Enable Supabase Auth for your app built with Sabo. You’ll configure Supabase, set env vars, verify preconfigured clients, protect routes, implement sign-in/sign-up (incl. OAuth and Magic Link), and support password recovery.
Quick Setup
Set up Supabase (Dashboard)
Create your project and configure Auth settings:
- Copy your Project URL and anon public key (Dashboard → Settings → API). You can start from the Supabase Dashboard.
- Set your Site URL and add
/auth/callbackto Additional Redirect URLs for dev and prod (Dashboard → Auth → URL Configuration). Guide: Redirect URLs. - Optional: enable your social providers (e.g., Google, GitHub, Apple, Facebook) and use
/auth/callbackas the callback (Dashboard → Auth → Providers). See the full list: Social login. Example guide: Login with Google.
Multiple domains/apps? Add each origin to Additional Redirect URLs and expose a callback endpoint on every domain that needs to complete the code exchange. See Redirect URLs.
Confirm: env keys are set,
/auth/callback is whitelisted for the domains you use, and (if enabled) providers redirect back successfully.Define environment variables
Add these environment variables to your local
.env (or .env.local) and to your hosting provider..env
Run the app and ensure env vars are loaded (no undefined errors).
Verify preconfigured clients
Sabo already ships with multiple clients:
- Browser client:
src/lib/supabase/client.ts - Server client (cookies wired):
src/lib/supabase/server.ts
Run locally and ensure there are no missing env errors for
NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY.Route protection (summary)
Sabo applies a global Supabase auth middleware that:
- keeps auth cookies in sync for SSR,
- redirects signed-out users away from protected pages,
- redirects signed-in users away from auth pages.
For full patterns (matchers, includes/excludes, Stripe webhook exclusion, roles/tenants), see Routing & Middleware.
Authentication Flows
Sabo supports four main authentication flows:- Email/Password - Traditional email and password sign-in/sign-up
- Magic Link - Passwordless authentication via email link
- OAuth - Social login with Google, GitHub, Apple
- Password Reset - Forgot password and reset flow
Email/Password Flow
Sign In Flow
The email/password sign-in uses a two-step UX for better security and flexibility:Step 1: Enter email (/sign-in)
User enters their email address on What happens:
/sign-in page.src/app/(auth)/sign-in/page.tsx
- Email is validated (client-side)
- Email is stored in
sessionStoragefor next step - User is redirected to
/sign-in/confirm
Step 2: Choose authentication method (/sign-in/confirm)
User sees two options:What happens:
- Magic Link - Send a passwordless login link via email
- Password - Enter password to sign in
src/app/(auth)/sign-in/confirm/page.tsx
- Email is retrieved from
sessionStorageand shown (disabled) - User can choose Magic Link OR password
- Password sign-in → calls
signIn()server action → redirects to/dashboard - Magic Link → calls
signInWithMagicLink()→ sends email → user waits for email
Need to customize confirmation, magic link, or password reset emails? Follow Auth Emails with Resend for template editing, SMTP setup, and deliverability guidance.
Sign Up Flow
Sign-up follows a similar two-step pattern:Step 1: Enter name and email (/sign-up)
User enters full name and email address.
src/app/(auth)/sign-up/page.tsx
Step 2: Choose registration method (/sign-up/confirm)
User chooses:
- Magic Link - Complete registration via email link (no password needed)
- Password - Create a password-based account
src/app/(auth)/sign-up/confirm/page.tsx
Magic Link Flow
Magic Links provide passwordless authentication - users receive an email with a one-time login link.User requests magic link
From either
/sign-in/confirm or /sign-up/confirm, user clicks “Send magic link” button.Server action sends email
src/app/(auth)/actions.ts
- Supabase sends email with magic link
- Email contains link like:
https://yourapp.com/auth/callback?token_hash=abc123&type=email - User clicks link in email
OAuth Flow
Sabo supports OAuth social login with Google, GitHub, and Apple.Configure OAuth providers (Supabase)
- Go to Supabase Dashboard → Authentication → Providers
- Enable your desired providers (Google, GitHub, Apple)
- For each provider, set:
- Client ID (from provider’s developer console)
- Client Secret (from provider’s developer console)
- Redirect URL: Use Supabase’s callback URL (automatically provided)
Server action initiates OAuth
src/app/(auth)/actions.ts
- Supabase generates OAuth URL for the provider
- User is redirected to provider’s login page (e.g., Google sign-in)
- User grants permission to your app
OAuth sign-in automatically creates a user account if it doesn’t exist. No separate sign-up flow needed.User data (name, email, avatar) is fetched from the OAuth provider and stored in Supabase.
Password Reset Flow
Users who forget their password can reset it via email.Server action sends reset email
src/app/(auth)/actions.ts
- Supabase sends password reset email
- Email contains link like:
https://yourapp.com/auth/callback?token_hash=xyz&type=recovery - User clicks link
Callback redirects to reset page
User clicks reset link → What happens:
/auth/callback?token_hash=...&type=recoverysrc/app/auth/callback/route.ts
- Callback verifies reset token
- If valid: redirects to
/reset-password - User is now authenticated with a temporary session
Auth Callback Route
The/auth/callback route is the central hub for all authentication flows. It handles:
- OAuth code exchange
- Magic link verification
- Email confirmation
- Password reset links
src/app/auth/callback/route.ts
For request/response schemas, status codes, and example tests for this route, see the Auth Callback API reference.
Error Handling & UI Patterns
Loading States
All auth actions should show loading indicators:Error States
Display errors from server actions:Toast Notifications
Usesonner for success messages:
Form Validation
Client-side validation before calling server actions:Query Parameter Banners
Show contextual messages based on URL parameters:src/app/(auth)/sign-in/page.tsx
Auth Routes Summary
| Route | Purpose | Redirects to |
|---|---|---|
/sign-in | Email entry (step 1) | /sign-in/confirm |
/sign-in/confirm | Password or Magic Link (step 2) | /dashboard (success) |
/sign-up | Name + email entry (step 1) | /sign-up/confirm |
/sign-up/confirm | Password or Magic Link (step 2) | /sign-in?signup=success |
/forgot-password | Request password reset email | /sign-in?reset=true |
/reset-password | Enter new password (after email link) | /sign-in (success) |
/auth/callback | OAuth & email verification handler | /dashboard or /reset-password |