Supabase

Integrate Stack Auth with Supabase RLS

This guide shows how to integrate Stack Auth with Supabase row level security (RLS).

This guide only focuses on the RLS/JWT integration and does not sync user data between Supabase and Stack. You should use webhooks to achieve data sync.

Setup

Let’s create a sample table and some RLS policies to demonstrate how to integrate Stack Auth with Supabase RLS. You can apply the same logic to your own tables and policies.

Setup Supabase

First, let’s create a Supabase project, then go to the SQL Editor and create a new table with some sample data and RLS policies.

Supabase SQL Editor

1 -- Create the 'data' table
2 CREATE TABLE data (
3   id bigint PRIMARY KEY,
4   text text NOT NULL,
5   user_id UUID
6 );
7 
8 -- Insert sample data
9 INSERT INTO data (id, text, user_id) VALUES
10   (1, 'Everyone can see this', NULL),
11   (2, 'Only authenticated users can see this', NULL),
12   (3, 'Only user with specific id can see this', NULL);
13 
14 -- Enable Row Level Security
15 ALTER TABLE data ENABLE ROW LEVEL SECURITY;
16 
17 -- Allow everyone to read the first row
18 CREATE POLICY "Public read" ON "public"."data" TO public
19 USING (id = 1);
20 
21 -- Allow authenticated users to read the second row
22 CREATE POLICY "Authenticated access" ON "public"."data" TO authenticated
23 USING (id = 2);
24 
25 -- Allow only the owner of the row to read it
26 CREATE POLICY "User access" ON "public"."data" TO authenticated
27 USING (id = 3 AND auth.uid() = user_id);

Setup a new Next.js project

Now let’s create a new Next.js project and install Stack Auth and Supabase client. (more details on Next.js setup, Stack Auth setup, and Supabase setup)

Terminal

$ npx create-next-app@latest -e with-supabase stack-supabase
> cd stack-supabase
> npx @stackframe/init-stack@latest

Now copy the environment variables from the Supabase dashboard to the .env.local file:

NEXT_PUBLIC_SUPABASE_URL
NEXT_PUBLIC_SUPABASE_ANON_KEY
SUPABASE_JWT_SECRET

Copy environment variables from the Stack dashboard to the .env.local file.

NEXT_PUBLIC_STACK_PROJECT_ID
NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY
STACK_SECRET_SERVER_KEY

Set up Supbase client

Now let’s create a server action that mints a supabase JWT with the Stack Auth user ID if the user is authenticated.

/utils/actions.ts

1 'use server';
2 
3 import { stackServerApp } from "@/stack";
4 import * as jose from "jose";
5 
6 export const getSupabaseJwt = async () => {
7   const user = await stackServerApp.getUser();
8 
9   if (!user) {
10     return null;
11   }
12 
13   const token = await new jose.SignJWT({
14     sub: user.id,
15     role: "authenticated",
16   })
17     .setProtectedHeader({ alg: "HS256" })
18     .setIssuedAt()
19     .setExpirationTime('1h')
20     .sign(new TextEncoder().encode(process.env.SUPABASE_JWT_SECRET));
21 
22   return token;
23 };

And now create a helper function to create a Supabase client with the JWT signed by the server action

/utils/supabase-client.ts

1 import { createBrowserClient } from "@supabase/ssr";
2 import { getSupabaseJwt } from "./actions";
3 
4 export const createSupabaseClient = () => {
5   return createBrowserClient(
6     process.env.NEXT_PUBLIC_SUPABASE_URL!,
7     process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
8     { accessToken: async () => await getSupabaseJwt() || "" }
9   );
10 }

Fetch data from Supabase

Let’s create an example page that fetches data from Supabase and displays it.

/app/page.tsx

1 'use client';
2 
3 import { createSupabaseClient } from "@/utils/supabase-client";
4 import { useStackApp, useUser } from "@stackframe/stack";
5 import Link from "next/link";
6 import { useEffect, useState } from "react";
7 
8 export default function Page() {
9   const app = useStackApp();
10   const user = useUser();
11   const supabase = createSupabaseClient();
12   const [data, setData] = useState<null | any[]>(null);
13 
14   useEffect(() => {
15     supabase.from("data").select().then(({ data }) => setData(data ?? []));
16   }, []);
17 
18   const listContent = data === null ? 
19     <p>Loading...</p> :
20     data.length === 0 ?
21       <p>No notes found</p> :
22       data.map((note) => <li key={note.id}>{note.text}</li>);
23 
24   return (
25     <div>
26       {
27         user ? 
28         <>
29           <p>You are signed in</p>
30           <p>User ID: {user.id}</p>
31           <Link href={app.urls.signOut}>Sign Out</Link>
32         </> : 
33         <Link href={app.urls.signIn}>Sign In</Link>
34       }
35       <h3>Supabase data</h3>
36       <ul>{listContent}</ul>
37     </div>
38   )
39 }

Now you should be able to compare the data you can view with an anonymous user, an authenticated user. You can also add your user Id to the row 3 of the Supabase table, and you should be able to see the row if and only if you are signed in with that user.

You can find the full example here on GitHub.

1	-- Create the 'data' table
2	CREATE TABLE data (
3	id bigint PRIMARY KEY,
4	text text NOT NULL,
5	user_id UUID
6	);
7
8	-- Insert sample data
9	INSERT INTO data (id, text, user_id) VALUES
10	(1, 'Everyone can see this', NULL),
11	(2, 'Only authenticated users can see this', NULL),
12	(3, 'Only user with specific id can see this', NULL);
13
14	-- Enable Row Level Security
15	ALTER TABLE data ENABLE ROW LEVEL SECURITY;
16
17	-- Allow everyone to read the first row
18	CREATE POLICY "Public read" ON "public"."data" TO public
19	USING (id = 1);
20
21	-- Allow authenticated users to read the second row
22	CREATE POLICY "Authenticated access" ON "public"."data" TO authenticated
23	USING (id = 2);
24
25	-- Allow only the owner of the row to read it
26	CREATE POLICY "User access" ON "public"."data" TO authenticated
27	USING (id = 3 AND auth.uid() = user_id);

$	npx create-next-app@latest -e with-supabase stack-supabase
>	cd stack-supabase
>	npx @stackframe/init-stack@latest

1	'use server';
2
3	import { stackServerApp } from "@/stack";
4	import * as jose from "jose";
5
6	export const getSupabaseJwt = async () => {
7	const user = await stackServerApp.getUser();
8
9	if (!user) {
10	return null;
11	}
12
13	const token = await new jose.SignJWT({
14	sub: user.id,
15	role: "authenticated",
16	})
17	.setProtectedHeader({ alg: "HS256" })
18	.setIssuedAt()
19	.setExpirationTime('1h')
20	.sign(new TextEncoder().encode(process.env.SUPABASE_JWT_SECRET));
21
22	return token;
23	};

1	import { createBrowserClient } from "@supabase/ssr";
2	import { getSupabaseJwt } from "./actions";
3
4	export const createSupabaseClient = () => {
5	return createBrowserClient(
6	process.env.NEXT_PUBLIC_SUPABASE_URL!,
7	process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
8	{ accessToken: async () => await getSupabaseJwt() \|\| "" }
9	);
10	}

1	'use client';
2
3	import { createSupabaseClient } from "@/utils/supabase-client";
4	import { useStackApp, useUser } from "@stackframe/stack";
5	import Link from "next/link";
6	import { useEffect, useState } from "react";
7
8	export default function Page() {
9	const app = useStackApp();
10	const user = useUser();
11	const supabase = createSupabaseClient();
12	const [data, setData] = useState<null \| any[]>(null);
13
14	useEffect(() => {
15	supabase.from("data").select().then(({ data }) => setData(data ?? []));
16	}, []);
17
18	const listContent = data === null ?
19	<p>Loading...</p> :
20	data.length === 0 ?
21	<p>No notes found</p> :
22	data.map((note) => <li key={note.id}>{note.text}</li>);
23
24	return (
25	<div>
26	{
27	user ?
28	<>
29	<p>You are signed in</p>
30	<p>User ID: {user.id}</p>
31	<Link href={app.urls.signOut}>Sign Out</Link>
32	</> :
33	<Link href={app.urls.signIn}>Sign In</Link>
34	}
35	<h3>Supabase data</h3>
36	<ul>{listContent}</ul>
37	</div>
38	)
39	}