Part Four: GoTrue

About#

How to restrict table access to authenticated users, row level policies, and email domain based access.

Watch#

Gotrue Server#

Gotrue is an auth API server written in Go by the Netlify team, find the Supabase fork here: https://github.com/supabase/gotrue. The list of available API endpoints is available here.

When you deploy a new Supabase project, we deploy a new instance of this server alongside your database, and also inject your database with the required auth schema.

It makes it super easy to, for example, send magic link emails which your users can use to login:

1# replace <project-ref> with your own project reference
2# and SUPABASE_KEY with your anon api key
3curl -X POST 'https://<project-ref>.supabase.co/auth/v1/magiclink' \
4-H "apikey: SUPABASE_KEY" \
5-H "Content-Type: application/json" \
6-d '{
7  "email": "someone@email.com"
8}'

Gotrue is responsible for issuing access tokens for your users, sends confirmation, magic-link, and password recovery emails (by default we send these from a Supabase SMTP server, but you can easily plug in your own inside the dashboard at Auth > Settings) and also transacting with third party OAuth providers to get basic user data.

The community even recently built in the functionality to request custom OAuth scopes, if your users need to interact more closely with the provider. See the scopes parameter here: https://github.com/supabase/gotrue#get-authorize.

So let's say you want to send emails on behalf of a user via gmail, you might request the gmail.send scope by directing them to:

https://sjvwsaokcugktsdaxxze.supabase.co/auth/v1/authorize?provider=google&https://www.googleapis.com/auth/gmail.send

You'll have to make sure your google app is verified of course in order to request these advanced scopes.

Gotrue-js (and also gotrue-csharp, gotrue-py, gotrue-kt, and gotrue-dart) are all wrappers around the gotrue API endpoints, and make for easier session management inside your client.

But all the functionality of gotrue-js is also available in supabase-js, which uses gotrue-js internally when you do things like:

const { user, session, error } = await supabase.auth.signIn({
  email: 'example@email.com',
  password: 'example-password',
})

If you want to request a feature, or contribute to the project directly, just head to https://github.com/supabase/gotrue and open some issues/PRs, we're always open to help.

In the next guide we'll be looking at how to setup external OAuth providers: Watch Part Five: Google Oauth

Resources#

• JWT debugger: https://jwt.io​

Next steps#

• Watch Part One: JWTs
• Watch Part Two: Row Level Security
• Watch Part Three: Policies
• Watch Part Five: Google Oauth
• Sign up for Supabase: app.supabase.com