Update a user
Update the current user's email, password, or metadata.
Mutate the currently signed-in user. The same method handles email change, password change, and arbitrary user-metadata updates — pick the attribute keys that match what you want to change.
update_user PUTs to /user with the access token of the current session, persists the refreshed user object back into the session, and emits a USER_UPDATED event to every on_auth_state_change subscriber. An active session is required — without one the method raises Supabase::Auth::Errors::AuthSessionMissing.
Signature
```ruby
supabase.auth.update_user(attributes, options = {})
```
Two positional arguments: an attributes Hash with the user fields to change, and an optional options Hash. Because Ruby's hash-literal shorthand lets you drop the braces on the last positional Hash, calls look keyword-y (update_user(email: "...")) — but the method takes a single attributes Hash, not keyword arguments.
Parameters
attributes
| Name | Type | Required | Description |
|---|---|---|---|
| email | String | Optional | New email address. Triggers a confirmation email to the new address; the change applies only after the user clicks the link. |
| password | String | Optional | New password. Applied immediately on the next request. The current session is reissued by GoTrue. |
| phone | String | Optional | New phone number in E.164 format. Triggers an OTP to the new number that must be verified via verify_otp before the change applies. |
| data | Hash | Optional | Arbitrary user_metadata. Replaces top-level keys you provide; other existing keys are preserved server-side. |
| nonce | String | Optional | A reauthentication nonce. Required by GoTrue when password updates demand a fresh reauthenticate call. See reauthenticate. |
options
| Name | Type | Required | Description |
|---|---|---|---|
| email_redirect_to | String | Optional | URL to embed in the email-change confirmation link sent to the new address. |
Returns
A Struct with a single :user field of type Supabase::Auth::Types::User — the updated user record returned by GoTrue. The wrapping client also rebuilds and persists the current session (access_token / refresh_token are preserved, user is replaced) and fires USER_UPDATED. Raises AuthSessionMissing if no session is active.
Example — change password
```ruby
response = supabase.auth.update_user(password: "new-strong-password-2026")
response.user.id
```
Example — change email
```ruby
response = supabase.auth.update_user(
  { email: "ada.new@example.com" },
  email_redirect_to: "https://app.example.com/auth/email-changed"
)
# response.user.email is still the OLD email until the user clicks the
# confirmation link sent to the new address.
```
Example — update user_metadata
```ruby
supabase.auth.update_user(data: {
  full_name: "Ada Lovelace",
  preferences: { theme: "dark", locale: "en-GB" }
})
```
Example — multiple changes at once
```ruby
supabase.auth.update_user(
  email: "ada.new@example.com",
  password: "new-strong-password-2026",
  data: { full_name: "Ada Lovelace" }
)
```
An email change kicks off a confirmation flow and does not flip the user's email field until the new address confirms; a password change applies immediately. Raises AuthSessionMissing when no session is present rather than silently sending an anonymous request.
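Because a single attributes Hash carries email, password, phone and metadata changes alike, an endpoint meant only for profile edits should build that Hash from an allow-list instead of forwarding request parameters. The following is an added example, not code from the library: profile_update_attributes, update_profile, RecordingAuth and the permitted metadata keys are assumptions made for illustration.

```ruby
# Added example: allow-list what a "profile edit" endpoint passes to update_user.
# Helper names and PROFILE_METADATA_KEYS are assumptions, not part of the library.
PROFILE_METADATA_KEYS = %w[full_name preferences].freeze # assumed application policy
CREDENTIAL_KEYS = %w[email password phone nonce].freeze  # keys from the attributes table

# Build a metadata-only attributes Hash from untrusted request parameters.
# Credential keys are rejected rather than silently dropped, so a tampered
# request surfaces as an error the application can log.
def profile_update_attributes(params)
  params = params.transform_keys(&:to_s)
  smuggled = params.keys & CREDENTIAL_KEYS
  raise ArgumentError, "credential keys not allowed here: #{smuggled.join(', ')}" unless smuggled.empty?

  data = params.fetch("data", {})
  raise ArgumentError, "data must be a Hash" unless data.is_a?(Hash)

  data = data.transform_keys(&:to_s)
  unknown = data.keys - PROFILE_METADATA_KEYS
  raise ArgumentError, "metadata keys not allowed: #{unknown.join(', ')}" unless unknown.empty?

  { data: data.transform_keys(&:to_sym) }
end

# auth is anything that responds to update_user(attributes, options = {}).
def update_profile(auth, params)
  auth.update_user(profile_update_attributes(params))
end

# Stand-in for supabase.auth that records what it was sent. Constructed for
# this example; it performs no network calls.
class RecordingAuth
  attr_reader :calls

  def initialize
    @calls = []
  end

  def update_user(attributes, options = {})
    @calls << [attributes, options]
    Struct.new(:user).new(attributes)
  end
end
```

Password, email and phone changes then go through their own code paths, where the application can require the reauthentication nonce or confirmation step described in the attributes table.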