Zuplo DocsZuplo Docs
Authentication

Supabase JWT Auth Policy

The Supabase JWT Authentication policy allows you to authenticate incoming requests using a token created by supabase.com.

When configured, you can have Zuplo check incoming requests for a JWT token and automatically populate the ZuploRequest's user property with a user object.

This user object will have a sub property - taking the sub id from the JWT token. It will also have a data property populated by other data returned in the JWT token - including all your claims, user_metadata and app_metadata.

You can also require specific claims to have specific values to allow authentication to complete, providing a layer of authorization.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-supabase-jwt-auth-inbound-policy",
  "policyType": "supabase-jwt-auth-inbound",
  "handler": {
    "export": "SupabaseJwtInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "allowUnauthenticatedRequests": false,
      "requiredClaims": {
        "claim_1": ["valid_value_1", "valid_value_2"]
      },
      "secret": "$env(SUPABASE_JWT_SECRET)"
    }
  }
}
json

Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be supabase-jwt-auth-inbound.
  • handler.export <string> - The name of the exported type. Value should be SupabaseJwtInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • secret (required) <string> - The key used to verify the signature of the JWT token.
  • allowUnauthenticatedRequests <boolean> - Indicates whether the request should continue if authentication fails. Default is false which means unauthenticated users will automatically receive a 401 response. Defaults to false.
  • requiredClaims <object> - Any claims that must be present for authentication to succeed - multiple valid values can be specified for each claim.

Using the Policy

Authorization

You can also require certain claims to be valid by specifying this in the options. For example, if you require the claim user_role to be either admin or supa_user, you would configure the policy as follows:

{
  "export": "SupabaseJwtInboundPolicy",
  "module": "$import(@zuplo/runtime)",
  "options": {
    "secret": "$env(SUPABASE_JWT_SECRET)",
    "allowUnauthenticatedRequests": false,
    "requiredClaims": {
      "user_role": ["admin", "supa_user"]
    }
  }
}
json

Read more about how policies work

← Previous page
PropelAuth JWT Auth Policy
Next page →
Curity Phantom Token Auth Policy