Part Four: GoTrue


How to restrict table access to authenticated users, row level policies, and email domain based access.


Gotrue Server

Gotrue is an auth API server written in Go by the Netlify team. Find the Supabase fork here: The list of available API endpoints is available here.

When you deploy a new Supabase project, we deploy a new instance of this server alongside your database, and also inject your database with the required auth schema.

It makes it super easy to, for example, send magic link emails which your users can use to log in:

# replace <project-ref> with your own project reference
# and SUPABASE_KEY with your anon api key
# set "email" to the address that should receive the magic link
curl -X POST 'https://<project-ref>' \
-H "apikey: SUPABASE_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": ""
}'

Gotrue is responsible for issuing access tokens for your users, sending confirmation, magic-link, and password recovery emails (by default we send these from a Supabase SMTP server, but you can easily plug in your own inside the dashboard at Auth > Settings), and transacting with third-party OAuth providers to get basic user data.
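Because Gotrue issues the access tokens, any backend that receives one has to verify it before trusting a claim in it. The check below is an added example, not code from this page or from the Gotrue project; it assumes HS256-signed JWT access tokens carrying sub, role and exp claims and a shared JWT secret, and every token, secret and function name in it is constructed for illustration.

```javascript
const crypto = require('node:crypto');
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Demo-only helper: builds the constructed sample tokens used below.
function signToken(header, claims, secret) {
  const input = `${enc(header)}.${enc(claims)}`;
  return `${input}.${hmac(input, secret).toString('base64url')}`;
}

// Returns the verified claims, or throws. `secret` is the project's JWT secret
// (assumption: tokens are HS256 JWTs carrying `sub`, `role` and `exp`).
function verifyAccessToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  let header;
  try { header = dec(h); } catch { throw new Error('malformed token'); }
  // Pin the algorithm server-side; never let the token choose it (e.g. "none").
  if (!header || header.alg !== 'HS256') throw new Error('unexpected alg');
  // Check the signature in constant time before reading any claim.
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error('bad signature');
  const claims = dec(p); // payload is authentic from here on
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.role !== 'authenticated') throw new Error('role not allowed');
  return claims;
}

function check(token, secret, now) {
  try { return `ok:${verifyAccessToken(token, secret, now).sub}`; }
  catch (e) { return `rejected:${e.message}`; }
}

// Constructed sample data (not real project values).
const SECRET = 'constructed-demo-secret', NOW = 1700000000;
const user = { sub: 'constructed-user-id', role: 'authenticated', exp: NOW + 3600 };
const good = signToken({ alg: 'HS256', typ: 'JWT' }, user, SECRET);
const [gh, , gs] = good.split('.');
const samples = {
  good,
  unsigned: `${enc({ alg: 'none' })}.${enc(user)}.`,
  tampered: `${gh}.${enc({ ...user, sub: 'someone-else' })}.${gs}`,
  expired: signToken({ alg: 'HS256' }, { ...user, exp: NOW - 1 }, SECRET),
};
for (const [name, t] of Object.entries(samples)) console.log(name, check(t, SECRET, NOW));
```

In production, use a maintained JWT library with the algorithm pinned in the same way.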

The community even recently built in the functionality to request custom OAuth scopes, if your users need to interact more closely with the provider. See the scopes parameter here:

So let's say you want to send emails on behalf of a user via Gmail. You might request the gmail.send scope by directing them to:

You'll have to make sure your Google app is verified, of course, in order to request these advanced scopes.

Gotrue-js (and also gotrue-csharp, gotrue-py, gotrue-kt, and gotrue-dart) are all wrappers around the gotrue API endpoints, and make for easier session management inside your client.

But all the functionality of gotrue-js is also available in supabase-js, which uses gotrue-js internally when you do things like:

const { user, session, error } = await supabase.auth.signIn({
email: '',
password: 'example-password',
})

If you want to request a feature, or contribute to the project directly, just head to and open some issues/PRs, we're always open to help.

In the next guide we'll be looking at how to set up external OAuth providers: Watch Part Five: Google OAuth

