Authentication · intermediate

Access Token

A short-lived token (usually a JWT) sent with every request to prove the user is authenticated.

Detailed Explanation

An Access Token is a short-lived credential (typically valid for 1 hour) that proves you are logged in. It is sent with every HTTP Request to your Backend so the server knows who is making the request.

In Supabase, access tokens are JWTs (JSON Web Tokens) that contain your user ID, email, and other metadata. They are cryptographically signed, so a token that has been forged or tampered with fails signature verification and is rejected.

Access tokens are intentionally short-lived for security: if one is stolen, it only works for a limited time. When it expires, your app uses a Refresh Token to get a new one automatically. This happens behind the scenes — you don't write any code for it.

The Supabase JavaScript library handles storing the access token and including it in the Authorization HTTP Header of every request.
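How a backend can check the token described above, as an added example that is not Supabase's own code or part of the original page. It assumes an HS256-signed JWT and a shared secret; the function names, secret, and user values are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Constructed stand-in for the auth server: mints a signed token (sample data only).
function signToken(claims, secret) {
  const body = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${b64url(hmac(body, secret))}`;
}

// Pull the token out of an "Authorization: Bearer <token>" header value.
function bearerToken(headerValue) {
  const match = /^Bearer ([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/.exec(headerValue || '');
  if (!match) throw new Error('missing bearer token');
  return match[1];
}

// Backend check: pin the algorithm, verify the signature, then enforce expiry.
function verifyAccessToken(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, signature] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
  if (alg !== 'HS256') throw new Error('unexpected algorithm');
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(signature, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('token expired');
  return claims;
}

// Demo with constructed values: a valid token, a tampered one, and an expired one.
function demo(now = 1700000000) {
  const secret = 'constructed-demo-secret';
  const token = signToken({ sub: 'user-123', email: 'user@example.com', exp: now + 3600 }, secret);
  const [h, , s] = token.split('.');
  const forged = `${h}.${b64url(JSON.stringify({ sub: 'someone-else', exp: now + 3600 }))}.${s}`;
  const outcome = (fn) => { try { return fn().sub; } catch (e) { return e.message; } };
  return {
    valid: outcome(() => verifyAccessToken(bearerToken(`Bearer ${token}`), secret, now)),
    tampered: outcome(() => verifyAccessToken(forged, secret, now)),
    expired: outcome(() => verifyAccessToken(token, secret, now + 3600)),
  };
}

console.log(demo());
```

The payload is only base64url-encoded, so anyone holding the token can read its claims; the signature protects integrity, not confidentiality.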
