Auth
Overview
Authentication, sessions, MFA, and admin user management.
The auth namespace wraps the GoTrue (Supabase Auth) API. Access it via supabase.auth after constructing a client. Methods use snake_case names, single-hash credentials, and keyword arguments for top-level options.
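```ruby
# Build a client from environment configuration.
supabase = Supabase.create_client(
  supabase_url: ENV.fetch("SUPABASE_URL"),
  supabase_key: ENV.fetch("SUPABASE_ANON_KEY")
)

# Credentials are passed as a single hash of keyword arguments.
supabase.auth.sign_in_with_password(email: "ada@example.com", password: "secret")
```
Sign-in / sign-up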
| Method | Description |
|---|---|
| sign_up | Create a new user with email/phone + password. |
| sign_in_with_password | Sign in with email/phone + password. |
| sign_in_with_otp | Send a magic-link or SMS one-time password. |
| sign_in_with_oauth | Build a redirect URL for a third-party OAuth provider. |
| sign_in_with_id_token | Sign in with a provider-issued ID token (e.g. Google, Apple). |
| sign_in_with_sso | Sign in via SAML SSO using domain or provider ID. |
| sign_in_anonymously | Create and sign in an anonymous user. |
| sign_out | Revoke the current session and clear local storage. |
| verify_otp | Verify a one-time password and produce a session. |
| resend | Resend a magic link, SMS OTP, or signup confirmation. |
Sessions & user
| Method | Description |
|---|---|
| get_session | Return the current session, refreshing it if needed. |
| refresh_session | Force-refresh the session using a refresh token. |
| set_session | Restore a session from existing access + refresh tokens. |
| get_user | Fetch the user for the current (or a supplied) access token. |
| get_user_identities | List the OAuth identities linked to the current user. |
| update_user | Update the current user's email, password, or metadata. |
| get_claims | Decode and verify JWT claims for the current (or supplied) token. |
| reauthenticate | Trigger a fresh nonce challenge for the current user. |
| reset_password_for_email | Send a password-reset email. |
| on_auth_state_change | Subscribe to SIGNED_IN / SIGNED_OUT / TOKEN_REFRESHED events. |
| exchange_code_for_session | Finish a PKCE flow by exchanging the auth code for a session. |
| link_identity | Link an OAuth identity to the current user. |
| unlink_identity | Unlink an OAuth identity from the current user. |
MFA (supabase.auth.mfa)
| Method | Description |
|---|---|
| mfa.enroll | Enroll a new TOTP or phone factor. |
| mfa.challenge | Start a verification challenge for a factor. |
| mfa.verify | Submit a code to satisfy a challenge. |
| mfa.challenge_and_verify | Challenge + verify in one call. |
| mfa.unenroll | Remove an MFA factor. |
| mfa.list_factors | List the current user's verified factors. |
| mfa.get_authenticator_assurance_level | Inspect AAL1/AAL2 state from the current JWT. |
Admin (supabase.auth.admin)
The admin API requires a service_role key — see the admin overview for the warning and setup pattern.
| Method | Description |
|---|---|
| admin.create_user | Create a user directly, bypassing email/phone confirmation. |
| admin.list_users | List users with pagination. |
| admin.get_user_by_id | Fetch a single user by UUID. |
| admin.update_user_by_id | Update any field on any user. |
| admin.delete_user | Hard- or soft-delete a user. |
| admin.invite_user_by_email | Send a signup invitation email. |
| admin.generate_link | Generate magic-link / recovery / invite / signup URLs without sending the email. |
Calling style
Ruby's hash-literal shorthand lets you write sign_in_with_password(email: "...", password: "...") directly. Sub-options stay nested under options: { ... } to match the wire payload.