You can implement various types of authentication when using PowerSync with Supabase:

Standard Supabase Auth

These examples show how to implement fetchCredentials() in your client-side backend connector to get the Supabase JWT from the Supabase Client Library:

Anonymous Sign-Ins

This example shows the use of Supabase’s signInAnonymously(), followed by the implementation of fetchCredentials() to get the JWT from the Supabase Client Library:

Fully Custom Auth

This example shows how to implement Supabase Edge Functions to generate custom JWTs for PowerSync (either for signed-in users or anonymous users) as well as expose a JWKS endpoint:

External Auth Providers

We’ve heard from the community that Supabase’s support for third-party auth providers works with PowerSync, but we don’t have any examples for this yet.

Supabase JWT Signing Keys

Supabase supports two types of JWT signing keys:
| Type | Algorithm | Description |
| --- | --- | --- |
| Legacy JWT signing keys | HS256 (symmetric) | Uses a shared secret to sign and verify tokens. This is the original method. |
| New JWT signing keys | RS256 (asymmetric) | Uses public/private key pairs. Supabase signs tokens with a private key, and PowerSync verifies them using a public key fetched via JWKS. |
PowerSync supports both methods. Which configuration you need depends on your Supabase project’s JWT settings and your PowerSync deployment type.
To check which signing keys your Supabase project uses, go to Project Settings > JWT in your Supabase Dashboard.

PowerSync Cloud

When using PowerSync Cloud with a Supabase-hosted database, PowerSync can auto-detect your Supabase project from the database connection string and configure authentication automatically.

Self-Hosted PowerSync

For self-hosted PowerSync instances, configure authentication in your config.yaml.

Migrating from Legacy to New JWT Signing Keys

If you’re migrating your Supabase project from legacy JWT signing keys to the new asymmetric keys:

Step 1: Complete the Supabase Migration

Follow all steps in Supabase’s JWT signing keys migration guide, including the “Rotate to asymmetric JWTs” step.
The migration is not complete until you complete the “Rotate to asymmetric JWTs” step in Supabase. Skipping this step will cause authentication failures.

Step 2: Update PowerSync Configuration

For PowerSync Cloud and self-hosted with standard Supabase connections:
  • No changes required. PowerSync auto-detects and uses the new JWKS endpoint.
  • If you previously provided a legacy JWT secret, you can remove it (it’s no longer needed).
For manual JWKS configurations:
  • Ensure your JWKS URI (jwks_uri) points to your Supabase JWKS endpoint.
  • Verify that the JWT audience (audience) is configured with the value authenticated.

Step 3: Clear Cached Tokens

Have all users sign out and sign back in. This ensures they receive new tokens signed with the asymmetric keys.

Troubleshooting

Debugging error codes:

PSYNC_S2101: Could not find an appropriate key in the keystore

This error indicates PowerSync cannot verify the JWT signature. Common causes:
| Cause | Solution |
| --- | --- |
| Incomplete Supabase migration | Complete the “Rotate to asymmetric JWTs” step in Supabase’s migration guide. |
| Cached tokens | Have users sign out and sign back in to get fresh tokens. |
| Non-standard connection string | PowerSync couldn’t auto-detect your Supabase project. Use manual JWKS configuration. |
| Wrong JWT secret | For legacy keys, verify the JWT secret matches your Supabase project settings. |

PSYNC_S2105: JWT payload is missing a required claim “aud”

This error occurs when using manual JWKS configuration without specifying an audience. Add the value authenticated to your audience configuration.
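A triage helper for the two error codes above, added here as an example (it is not PowerSync or Supabase code): it decodes the header and payload of the token your fetchCredentials() returns and reports whether it is a leftover legacy HS256 token or lacks the expected audience. The function name, option names, finding strings and sample tokens are assumptions constructed for illustration.

```javascript
// Added example: diagnoseSupabaseJwt, its options and finding strings are hypothetical names.
// It only decodes. The signature is NOT verified, so never use the result for an auth decision.
const decodeSegment = (seg) =>
  JSON.parse(Buffer.from(seg, 'base64url').toString('utf8')) || {};

function diagnoseSupabaseJwt(token, opts = {}) {
  const { expectedAudience = 'authenticated', expectAsymmetric = true,
          now = Math.floor(Date.now() / 1000) } = opts;
  const parts = String(token).split('.');
  if (parts.length !== 3) return { findings: ['malformed: expected header.payload.signature'] };
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { findings: ['malformed: header or payload is not base64url JSON'] };
  }
  const findings = [];
  // After the migration, an HS256 token is a leftover signed with the legacy shared secret.
  if (expectAsymmetric && header.alg === 'HS256') {
    findings.push('legacy HS256 token: matches the "Cached tokens" cause of PSYNC_S2101');
  }
  // aud may be a single string or an array of strings (RFC 7519).
  const aud = payload.aud === undefined ? [] : [].concat(payload.aud);
  if (aud.length === 0) {
    findings.push('token has no "aud" claim (the claim named in PSYNC_S2105)');
  } else if (!aud.includes(expectedAudience)) {
    findings.push(`audience mismatch: token has ${aud.join(',')}, config expects ${expectedAudience}`);
  }
  if (typeof payload.exp === 'number' && payload.exp <= now) {
    findings.push('expired: cached token is past its exp time');
  }
  return { alg: header.alg, kid: header.kid, aud, findings };
}

// Constructed sample tokens (fake signature) so the example runs offline.
const makeToken = (header, payload) =>
  [header, payload].map((o) => Buffer.from(JSON.stringify(o)).toString('base64url'))
    .concat('constructed-signature').join('.');

const legacyToken = makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'user-1', exp: 2000000000 });
const migratedToken = makeToken({ alg: 'RS256', kid: 'constructed-kid', typ: 'JWT' },
  { sub: 'user-1', aud: 'authenticated', exp: 2000000000 });

console.log(diagnoseSupabaseJwt(legacyToken, { now: 1900000000 }).findings);
console.log(diagnoseSupabaseJwt(migratedToken, { now: 1900000000 }).findings);
```

Run it with Node.js against a token captured from a failing client; log only the findings, never the token itself.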

Auto-detection not working

If PowerSync logs this warning:
Supabase Auth is enabled, but no Supabase connection string found. Skipping Supabase JWKS URL configuration.
This means PowerSync couldn’t detect your Supabase project from the database connection string. Use manual JWKS configuration instead.

Sync Rules / Streams

The Supabase user UUID will be available as: To use a different identifier as the user ID in Sync Rules / Streams (for example, user email), use Custom Authentication.