Use this file to discover all available pages before exploring further.
PowerSync allows generating temporary development tokens for authentication.This is useful for developers who want to get up and running quickly, without full auth integration.This can also be used to generate a token for a specific user to debug issues.
Check the Development tokens setting and save your changes
Click the Connect button in the top bar
Enter a user ID:
If your Sync Streams/Rules data isn’t filtered by user (same data syncs to all users), you can use any value (e.g., test-user).
If your data is filtered by , use a user ID that matches a user in your database. PowerSync uses this (e.g. auth.user_id() in Sync Streams or request.user_id() in Sync Rules) to determine what to sync.
Click Generate Token and copy the token
Development tokens expire after 12 hours.
Follow the steps below. Steps 1 and 2 configure signing keys and your PowerSync Service config; in Step 3 you can use the PowerSync CLI (recommended) or the test-client to generate the token.
1
Step 1: Generate signing keys
Generate a temporary private/public key-pair (RS256) or shared key (HS256) for JWT signing and verification.
RS256
HS256
Use an online JWK generator like mkjwk.org (select RSA, 2048 bits, Signature use, RS256 algorithm).Or generate locally with Node.js:
# Install pem-jwk if needednpm install -g pem-jwk# Generate private keyopenssl genrsa -out private-key.pem 2048# Convert public key to JWK formatopenssl rsa -in private-key.pem -pubout | pem-jwk
Use an online JWK generator like mkjwk.org (select oct, 256 bits, Signature use, HS256 algorithm) - this outputs base64url directly.Or generate and convert using OpenSSL:
# Generate and convert to base64urlopenssl rand -base64 32 | tr '+/' '-_' | tr -d '='
For production environments, shared secrets (HS256) are not recommended.
2
Step 2: Update your config
Add the client_auth parameter to your PowerSync config (e.g. service.yaml):
RS256
HS256
Copy the JWK values from mkjwk.org or the pem-jwk output, then add to your config:
service.yaml
# Client (application end user) authentication settingsclient_auth: # static collection of public keys for JWT verification jwks: keys: - kty: 'RSA' n: '[rsa-modulus]' e: '[rsa-exponent]' alg: 'RS256' kid: 'dev-key-1'
Copy the k value from mkjwk.org or the OpenSSL output, then add to your config:
service.yaml
# Client (application end user) authentication settingsclient_auth: audience: ['http://localhost:8080', 'http://127.0.0.1:8080'] # static collection of public keys for JWT verification jwks: keys: - kty: oct alg: 'HS256' k: '[base64url-encoded-shared-secret]' kid: 'dev-key-1'
These examples use static jwks: keys: for simplicity. For production, we recommend using jwks_uri to point to a JWKS endpoint instead. See Custom Authentication for more details.
3
Step 3: Generate a development token
Choose either the PowerSync CLI (recommended) or the test-client:
CLI (recommended)
test-client
Apply your config changes (e.g. restart your PowerSync Service or run powersync docker reset if running locally with Docker), then run:
powersync generate token --subject=test-user
Replace test-user with the user ID you want to authenticate:
If your Sync Streams/Rules data isn’t filtered by user (same data syncs to all users), you can use any value (e.g., test-user).
If your data is filtered by , use a user ID that matches a user in your database. PowerSync uses this (e.g. auth.user_id() in Sync Streams or request.user_id() in Sync Rules) to determine what to sync.
Replace test-user with the user ID you want to authenticate:
If your Sync Streams/Rules data isn’t filtered by user (same data syncs to all users), you can use any value (e.g., test-user).
If your data is filtered by , use a user ID that matches a user in your database. PowerSync uses this (e.g. auth.user_id() in Sync Streams or request.user_id() in Sync Rules) to determine what to sync.
Development tokens can be used for testing purposes either with the Sync Diagnostics Client, the test-client, or your app itself (for development purposes).
The Sync Diagnostics Client allows you to quickly test syncing and inspect a user’s SQLite database, to verify that your PowerSync Service configuration and Sync Streams / Sync Rules behave as expected.
The test-client is useful for testing of syncing without persisting anything to a client-side SQLite database. Amongst other things, it can be used for load testing, simulating many client syncing concurrently. Consult the README for details on how to provide the development token as argument to test-client supported commands.
To use the temporary development token in your application, update the fetchCredentials() function in your backend connector to return the generated token.
async fetchCredentials(): Promise<PowerSyncCredentials> { // for development: use development token return { endpoint: 'https://your-instance.powersync.com', token: 'your-development-token-here' };}
