A short-lived token (usually a JWT) sent with every request to prove the user is authenticated.
An Access Token is a short-lived credential (typically valid for 1 hour) that proves you are logged in. It is sent with every HTTP Request to your Backend so the server knows who is making the request.
In Supabase, access tokens are JWTs (JSON Web Tokens) that contain your user ID, email, and other metadata. They are cryptographically signed, so a forged or altered token fails verification on the server.
Access tokens are intentionally short-lived for security: if one is stolen, it only works for a limited time. When it expires, your app uses a Refresh Token to get a new one automatically. This happens behind the scenes — you don't write any code for it.
The Supabase JavaScript library handles storing the access token and including it in the Authorization HTTP Header of every request.
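What "signed" and "short-lived" mean for the backend, as an added example that is not Supabase's own code: a minimal HS256 JWT issue-and-verify routine using Node's built-in `crypto`. The secret, claim values, timestamps and function names are constructed for illustration, and HS256 with a shared secret is an assumption about how the token is signed.

```javascript
// Added example: sign and verify an HS256 JWT with Node's built-in crypto.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed; stands in for the real signing key
const b64url = (input) => Buffer.from(input).toString('base64url');
const sign = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest('base64url');

// Build a token the way an auth server would (claims are constructed sample values).
function issueToken(claims, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  return `${header}.${payload}.${sign(`${header}.${payload}`, secret)}`;
}

// Backend-side check: algorithm, signature, then expiry. Returns the claims or throws.
function verifyToken(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, signature] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  if (alg !== 'HS256') throw new Error('unexpected algorithm'); // pin the algorithm
  const expected = Buffer.from(sign(`${header}.${payload}`, secret));
  const given = Buffer.from(signature);
  // timingSafeEqual requires equal lengths, so compare lengths first.
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('token expired');
  return claims;
}

// Replace the payload with edited claims while keeping the original signature.
function tamper(token, newClaims) {
  const [header, , signature] = token.split('.');
  return `${header}.${b64url(JSON.stringify(newClaims))}.${signature}`;
}

// Returns the user ID on success, or the rejection reason.
function outcome(token, secret, now) {
  try { return verifyToken(token, secret, now).sub; } catch (e) { return e.message; }
}

const demoNow = 1700000000; // constructed timestamp (seconds)
const demo = issueToken({ sub: 'user-123', email: 'user@example.com', exp: demoNow + 3600 }, SECRET);
console.log(outcome(demo, SECRET, demoNow));                            // valid token
console.log(outcome(tamper(demo, { sub: 'user-999' }), SECRET, demoNow)); // edited payload
console.log(outcome(demo, SECRET, demoNow + 3600));                     // one hour later
```
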