Today we have 3 new announcements for Supabase Auth:
- Support for third-party Auth providers
- Phone-based Multi-factor Authentication (SMS and Whatsapp)
- New Auth Hooks for SMS and email
Let's dive into each new feature.
The headline feature today is third-party Authentication.
Supabase is a modular platform. We've been designing it so that you can choose which products you use with Postgres. You can use our own products (like Supabase Auth) or external products (like Auth0), and in theory the experience should be just-as-delightful.
Until today, using third-party auth products required developers to translate JWTs into a format compatible with Supabase Auth. This is difficult and unmaintainable.
So we fixed it. Today we're adding first-class support for the following third-party authentication products:
- Auth0
- AWS Cognito (standalone or via AWS Amplify)
- Firebase Auth
Migrating auth providers can be costly and technically challenging, especially for applications with large user bases. You can use Supabase's native auth offering alongside your third-party authentication provider to achieve a disruption-free migration.
All of the third-party providers are supported in the Supabase CLI, so you can evaluate, test, and develop your integration for free.
The Supabase client supports third-party auth like this:
_10 import { createClient } from '@supabase/supabase-js' _10 _10 const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, { _10 accessToken: async () => { _10 const accessToken = await auth0.getTokenSilently() _10 return accessToken _10 }, _10 })
We've extended MFA to support SMS and WhatsApp.
We have a strong conviction that all applications should have access to an open and secure authentication provider. Secure-by-default should not be a luxury: developers should have affordable access to security best-practices.
Almost two years ago we launched MFA with TOTP (app authenticator) free of charge. Since then, we've heard a common complaint from developers: app authenticators can be hard to adopt for non-techies. Phone-based MFA is for those developers who want to provide a more accessible MFA experience for their users.
The code looks like this:
_14 // Send an SMS or WhatsApp message to the user _14 const { data: { challengeId } } = await supabase.auth.mfa.challenge({ _14 factorId, _14 }) _14 _14 // To verify the code received by the user _14 await supabase.auth.mfa.verify({ _14 factorId, _14 challengeId, _14 code: '123456', _14 }) _14 _14 // The user's `aal` claim in the JWT _14 // will be upgraded to aal2
We've added a few new Auth Hooks, which supports HTTP endpoints as a webhook now.
Email Hooks
We've heard the (rather loud) feedback that the built-in email templates (based on the Go templating language) can be limiting. There's been a lot of development in email rendering libraries like Resend's React Email. To help make this available for developers, we've added a "Send Email" Auth Hook, which you can use to customize your emails and how they are sent.
SMS Hooks
Supabase Auth has built-in support for popular SMS sending providers like Twilio, Messagebird, Textlocal and Vonage, but we realize this choice can be limiting.
Today we're launching a new "Send SMS" Auth Hook. You no longer need to use the built-in provider - you can implement your own by specifying a HTTP endpoint that receives a POST request when a message needs to be sent.
Check out the docs for more details on how to get started:
- Third-party Authentication
- Multi-factor Authentication
- Auth Hooks