in the chain than the current valid one will trigger reuse detection.\n\n### API\n\n```properties\nGOTRUE_API_HOST=localhost\nPORT=9999\nAPI_EXTERNAL_URL=http://localhost:9999\n```\n\n`API_HOST` - `string`\n\nHostname to listen on.\n\n`PORT` (no prefix) / `API_PORT` - `number`\n\nPort number to listen on. Defaults to `8081`.\n\n`API_ENDPOINT` - `string` _Multi-instance mode only_\n\nControls the endpoint on which Netlify can access this API.\n\n`API_EXTERNAL_URL` - `string` **required**\n\nThe URL at which GoTrue can be accessed.\n\n`REQUEST_ID_HEADER` - `string`\n\nIf you wish to inherit a request ID from the incoming request, specify the header name in this value.\n\n### Database\n\n```properties\nGOTRUE_DB_DRIVER=postgres\nDATABASE_URL=root@localhost/auth\n```\n\n`DB_DRIVER` - `string` **required**\n\nChooses what dialect of database you want. Must be `postgres`.\n\n`DATABASE_URL` (no prefix) / `DB_DATABASE_URL` - `string` **required**\n\nConnection string for the database.\n\n`GOTRUE_DB_MAX_POOL_SIZE` - `int`\n\nSets the maximum number of open connections to the database. Defaults to 0, which is equivalent to an \"unlimited\" number of connections.\n\n`DB_NAMESPACE` - `string`\n\nAdds a prefix to all table names.\n\n**Migrations Note**\n\nMigrations are applied automatically when you run `./auth`. 
However, you also have the option to rerun the migrations via the following methods:\n\n- If built locally: `./auth migrate`\n- Using Docker: `docker run --rm auth gotrue migrate`\n\n### Logging\n\n```properties\nLOG_LEVEL=debug # available without GOTRUE prefix (exception)\nGOTRUE_LOG_FILE=/var/log/go/auth.log\n```\n\n`LOG_LEVEL` - `string`\n\nControls what log levels are output. Choose from `panic`, `fatal`, `error`, `warn`, `info`, or `debug`. Defaults to `info`.\n\n`LOG_FILE` - `string`\n\nIf you wish logs to be written to a file, set `log_file` to a valid file path.\n\n### Observability\n\nAuth has basic observability built in. It is able to export\n[OpenTelemetry](https://opentelemetry.io) metrics and traces to a collector.\n\n#### Tracing\n\nTo enable tracing configure these variables:\n\n`GOTRUE_TRACING_ENABLED` - `bool`\n\n`GOTRUE_TRACING_EXPORTER` - `string` only `opentelemetry` supported\n\nMake sure you also configure the [OpenTelemetry\nExporter](https://opentelemetry.io/docs/reference/specification/protocol/exporter/)\nconfiguration for your collector or service.\n\nFor example, if you use\n[Honeycomb.io](https://docs.honeycomb.io/getting-data-in/opentelemetry/go-distro/#using-opentelemetry-without-the-honeycomb-distribution)\nyou should set these standard OpenTelemetry OTLP variables:\n\n```\nOTEL_SERVICE_NAME=auth\nOTEL_EXPORTER_OTLP_PROTOCOL=grpc\nOTEL_EXPORTER_OTLP_ENDPOINT=https://api.honeycomb.io:443\nOTEL_EXPORTER_OTLP_HEADERS=\"x-honeycomb-team=\u003cAPI-KEY\u003e,x-honeycomb-dataset=auth\"\n```\n\n#### Metrics\n\nTo enable metrics configure these variables:\n\n`GOTRUE_METRICS_ENABLED` - `boolean`\n\n`GOTRUE_METRICS_EXPORTER` - `string` only `opentelemetry` and `prometheus`\nsupported\n\nMake sure you also configure the [OpenTelemetry\nExporter](https://opentelemetry.io/docs/reference/specification/protocol/exporter/)\nconfiguration for your collector or service.\n\nIf you use the `prometheus` exporter, the server host and port can 
be\nconfigured using these standard OpenTelemetry variables:\n\n`OTEL_EXPORTER_PROMETHEUS_HOST` - IP address, default `0.0.0.0`\n\n`OTEL_EXPORTER_PROMETHEUS_PORT` - port number, default `9100`\n\nThe metrics are exported on the `/` path on the server.\n\nIf you use the `opentelemetry` exporter, the metrics are pushed to the\ncollector.\n\nFor example, if you use\n[Honeycomb.io](https://docs.honeycomb.io/getting-data-in/opentelemetry/go-distro/#using-opentelemetry-without-the-honeycomb-distribution)\nyou should set these standard OpenTelemetry OTLP variables:\n\n```\nOTEL_SERVICE_NAME=auth\nOTEL_EXPORTER_OTLP_PROTOCOL=grpc\nOTEL_EXPORTER_OTLP_ENDPOINT=https://api.honeycomb.io:443\nOTEL_EXPORTER_OTLP_HEADERS=\"x-honeycomb-team=\u003cAPI-KEY\u003e,x-honeycomb-dataset=auth\"\n```\n\nNote that Honeycomb.io requires a paid plan to ingest metrics.\n\nIf you need to debug an issue with traces or metrics not being pushed, you can\nset `DEBUG=true` to get more insights from the OpenTelemetry SDK.\n\n#### Custom resource attributes\n\nWhen using the OpenTelemetry tracing or metrics exporter you can define custom\nresource attributes using the [standard `OTEL_RESOURCE_ATTRIBUTES` environment\nvariable](https://opentelemetry.io/docs/reference/specification/resource/sdk/#specifying-resource-information-via-an-environment-variable).\n\nA default attribute `auth.version` is provided containing the build version.\n\n#### Tracing HTTP routes\n\nAll HTTP calls to the Auth API are traced. 
Routes use the parametrized\nversion of the route, and the values for the route parameters can be found as\nthe `http.route.params.\u003croute-key\u003e` span attribute.\n\nFor example, the following request:\n\n```\nGET /admin/users/4acde936-82dc-4552-b851-831fb8ce0927/\n```\n\nwill be traced as:\n\n```\nhttp.method = GET\nhttp.route = /admin/users/{user_id}\nhttp.route.params.user_id = 4acde936-82dc-4552-b851-831fb8ce0927\n```\n\n#### Go runtime and HTTP metrics\n\nAll of the Go runtime metrics are exposed. Some HTTP metrics are also collected\nby default.\n\n### JSON Web Tokens (JWT)\n\n```properties\nGOTRUE_JWT_SECRET=supersecretvalue\nGOTRUE_JWT_EXP=3600\nGOTRUE_JWT_AUD=netlify\n```\n\n`JWT_SECRET` - `string` **required**\n\nThe secret used to sign JWT tokens with.\n\n`JWT_EXP` - `number`\n\nHow long tokens are valid for, in seconds. Defaults to 3600 (1 hour).\n\n`JWT_AUD` - `string`\n\nThe default JWT audience. Use audiences to group users.\n\n`JWT_ADMIN_GROUP_NAME` - `string`\n\nThe name of the admin group (if enabled). 
Defaults to `admin`.\n\n`JWT_DEFAULT_GROUP_NAME` - `string`\n\nThe default group to assign all new users to.\n\n### External Authentication Providers\n\nWe support `apple`, `azure`, `bitbucket`, `discord`, `facebook`, `figma`, `github`, `gitlab`, `google`, `keycloak`, `linkedin`, `notion`, `snapchat`, `spotify`, `slack`, `twitch`, `twitter` and `workos` for external authentication.\n\nUse the names as the keys underneath `external` to configure each separately.\n\n```properties\nGOTRUE_EXTERNAL_GITHUB_ENABLED=true\nGOTRUE_EXTERNAL_GITHUB_CLIENT_ID=myappclientid\nGOTRUE_EXTERNAL_GITHUB_SECRET=clientsecretvaluessssh\nGOTRUE_EXTERNAL_GITHUB_REDIRECT_URI=http://localhost:3000/callback\n```\n\nNo external providers are required, but you must provide the required values if you choose to enable any.\n\n`EXTERNAL_X_ENABLED` - `bool`\n\nWhether this external provider is enabled or not.\n\n`EXTERNAL_X_CLIENT_ID` - `string` **required**\n\nThe OAuth2 Client ID registered with the external provider.\n\n`EXTERNAL_X_SECRET` - `string` **required**\n\nThe OAuth2 Client Secret provided by the external provider when you registered.\n\n`EXTERNAL_X_REDIRECT_URI` - `string` **required**\n\nThe URI an OAuth2 provider will redirect to with the `code` and `state` values.\n\n`EXTERNAL_X_URL` - `string`\n\nThe base URL used for constructing the URLs to request authorization and access tokens. Used by `gitlab` and `keycloak`. For `gitlab` it defaults to `https://gitlab.com`. For `keycloak` you need to set this to your instance, for example: `https://keycloak.example.com/realms/myrealm`.\n\n#### Apple OAuth\n\nTo try out external authentication with Apple locally, you will need to do the following:\n\n1. Remap localhost to \\\u003cmy_custom_dns\\\u003e in your `/etc/hosts` config.\n2. 
Configure auth to serve HTTPS traffic over localhost by replacing `ListenAndServe` in [api.go](internal/api/api.go) with:\n\n   ```go\n   func (a *API) ListenAndServe(hostAndPort string) {\n     log := logrus.WithField(\"component\", \"api\")\n     server := \u0026http.Server{\n       Addr:    hostAndPort,\n       Handler: a.handler,\n     }\n     done := make(chan struct{})\n     defer close(done)\n     go func() {\n       // Shut the server down gracefully once a termination signal arrives.\n       waitForTermination(log, done)\n       ctx, cancel := context.WithTimeout(context.Background(), time.Minute)\n       defer cancel()\n       server.Shutdown(ctx)\n     }()\n     // Serve TLS with the locally generated certificate and key (see step 3).\n     if err := server.ListenAndServeTLS(\"PATH_TO_CRT_FILE\", \"PATH_TO_KEY_FILE\"); err != http.ErrServerClosed {\n       log.WithError(err).Fatal(\"http server listen failed\")\n     }\n   }\n   ```\n\n3. Generate the crt and key file. See [here](https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/) for more information.\n4. 
Generate the `GOTRUE_EXTERNAL_APPLE_SECRET` by following this [post](https://medium.com/identity-beyond-borders/how-to-configure-sign-in-with-apple-77c61e336003)!\n\n### Email\n\nSending email is not required, but highly recommended for password recovery.\nIf enabled, you must provide the required values below.\n\n```properties\nGOTRUE_SMTP_HOST=smtp.mandrillapp.com\nGOTRUE_SMTP_PORT=587\nGOTRUE_SMTP_USER=smtp-delivery@example.com\nGOTRUE_SMTP_PASS=correcthorsebatterystaple\nGOTRUE_SMTP_ADMIN_EMAIL=support@example.com\nGOTRUE_MAILER_SUBJECTS_CONFIRMATION=\"Please confirm\"\n```\n\n`SMTP_ADMIN_EMAIL` - `string` **required**\n\nThe `From` email address for all emails sent.\n\n`SMTP_HOST` - `string` **required**\n\nThe mail server hostname to send emails through.\n\n`SMTP_PORT` - `number` **required**\n\nThe port number to connect to the mail server on.\n\n`SMTP_USER` - `string`\n\nIf the mail server requires authentication, the username to use.\n\n`SMTP_PASS` - `string`\n\nIf the mail server requires authentication, the password to use.\n\n`SMTP_MAX_FREQUENCY` - `number`\n\nControls the minimum amount of time that must pass before sending another signup confirmation or password reset email. The value is the number of seconds. Defaults to 900 (15 minutes).\n\n`SMTP_SENDER_NAME` - `string`\n\nSets the name of the sender. Defaults to the `SMTP_ADMIN_EMAIL` if not used.\n\n`MAILER_AUTOCONFIRM` - `bool`\n\nIf you do not require email confirmation, you may set this to `true`. Defaults to `false`.\n\n`MAILER_OTP_EXP` - `number`\n\nControls the duration an email link or OTP is valid for.\n\n`MAILER_URLPATHS_INVITE` - `string`\n\nURL path to use in the user invite email. Defaults to `/verify`.\n\n`MAILER_URLPATHS_CONFIRMATION` - `string`\n\nURL path to use in the signup confirmation email. Defaults to `/verify`.\n\n`MAILER_URLPATHS_RECOVERY` - `string`\n\nURL path to use in the password reset email. 
Defaults to `/verify`.\n\n`MAILER_URLPATHS_EMAIL_CHANGE` - `string`\n\nURL path to use in the email change confirmation email. Defaults to `/verify`.\n\n`MAILER_SUBJECTS_INVITE` - `string`\n\nEmail subject to use for user invite. Defaults to `You have been invited`.\n\n`MAILER_SUBJECTS_CONFIRMATION` - `string`\n\nEmail subject to use for signup confirmation. Defaults to `Confirm Your Signup`.\n\n`MAILER_SUBJECTS_RECOVERY` - `string`\n\nEmail subject to use for password reset. Defaults to `Reset Your Password`.\n\n`MAILER_SUBJECTS_MAGIC_LINK` - `string`\n\nEmail subject to use for magic link email. Defaults to `Your Magic Link`.\n\n`MAILER_SUBJECTS_EMAIL_CHANGE` - `string`\n\nEmail subject to use for email change confirmation. Defaults to `Confirm Email Change`.\n\n`MAILER_SUBJECTS_PASSWORD_CHANGED_NOTIFICATION` - `string`\n\nEmail subject to use for password changed notification. Defaults to `Your password has been changed`.\n\n`MAILER_SUBJECTS_EMAIL_CHANGED_NOTIFICATION` - `string`\n\nEmail subject to use for email changed notification. Defaults to `Your email address has been changed`.\n\n`GOTRUE_MAILER_SUBJECTS_MFA_FACTOR_ENROLLED_NOTIFICATION` - `string`\n\nEmail subject to use for MFA factor enrolled notification. Defaults to `A new MFA factor has been enrolled`.\n\n`GOTRUE_MAILER_SUBJECTS_MFA_FACTOR_UNENROLLED_NOTIFICATION` - `string`\n\nEmail subject to use for MFA factor unenrolled notification. Defaults to `An MFA factor has been unenrolled`.\n\n`MAILER_TEMPLATES_INVITE` - `string`\n\nURL path to an email template to use when inviting a user. (e.g. `https://www.example.com/path-to-email-template.html`)\n`SiteURL`, `Email`, and `ConfirmationURL` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eYou have been invited\u003c/h2\u003e\n\n\u003cp\u003e\n  You have been invited to create a user on {{ .SiteURL }}. 
Follow this link to\n  accept the invite:\n\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"{{ .ConfirmationURL }}\"\u003eAccept the invite\u003c/a\u003e\u003c/p\u003e\n```\n\n`MAILER_TEMPLATES_CONFIRMATION` - `string`\n\nURL path to an email template to use when confirming a signup. (e.g. `https://www.example.com/path-to-email-template.html`)\n`SiteURL`, `Email`, and `ConfirmationURL` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eConfirm your signup\u003c/h2\u003e\n\n\u003cp\u003eFollow this link to confirm your user:\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"{{ .ConfirmationURL }}\"\u003eConfirm your mail\u003c/a\u003e\u003c/p\u003e\n```\n\n`MAILER_TEMPLATES_RECOVERY` - `string`\n\nURL path to an email template to use when resetting a password. (e.g. `https://www.example.com/path-to-email-template.html`)\n`SiteURL`, `Email`, and `ConfirmationURL` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eReset Password\u003c/h2\u003e\n\n\u003cp\u003eFollow this link to reset the password for your user:\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"{{ .ConfirmationURL }}\"\u003eReset Password\u003c/a\u003e\u003c/p\u003e\n```\n\n`MAILER_TEMPLATES_MAGIC_LINK` - `string`\n\nURL path to an email template to use when sending magic link. (e.g. `https://www.example.com/path-to-email-template.html`)\n`SiteURL`, `Email`, and `ConfirmationURL` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eMagic Link\u003c/h2\u003e\n\n\u003cp\u003eFollow this link to login:\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"{{ .ConfirmationURL }}\"\u003eLog In\u003c/a\u003e\u003c/p\u003e\n```\n\n`MAILER_TEMPLATES_EMAIL_CHANGE` - `string`\n\nURL path to an email template to use when confirming the change of an email address. (e.g. 
`https://www.example.com/path-to-email-template.html`)\n`SiteURL`, `Email`, `NewEmail`, and `ConfirmationURL` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eConfirm Change of Email\u003c/h2\u003e\n\n\u003cp\u003e\n  Follow this link to confirm the update of your email from {{ .Email }} to {{\n  .NewEmail }}:\n\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"{{ .ConfirmationURL }}\"\u003eChange Email\u003c/a\u003e\u003c/p\u003e\n```\n\n`MAILER_TEMPLATES_PASSWORD_CHANGED_NOTIFICATION` - `string`\n\nURL path to an email template to use when notifying a user that their password has been changed. (e.g. `https://www.example.com/path-to-email-template.html`)\n`Email` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eYour password has been changed\u003c/h2\u003e\n\n\u003cp\u003e\n  This is a confirmation that the password for your account {{ .Email }} has\n  just been changed. If you did not make this change, please contact support\n  immediately.\n\u003c/p\u003e\n\u003cp\u003eIf you did not make this change, please contact support.\u003c/p\u003e\n```\n\n`GOTRUE_MAILER_NOTIFICATIONS_PASSWORD_CHANGED_ENABLED` - `bool`\n\nWhether to send a notification email when a user's password is changed. Defaults to `false`.\n\n`MAILER_TEMPLATES_EMAIL_CHANGED_NOTIFICATION` - `string`\n\nURL path to an email template to use when notifying a user that their email has been changed. (e.g. 
`https://www.example.com/path-to-email-template.html`)\n`Email` and `OldEmail` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eYour email address has been changed\u003c/h2\u003e\n\n\u003cp\u003e\n  The email address for your account has been changed from {{ .OldEmail }} to {{\n  .Email }}.\n\u003c/p\u003e\n\u003cp\u003eIf you did not make this change, please contact support.\u003c/p\u003e\n```\n\n`GOTRUE_MAILER_NOTIFICATIONS_EMAIL_CHANGED_ENABLED` - `bool`\n\nWhether to send a notification email when a user's email is changed. Defaults to `false`.\n\n`GOTRUE_MAILER_TEMPLATES_PHONE_CHANGED_NOTIFICATION` - `string`\n\nURL path to an email template to use when notifying a user that their phone number has been changed. (e.g. `https://www.example.com/path-to-email-template.html`)\n`Email`, `Phone`, and `OldPhone` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eYour phone number has been changed\u003c/h2\u003e\n\n\u003cp\u003e\n  The phone number for your account {{ .Email }} has been changed from {{\n  .OldPhone }} to {{ .Phone }}.\n\u003c/p\u003e\n\u003cp\u003eIf you did not make this change, please contact support immediately.\u003c/p\u003e\n```\n\n`GOTRUE_MAILER_NOTIFICATIONS_PHONE_CHANGED_ENABLED` - `bool`\n\nWhether to send a notification email when a user's phone number is changed. Defaults to `false`.\n\n`GOTRUE_MAILER_TEMPLATES_IDENTITY_LINKED_NOTIFICATION` - `string`\n\nURL path to an email template to use when notifying a user that a new identity has been linked to their account. (e.g. 
`https://www.example.com/path-to-email-template.html`)\n`Email` and `Provider` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eA new identity has been linked\u003c/h2\u003e\n\n\u003cp\u003e\n  A new identity ({{ .Provider }}) has been linked to your account {{ .Email }}.\n\u003c/p\u003e\n\u003cp\u003eIf you did not make this change, please contact support immediately.\u003c/p\u003e\n```\n\n`GOTRUE_MAILER_NOTIFICATIONS_IDENTITY_LINKED_ENABLED` - `bool`\n\nWhether to send a notification email when a new identity is linked to a user's account. Defaults to `false`.\n\n`GOTRUE_MAILER_TEMPLATES_IDENTITY_UNLINKED_NOTIFICATION` - `string`\n\nURL path to an email template to use when notifying a user that an identity has been unlinked from their account. (e.g. `https://www.example.com/path-to-email-template.html`)\n`Email` and `Provider` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eAn identity has been unlinked\u003c/h2\u003e\n\n\u003cp\u003e\n  An identity ({{ .Provider }}) has been unlinked from your account {{ .Email\n  }}.\n\u003c/p\u003e\n\u003cp\u003eIf you did not make this change, please contact support immediately.\u003c/p\u003e\n```\n\n`GOTRUE_MAILER_NOTIFICATIONS_IDENTITY_UNLINKED_ENABLED` - `bool`\n\nWhether to send a notification email when an identity is unlinked from a user's account. Defaults to `false`.\n\n`GOTRUE_MAILER_TEMPLATES_MFA_FACTOR_ENROLLED_NOTIFICATION` - `string`\n\nURL path to an email template to use when notifying a user that they have enrolled in a new MFA factor. (e.g. 
`https://www.example.com/path-to-email-template.html`)\n`Email` and `FactorType` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eMFA factor has been enrolled\u003c/h2\u003e\n\n\u003cp\u003e\n  A new factor ({{ .FactorType }}) has been enrolled for your account {{ .Email\n  }}.\n\u003c/p\u003e\n\u003cp\u003eIf you did not make this change, please contact support immediately.\u003c/p\u003e\n```\n\n`GOTRUE_MAILER_NOTIFICATIONS_MFA_FACTOR_ENROLLED_ENABLED` - `bool`\n\nWhether to send a notification email when a user enrolls in a new MFA factor. Defaults to `false`.\n\n`GOTRUE_MAILER_TEMPLATES_MFA_FACTOR_UNENROLLED_NOTIFICATION` - `string`\n\nURL path to an email template to use when notifying a user that they have unenrolled from an MFA factor. (e.g. `https://www.example.com/path-to-email-template.html`)\n`Email` and `FactorType` variables are available.\n\nDefault Content (if template is unavailable):\n\n```html\n\u003ch2\u003eMFA factor has been unenrolled\u003c/h2\u003e\n\n\u003cp\u003e\n  A factor ({{ .FactorType }}) has been unenrolled for your account {{ .Email\n  }}.\n\u003c/p\u003e\n\u003cp\u003eIf you did not make this change, please contact support immediately.\u003c/p\u003e\n```\n\n`GOTRUE_MAILER_NOTIFICATIONS_MFA_FACTOR_UNENROLLED_ENABLED` - `bool`\n\nWhether to send a notification email when a user unenrolls from an MFA factor. Defaults to `false`.\n\n### Phone Auth\n\n`SMS_AUTOCONFIRM` - `bool`\n\nIf you do not require phone confirmation, you may set this to `true`. Defaults to `false`.\n\n`SMS_MAX_FREQUENCY` - `number`\n\nControls the minimum amount of time that must pass before sending another SMS OTP. The value is the number of seconds. 
Defaults to 60 (1 minute).\n\n`SMS_OTP_EXP` - `number`\n\nControls the duration an SMS OTP is valid for.\n\n`SMS_OTP_LENGTH` - `number`\n\nControls the number of digits of the SMS OTP sent.\n\n`SMS_PROVIDER` - `string`\n\nAvailable options are: `twilio`, `messagebird`, `textlocal`, and `vonage`.\n\nThen you can use your [twilio credentials](https://www.twilio.com/docs/usage/requests-to-twilio#credentials):\n\n- `SMS_TWILIO_ACCOUNT_SID`\n- `SMS_TWILIO_AUTH_TOKEN`\n- `SMS_TWILIO_MESSAGE_SERVICE_SID` - can be set to your twilio sender mobile number\n\nOr Messagebird credentials, which can be obtained in the [Dashboard](https://dashboard.messagebird.com/en/developers/access):\n\n- `SMS_MESSAGEBIRD_ACCESS_KEY` - your Messagebird access key\n- `SMS_MESSAGEBIRD_ORIGINATOR` - SMS sender (your Messagebird phone number with + or company name)\n\n### CAPTCHA\n\n- If enabled, CAPTCHA will check the request body for the `captcha_token` field and make a verification request to the CAPTCHA provider.\n\n`SECURITY_CAPTCHA_ENABLED` - `string`\n\nWhether the captcha middleware is enabled.\n\n`SECURITY_CAPTCHA_PROVIDER` - `string`\n\nFor now the only supported options are hCaptcha and Turnstile.\n\n- `SECURITY_CAPTCHA_SECRET` - `string`\n- `SECURITY_CAPTCHA_TIMEOUT` - `string`\n\nRetrieve these from your hCaptcha or Turnstile account.\n\n### Reauthentication\n\n`SECURITY_UPDATE_PASSWORD_REQUIRE_REAUTHENTICATION` - `bool`\n\nEnforce reauthentication on password update.\n\n### Anonymous Sign-Ins\n\n`GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED` - `bool`\n\nUse this to enable/disable anonymous sign-ins.\n\n### IP address forwarding\n\n`GOTRUE_SECURITY_SB_FORWARDED_FOR_ENABLED` - `bool`\n\nEnable IP address forwarding using the `Sb-Forwarded-For` HTTP request header. When enabled, Auth will parse the first value of this header as an IP address and use it for IP address tracking and rate limiting. 
Make sure this header is fully trusted before enabling this feature by only passing it from trustworthy clients or proxies.\n\n## Endpoints\n\nAuth exposes the following endpoints:\n\n### **GET /settings**\n\nReturns the publicly available settings for this auth instance.\n\n```json\n{\n  \"external\": {\n    \"apple\": true,\n    \"azure\": true,\n    \"bitbucket\": true,\n    \"discord\": true,\n    \"facebook\": true,\n    \"figma\": true,\n    \"github\": true,\n    \"gitlab\": true,\n    \"google\": true,\n    \"keycloak\": true,\n    \"linkedin\": true,\n    \"notion\": true,\n    \"slack\": true,\n    \"snapchat\": true,\n    \"spotify\": true,\n    \"twitch\": true,\n    \"twitter\": true,\n    \"workos\": true\n  },\n  \"disable_signup\": false,\n  \"autoconfirm\": false\n}\n```\n\n### **POST, PUT /admin/users/\u003cuser_id\u003e**\n\nCreates (POST) or Updates (PUT) the user based on the `user_id` specified. The `ban_duration` field accepts the following time units: \"ns\", \"us\", \"ms\", \"s\", \"m\", \"h\". See [`time.ParseDuration`](https://pkg.go.dev/time#ParseDuration) for more details on the format used.\n\n```js\nheaders:\n{\n  \"Authorization\": \"Bearer eyJhbGciOiJI...M3A90LCkxxtX9oNP9KZO\" // requires a role claim that can be set in the GOTRUE_JWT_ADMIN_ROLES env var\n}\n\nbody:\n{\n  \"role\": \"test-user\",\n  \"email\": \"email@example.com\",\n  \"phone\": \"12345678\",\n  \"password\": \"secret\", // only if type = signup\n  \"email_confirm\": true,\n  \"phone_confirm\": true,\n  \"user_metadata\": {},\n  \"app_metadata\": {},\n  \"ban_duration\": \"24h\" or \"none\" // to unban a user\n}\n```\n\n### **POST /admin/generate_link**\n\nReturns the corresponding email action link based on the type specified. 
Among other things, the response also contains the query params of the action link as separate JSON fields for convenience (along with the email OTP from which the corresponding token is generated).\n\n```js\nheaders:\n{\n  \"Authorization\": \"Bearer eyJhbGciOiJI...M3A90LCkxxtX9oNP9KZO\" // admin role required\n}\n\nbody:\n{\n  \"type\": \"signup\" or \"magiclink\" or \"recovery\" or \"invite\" or \"email_change_current\" or \"email_change_new\",\n  \"email\": \"email@example.com\",\n  \"password\": \"secret\", // only if type = signup\n  \"data\": {\n    ...\n  }, // only if type = signup\n  \"redirect_to\": \"https://supabase.io\" // Redirect URL to send the user to after an email action. Defaults to SITE_URL.\n\n}\n```\n\nReturns\n\n```js\n{\n  \"action_link\": \"http://localhost:9999/verify?token=TOKEN\u0026type=TYPE\u0026redirect_to=REDIRECT_URL\",\n  \"email_otp\": \"EMAIL_OTP\",\n  \"hashed_token\": \"TOKEN\",\n  \"verification_type\": \"TYPE\",\n  \"redirect_to\": \"REDIRECT_URL\",\n  ...\n}\n```\n\n### **POST /signup**\n\nRegister a new user with an email and password.\n\n```json\n{\n  \"email\": \"email@example.com\",\n  \"password\": \"secret\"\n}\n```\n\nreturns:\n\n```js\n{\n  \"id\": \"11111111-2222-3333-4444-5555555555555\",\n  \"email\": \"email@example.com\",\n  \"confirmation_sent_at\": \"2016-05-15T20:49:40.882805774-07:00\",\n  \"created_at\": \"2016-05-15T19:53:12.368652374-07:00\",\n  \"updated_at\": \"2016-05-15T19:53:12.368652374-07:00\"\n}\n\n// if sign up is a duplicate then faux data will be returned\n// as to not leak information about whether a given email\n// has an account with your service or not\n```\n\nRegister a new user with a phone number and password.\n\n```js\n{\n  \"phone\": \"12345678\", // follows the E.164 format\n  \"password\": \"secret\"\n}\n```\n\nReturns:\n\n```js\n{\n  \"id\": \"11111111-2222-3333-4444-5555555555555\", // if duplicate sign up, this ID will be faux\n  \"phone\": \"12345678\",\n  
\"confirmation_sent_at\": \"2016-05-15T20:49:40.882805774-07:00\",\n  \"created_at\": \"2016-05-15T19:53:12.368652374-07:00\",\n  \"updated_at\": \"2016-05-15T19:53:12.368652374-07:00\"\n}\n```\n\nif AUTOCONFIRM is enabled and the sign up is a duplicate, then the endpoint will return:\n\n```json\n{\n  \"code\": 400,\n  \"msg\": \"User already registered\"\n}\n```\n\n### **POST /resend**\n\nAllows a user to resend an existing signup, sms, email_change or phone_change OTP.\n\n```json\n{\n  \"email\": \"user@example.com\",\n  \"type\": \"signup\"\n}\n```\n\n```json\n{\n  \"phone\": \"12345678\",\n  \"type\": \"sms\"\n}\n```\n\nreturns:\n\n```json\n{\n  \"message_id\": \"msgid123456\"\n}\n```\n\n### **POST /invite**\n\nInvites a new user with an email.\nThis endpoint requires the `service_role` or `supabase_admin` JWT set as an Auth Bearer header:\n\ne.g.\n\n```js\nheaders: {\n  \"Authorization\" : \"Bearer eyJhbGciOiJI...M3A90LCkxxtX9oNP9KZO\"\n}\n```\n\n```json\n{\n  \"email\": \"email@example.com\"\n}\n```\n\nReturns:\n\n```json\n{\n  \"id\": \"11111111-2222-3333-4444-5555555555555\",\n  \"email\": \"email@example.com\",\n  \"confirmation_sent_at\": \"2016-05-15T20:49:40.882805774-07:00\",\n  \"created_at\": \"2016-05-15T19:53:12.368652374-07:00\",\n  \"updated_at\": \"2016-05-15T19:53:12.368652374-07:00\",\n  \"invited_at\": \"2016-05-15T19:53:12.368652374-07:00\"\n}\n```\n\n### **POST /verify**\n\nVerify a registration or a password recovery. 
Type can be `signup`, `recovery`, `invite`, `magiclink`, `email_change`, `sms`, or `phone_change`\nand the `token` is a token returned from either `/signup` or `/recover`.\n\n```json\n{\n  \"type\": \"signup\",\n  \"token\": \"confirmation-code-delivered-in-email\"\n}\n```\n\n`password` is required for signup verification if no existing password exists.\n\nReturns:\n\n```json\n{\n  \"access_token\": \"jwt-token-representing-the-user\",\n  \"token_type\": \"bearer\",\n  \"expires_in\": 3600,\n  \"refresh_token\": \"a-refresh-token\",\n  \"type\": \"signup | recovery | invite | magiclink | email_change | sms | phone_change\"\n}\n```\n\nVerify a phone signup or SMS OTP. Type should be set to `sms`.\n\n```json\n{\n  \"type\": \"sms\",\n  \"token\": \"confirmation-otp-delivered-in-sms\",\n  \"redirect_to\": \"https://supabase.io\",\n  \"phone\": \"phone-number-sms-otp-was-delivered-to\"\n}\n```\n\nReturns:\n\n```json\n{\n  \"access_token\": \"jwt-token-representing-the-user\",\n  \"token_type\": \"bearer\",\n  \"expires_in\": 3600,\n  \"refresh_token\": \"a-refresh-token\"\n}\n```\n\n### **GET /verify**\n\nVerify a registration or a password recovery. 
Type can be `signup`, `recovery`, `magiclink`, `invite`, or `email_change`\nand the `token` is a token returned from either `/signup` or `/recover` or `/magiclink`.\n\nquery params:\n\n```json\n{\n  \"type\": \"signup\",\n  \"token\": \"confirmation-code-delivered-in-email\",\n  \"redirect_to\": \"https://supabase.io\"\n}\n```\n\nUser will be logged in and redirected to:\n\n```\nSITE_URL/#access_token=jwt-token-representing-the-user\u0026token_type=bearer\u0026expires_in=3600\u0026refresh_token=a-refresh-token\u0026type=invite\n```\n\nYour app should detect the query params in the fragment and use them to set the session (supabase-js does this automatically).\n\nYou can use the `type` param to redirect the user to a password set form in the case of `invite` or `recovery`,\nor show an account confirmed/welcome message in the case of `signup`, or direct them to some additional onboarding flow.\n\n### **POST /otp**\n\nOne-Time-Password. Will deliver a magic link or SMS OTP to the user depending on whether the request body contains an \"email\" or \"phone\" key.\n\nIf `\"create_user\": true`, the user will not be automatically signed up if the user doesn't exist.\n\n```js\n{\n  \"phone\": \"12345678\", // follows the E.164 format\n  \"create_user\": true\n}\n```\n\nOR\n\n```js\n// exactly the same as /magiclink\n{\n  \"email\": \"email@example.com\",\n  \"create_user\": true\n}\n```\n\nReturns:\n\n```json\n{}\n```\n\n### **POST /magiclink** (recommended to use /otp instead. See above.)\n\nMagic Link. Will deliver a link (e.g. 
`/verify?type=magiclink\u0026token=fgtyuf68ddqdaDd`) to the user based on\nemail address which they can use to redeem an access_token.\n\nBy default Magic Links can only be sent once every 60 seconds.\n\n```json\n{\n  \"email\": \"email@example.com\"\n}\n```\n\nReturns:\n\n```json\n{}\n```\n\nWhen the magic link is clicked, it will redirect to `\u003cSITE_URL\u003e#access_token=x\u0026refresh_token=y\u0026expires_in=z\u0026token_type=bearer\u0026type=magiclink` (see `/verify` above).\n\n### **POST /recover**\n\nPassword recovery. Will deliver a password recovery mail to the user based on\nemail address.\n\nBy default recovery links can only be sent once every 60 seconds.\n\n```json\n{\n  \"email\": \"email@example.com\"\n}\n```\n\nReturns:\n\n```json\n{}\n```\n\n### **POST /token**\n\nThis is an OAuth2 endpoint that currently implements\nthe password and refresh_token grant types.\n\nquery params:\n\n```\n?grant_type=password\n```\n\nbody:\n\n```js\n// Email login\n{\n  \"email\": \"name@domain.com\",\n  \"password\": \"somepassword\"\n}\n\n// Phone login\n{\n  \"phone\": \"12345678\",\n  \"password\": \"somepassword\"\n}\n```\n\nor\n\nquery params:\n\n```\n?grant_type=refresh_token\n```\n\nbody:\n\n```json\n{\n  \"refresh_token\": \"a-refresh-token\"\n}\n```\n\nOnce you have an access token, you can access the methods requiring authentication\nby setting the `Authorization: Bearer YOUR_ACCESS_TOKEN_HERE` header.\n\nReturns:\n\n```json\n{\n  \"access_token\": \"jwt-token-representing-the-user\",\n  \"token_type\": \"bearer\",\n  \"expires_in\": 3600,\n  \"refresh_token\": \"a-refresh-token\"\n}\n```\n\n### **GET /user**\n\nGet the JSON object for the logged in user (requires authentication).\n\nReturns:\n\n```json\n{\n  \"id\": \"11111111-2222-3333-4444-5555555555555\",\n  \"email\": \"email@example.com\",\n  \"confirmation_sent_at\": \"2016-05-15T20:49:40.882805774-07:00\",\n  \"created_at\": \"2016-05-15T19:53:12.368652374-07:00\",\n  \"updated_at\": 
\"2016-05-15T19:53:12.368652374-07:00\"\n}\n```\n\n### **PUT /user**\n\nUpdate a user (Requires authentication). Apart from changing email/password, this\nmethod can be used to set custom user data. Changing the email will result in a magic link being sent out.\n\n```json\n{\n  \"email\": \"new-email@example.com\",\n  \"password\": \"new-password\",\n  \"phone\": \"+123456789\",\n  \"data\": {\n    \"key\": \"value\",\n    \"number\": 10,\n    \"admin\": false\n  }\n}\n```\n\nReturns:\n\n```json\n{\n  \"id\": \"11111111-2222-3333-4444-5555555555555\",\n  \"email\": \"email@example.com\",\n  \"email_change_sent_at\": \"2016-05-15T20:49:40.882805774-07:00\",\n  \"phone\": \"+123456789\",\n  \"phone_change_sent_at\": \"2016-05-15T20:49:40.882805774-07:00\",\n  \"created_at\": \"2016-05-15T19:53:12.368652374-07:00\",\n  \"updated_at\": \"2016-05-15T19:53:12.368652374-07:00\"\n}\n```\n\nIf `GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_REAUTHENTICATION` is enabled, the user will need to reauthenticate first.\n\n```json\n{\n  \"password\": \"new-password\",\n  \"nonce\": \"123456\"\n}\n```\n\n### **GET /reauthenticate**\n\nSends a nonce to the user's email (preferred) or phone. This endpoint requires the user to be logged in / authenticated first. The user needs to have either an email or phone number for the nonce to be sent successfully.\n\n```js\nheaders: {\n  \"Authorization\" : \"Bearer eyJhbGciOiJI...M3A90LCkxxtX9oNP9KZO\"\n}\n```\n\n### **POST /logout**\n\nLogout a user (Requires authentication).\n\nThis will revoke all refresh tokens for the user. 
Remember that the JWT tokens\nwill still be valid for stateless auth until they expire.\n\n### **GET /authorize**\n\nGet access_token from external oauth provider\n\nquery params:\n\n```\nprovider=apple | azure | bitbucket | discord | facebook | figma | github | gitlab | google | keycloak | linkedin | notion | slack | snapchat | spotify | twitch | twitter | workos\n\nscopes=\u003coptional additional scopes depending on the provider (email and name are requested by default)\u003e\n```\n\nRedirects to provider and then to `/callback`\n\nFor Apple-specific setup see: \u003chttps://github.com/supabase/auth#apple-oauth\u003e\n\n### **GET /callback**\n\nExternal provider should redirect to this endpoint\n\nRedirects to `\u003cGOTRUE_SITE_URL\u003e#access_token=\u003caccess_token\u003e\u0026refresh_token=\u003crefresh_token\u003e\u0026provider_token=\u003cprovider_oauth_token\u003e\u0026expires_in=3600\u0026provider=\u003cprovider_name\u003e`\nIf additional scopes were requested then `provider_token` will be populated, you can use this to fetch additional data from the provider or interact with their services\n","funding_links":["https://github.com/sponsors/supabase"],"categories":["Go","User Management","Authentication"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsupabase%2Fauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsupabase%2Fauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsupabase%2Fauth/lists"}