Swarmz

Authentication

Email, OAuth, magic links, and SSO with built-in session management

Cloud ships with a complete auth system wired into every project. Sign-up, sign-in, OAuth, magic links, password reset, and SSO are pre-configured — you just call the auto-shipped supabase client from your code and the agent handles the rest.

What's included

Every Cloud project gets the following out of the box:

  • Email + password — with email verification and branded templates
  • Magic links — passwordless sign-in via one-click email
  • OAuth providers — Google, GitHub, and Apple pre-configured (no client IDs to register)
  • Password reset — timing-safe, enumeration-safe recovery flow
  • SAML SSO — Okta, Google Workspace, Azure AD on the Enterprise plan

The supabase client is imported from @/lib/supabase (or wherever the agent placed it) and works in the browser, on the server, and in edge functions.

Sign-up and sign-in flows

The most common pattern uses email and password. The agent will scaffold the form components for you, but here are the underlying calls.

Sign up

import { supabase } from '@/lib/supabase';

const { data, error } = await supabase.auth.signUp({
  email: 'jane@acme.com',
  password: 'a-strong-password',
  options: {
    data: { first_name: 'Jane', last_name: 'Doe' },
    emailRedirectTo: `${window.location.origin}/auth/callback`,
  },
});

Cloud sends a branded confirmation email via Resend. The user clicks the link, lands on /auth/callback, and the session is established automatically.

Sign in

const { data, error } = await supabase.auth.signInWithPassword({
  email: 'jane@acme.com',
  password: 'a-strong-password',
});

Sign out

await supabase.auth.signOut();

This clears the session from localStorage and revokes the user's refresh tokens server-side, so the client can no longer mint new access tokens. The access token itself is a stateless JWT: any server-side check that only validates the signature will keep accepting it until it expires (at most one hour). Treat sign-out as "the client forgets the session and cannot refresh it", not as instant revocation of in-flight tokens.

Get the current user

const { data: { user } } = await supabase.auth.getUser();

if (user) {
  console.log(user.id, user.email);
}

getUser() makes a network call that validates the JWT against the auth server, so use it whenever the answer matters (authorization decisions, anything that runs server-side). For purely client-side reads such as toggling UI, use supabase.auth.getSession() — it reads the stored session from localStorage without round-tripping, which also means it returns whatever is in storage without verifying it.

OAuth providers

Google, GitHub, and Apple are managed by Cloud — no developer console setup, no client secrets to rotate. Trigger an OAuth sign-in like this:

await supabase.auth.signInWithOAuth({
  provider: 'google',
  options: {
    redirectTo: `${window.location.origin}/auth/callback`,
  },
});

Swap 'google' for 'github' or 'apple'. The user is redirected to the provider, completes consent, and lands back on your callback route with a session.

Adding a custom provider

Want Discord, Microsoft, Slack, or Twitch? Open your project's Cloud tab → Authentication → Providers, click Add provider, paste your client ID and secret, and the redirect URL is generated for you. The provider is enabled immediately — no redeploy needed.

Magic links

For passwordless sign-in, send a one-click link via email:

const { error } = await supabase.auth.signInWithOtp({
  email: 'jane@acme.com',
  options: {
    emailRedirectTo: `${window.location.origin}/auth/callback`,
  },
});

The user clicks the link in their inbox, hits /auth/callback, and is signed in. No password required. Magic links also double as the "Resend confirmation email" mechanism on the post-signup screen.
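Both the OAuth flow and the magic-link flow land on /auth/callback, and most apps then forward the user to the page they originally asked for. The following is an added example, not Swarmz or Supabase code; it assumes the app carries that destination through the callback as a `next` query parameter (e.g. /auth/callback?next=/dashboard), which this page does not describe. The point it demonstrates is that the destination must be validated as a same-origin path before redirecting, otherwise the callback becomes an open redirect that phishing pages can chain onto a real sign-in.

```javascript
// Added example, not part of the Swarmz docs or the supabase-js client.
// Assumes a hypothetical `next` query parameter on /auth/callback.

// Return a same-origin path for `next`, or `fallback` for anything else.
function safeNextPath(next, appOrigin, fallback = '/') {
  if (typeof next !== 'string' || next.length === 0) return fallback;
  let url;
  try {
    // Resolving against the app origin lets the WHATWG URL parser normalise
    // "..", "//evil.com", "/\evil.com" and similar tricks for us, instead of
    // hand-rolled string checks that are easy to bypass.
    url = new URL(next, appOrigin);
  } catch {
    return fallback;
  }
  // Only same-origin http(s) destinations are allowed. This rejects absolute
  // URLs to other hosts, protocol-relative "//evil.com", lookalike hosts such
  // as app.example.evil.com, and non-http schemes such as javascript:.
  if (url.origin !== appOrigin) return fallback;
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback;
  // Never bounce back into the auth routes themselves (redirect loops).
  if (url.pathname.startsWith('/auth/')) return fallback;
  return url.pathname + url.search + url.hash;
}

// Build the redirectTo value for signInWithOAuth / signInWithOtp, carrying
// the (already validated) `next` path on the callback route.
function buildCallbackUrl(appOrigin, next) {
  const cb = new URL('/auth/callback', appOrigin);
  const safe = safeNextPath(next, appOrigin);
  if (safe !== '/') cb.searchParams.set('next', safe);
  return cb.toString();
}

// Constructed usage: in the browser, appOrigin is window.location.origin.
const APP_ORIGIN = 'https://app.example';
console.log(buildCallbackUrl(APP_ORIGIN, '/dashboard?tab=billing'));
console.log(safeNextPath('//evil.com/phish', APP_ORIGIN)); // rejected -> '/'
```

On the callback route, read `next` back out of the query string and pass it through safeNextPath again before redirecting; the value arrives from the provider round-trip and must be treated as untrusted input even though your own code put it there.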

Session management

Sessions are JWT-based. The access token expires in one hour; refresh tokens are rotated automatically by the client. By default, sessions persist in localStorage, so users stay signed in across reloads and tabs. Because localStorage is readable by any script running on your origin, an XSS bug in your app or a compromised third-party script can read both tokens; a strict Content-Security-Policy and care with what you inject into the DOM are part of keeping sessions safe.

Subscribe to auth changes for reactive UIs:

import { useEffect, useState } from 'react';
import { supabase } from '@/lib/supabase';

export function useAuth() {
  const [user, setUser] = useState(null);

  useEffect(() => {
    supabase.auth.getSession().then(({ data }) => {
      setUser(data.session?.user ?? null);
    });

    const { data: sub } = supabase.auth.onAuthStateChange((_event, session) => {
      setUser(session?.user ?? null);
    });

    return () => sub.subscription.unsubscribe();
  }, []);

  return user;
}

onAuthStateChange fires on SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED, and USER_UPDATED (and the other supabase-js auth events, such as PASSWORD_RECOVERY and the INITIAL_SESSION event emitted when the listener is registered) — handle them however you need.

Server-side verification

In edge functions, server actions, or any backend code, verify a JWT before trusting the caller. Decoding the token's payload is not verification: the claims are plain base64 that anyone can forge, and only a signature check proves they were issued by the auth server. POST the user's access token to the auth verify endpoint and use the user it returns:

// accessToken is the bearer token the client sent, typically taken from the
// incoming request's Authorization: Bearer <token> header.
const res = await fetch('https://api.swarmz.net/v1/auth/verify', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ token: accessToken }),
});

// Fail closed: a non-2xx response is not a verified user.
if (!res.ok) throw new Error('Unauthorized');

const { user, valid } = await res.json();
if (!valid) throw new Error('Unauthorized');
// From here on, use `user` (the server's answer), never claims decoded from the token.

See the full reference in the Auth API section — including refresh, revoke, and admin user-management endpoints.

Row-level security and auth.uid()

Auth and the database are tightly coupled. Inside any Postgres policy or function, auth.uid() returns the signed-in user's ID — letting you write RLS policies like created_by = auth.uid() without any glue code. See /docs/cloud/database for RLS patterns and policy examples.

Email templates

Confirmation, magic link, and password reset emails ship with Swarmz branding by default. To customize subject lines, copy, logos, or HTML, open your project's Cloud tab → Authentication → Email Templates. Variables like {{ .ConfirmationURL }} and {{ .UserName }} are injected at send time. Changes propagate within seconds — no redeploy.

SSO (SAML / Okta / Google Workspace)

SAML SSO is available on the Enterprise plan only. Contact sales to enable it on your workspace.

Once enabled, configure your IdP (Okta, Azure AD, Google Workspace, OneLogin) under Cloud tab → Authentication → SSO. Paste the metadata XML, map attributes, and your team can sign in via SAML — no per-user provisioning needed.
