Policies

Supabase JWT Auth Policy

The Supabase JWT Authentication policy allows you to authenticate incoming requests using a token created by supabase.com.

When configured, you can have Zuplo check incoming requests for a JWT token and automatically populate the ZuploRequest's user property with a user object.

This user object will have a sub property - taking the sub id from the JWT token. It will also have a data property populated by other data returned in the JWT token - including all your claims, user_metadata and app_metadata.

You can also require specific claims to have specific values to allow authentication to complete, providing a layer of authorization.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{ "name": "my-supabase-jwt-auth-inbound-policy", "policyType": "supabase-jwt-auth-inbound", "handler": { "export": "SupabaseJwtInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "allowUnauthenticatedRequests": false, "requiredClaims": { "claim_1": [ "valid_value_1", "valid_value_2" ] }, "secret": "$env(SUPABASE_JWT_SECRET)" } } }

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • secret <string> (Required) -
    The key used to verify the signature of the JWT token.
  • allowUnauthenticatedRequests <boolean> -
    Indicates whether the request should continue if authentication fails. Default is false which means unauthenticated users will automatically receive a 401 response.
    Defaults to false.
  • requiredClaims <object> -
    Any claims that must be present for authentication to succeed - multiple valid values can be specified for each claim.

Using the Policy

Authorization#

You can also require certain claims to be valid by specifying this in the options. For example, if you require the claim user_role to be either admin or supa_user, you would configure the policy as follows:

{ "export": "SupabaseJwtInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "secret": "$env(SUPABASE_JWT_SECRET)", "allowUnauthenticatedRequests": false, "requiredClaims": { "user_role": ["admin", "supa_user"] } } }

Read more about how policies work

Previous
PropelAuth JWT Auth