The process of verifying who a user is -- login, signup, and sessions.
Authentication is the process of verifying someone is who they claim to be. In web apps, this typically means logging in with a username/password, or through OAuth (Sign in with Google/GitHub). After authentication, the Server creates a Session or issues a JSON Web Token to track the user.
Authentication guards protected routes, controls access via RLS, and secures APIs with tokens and API keys. Encryption and Hashing protect passwords. Middleware checks authentication on every request. When authentication fails, Supabase returns a 401 Status Code, which is visible in the Network Tab.
Supabase provides built-in authentication with email/password, magic links, and OAuth providers. In React Router apps, loaders check if the user is authenticated before fetching data, and actions verify the user before saving. The auth.uid() function in RLS policies ensures users can only access their own data. Error Handling in loaders returns redirects to the login page for unauthenticated users. Authentication state is managed with Hooks and determines which routes and components are accessible. Boilerplate auth patterns are commonly generated by Claude Code.
Auth tokens are sent via HTTP Headers (Authorization: Bearer ...) on every request. Without valid auth, permissions fail and RLS Policies block data access, often returning undefined or empty results.
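The loader check and Bearer header described above, as an added example that is not code from the original page: a guard that reads the Authorization header, verifies the token, and redirects unauthenticated requests to the login page. The `verifyToken` callback, the `/login` route, the `next` parameter, and the sample requests are assumptions made for illustration.

```javascript
// Added example: auth guard for a server-side loader. verifyToken is a
// hypothetical stand-in for real token verification; it returns the token's
// claims or throws.
const LOGIN_PATH = "/login"; // assumed route name

// Extract the token from "Authorization: Bearer <token>"; null if malformed.
function bearerToken(request) {
  const header = request.headers.get("Authorization") || "";
  const match = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(header);
  return match ? match[1] : null;
}

// Return the verified user id, or null. Fails closed on any verifier error.
function authenticate(request, verifyToken) {
  const token = bearerToken(request);
  if (!token) return null;
  try {
    const claims = verifyToken(token);
    return claims && typeof claims.sub === "string" ? claims.sub : null;
  } catch {
    return null;
  }
}

// Wrap a loader: unauthenticated requests get a redirect to the login page.
// Only the path and query are kept as the return target, never a full URL,
// so the login page cannot be used to bounce users to another origin.
function requireUser(loader, verifyToken) {
  return ({ request }) => {
    const userId = authenticate(request, verifyToken);
    if (userId) return loader({ request, userId });
    const url = new URL(request.url);
    const next = encodeURIComponent(url.pathname + url.search);
    return new Response(null, {
      status: 302,
      headers: { Location: `${LOGIN_PATH}?next=${next}` },
    });
  };
}

// Constructed sample verifier and requests, for demonstration only.
const demoVerify = (t) => {
  if (t !== "valid.demo.token") throw new Error("bad token");
  return { sub: "user-123" };
};
const notesLoader = requireUser(({ userId }) => ({ owner: userId }), demoVerify);
const withAuth = (value) =>
  new Request("https://app.example/notes?tab=mine", {
    headers: value ? { Authorization: value } : {},
  });
```

The guard only establishes who the caller is; RLS policies still decide which rows that user can read or write.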
Authorization is the related concept that determines what an authenticated user is allowed to do. Together, authentication and authorization form the two pillars of app security. In Supabase, your passwords are hashed using bcrypt before storage, and your login session is managed through an Access Token and Refresh Token pair. An Auth Provider component in React makes auth state available throughout your app.