Auth

Part Four: GoTrue

About

How to restrict table access to authenticated users, row level policies, and email domain based access.

Watch

GoTrue Server

GoTrue is an auth API server written in Go by the Netlify team, find the Supabase fork here. The list of available API endpoints is available here.

When you deploy a new Supabase project, we deploy a new instance of this server alongside your database, and also inject your database with the required auth schema.

It makes it super easy to, for example, send magic link emails which your users can use to login:


_10
# replace <project-ref> with your own project reference
_10
# and SUPABASE_KEY with your anon api key
_10
curl -X POST 'https://<project-ref>.supabase.co/auth/v1/magiclink' \
_10
-H "apikey: SUPABASE_KEY" \
_10
-H "Content-Type: application/json" \
_10
-d '{
_10
"email": "[email protected]"
_10
}'

GoTrue is responsible for issuing access tokens for your users, sends confirmation, magic-link, and password recovery emails (by default we send these from a Supabase SMTP server, but you can easily plug in your own inside the dashboard at Project Settings > Auth) and also transacting with third party OAuth providers to get basic user data.

The community even recently built in the functionality to request custom OAuth scopes, if your users need to interact more closely with the provider. See the scopes parameter here: https://github.com/supabase/gotrue#get-authorize.

So let's say you want to send emails on behalf of a user via Gmail, you might request the gmail.send scope by directing them to:


_10
https://sjvwsaokcugktsdaxxze.supabase.co/auth/v1/authorize?provider=google&https://www.googleapis.com/auth/gmail.send

You'll have to make sure your Google app is verified of course in order to request these advanced scopes.

gotrue-js (and also gotrue-csharp, gotrue-py, gotrue-kt, and gotrue-dart) are all wrappers around the GoTrue API endpoints, and make for easier session management inside your client.

But all the functionality of gotrue-js is also available in supabase-js, which uses gotrue-js internally when you do things like:


_10
const { user, session, error } = await supabase.auth.signInWithPassword({
_10
_10
password: 'example-password',
_10
})

If you want to request a feature, or contribute to the project directly, just head to https://github.com/supabase/gotrue and open some issues/PRs, we're always open to help.

In the next guide we'll be looking at how to setup external OAuth providers: Watch Part Five: Google OAuth

Resources

Next steps