auth-js

An isomorphic JavaScript client library for the Supabase Auth API.

Docs

• Using auth-js: https://supabase.com/docs/reference/javascript/auth-signup
• TypeDoc: https://supabase.github.io/auth-js/v2

Quick start

Install

npm install --save @supabase/auth-js

Usage

import { AuthClient } from '@supabase/auth-js'

const GOTRUE_URL = 'http://localhost:9999'

const auth = new AuthClient({ url: GOTRUE_URL })

• signUp(): https://supabase.io/docs/reference/javascript/auth-signup
• signIn(): https://supabase.io/docs/reference/javascript/auth-signin
• signOut(): https://supabase.io/docs/reference/javascript/auth-signout

Custom fetch implementation

auth-js uses the cross-fetch library to make HTTP requests, but an alternative fetch implementation can be provided as an option. This is most useful in environments where cross-fetch is not compatible, for instance Cloudflare Workers:

import { AuthClient } from '@supabase/auth-js'

const AUTH_URL = 'http://localhost:9999'

const auth = new AuthClient({ url: AUTH_URL, fetch: fetch })

Sponsors

We are building the features of Firebase using enterprise-grade, open source products. We support existing communities wherever possible, and if the products don’t exist we build them and open source them ourselves.

Changelog

2.70.0 (2025-05-16)

Features

• add signInWithWeb3 with solana (#1037) (cff5bcb)
• validate uuid and sign out scope parameters to functions (#1063) (1bcb76e)

Bug Fixes

• add missing deleted_at property to User interface (#1059) (96da194)
• export processLock from toplevel (#1057) (d99695a)

2.69.1 (2025-03-24)

Bug Fixes

• generatePKCEChallenge should use btoa (#1044) (c06fafb)

2.69.0 (2025-03-22)

Features

• introduce getClaims method to verify asymmetric JWTs (#1030) (daa2669)

Bug Fixes

• assert type in decodeJWTPayload (#1018) (3d80039)
• set jwks_cached_at (#1039) (9bdc023)

2.68.0 (2025-01-21)

Features

• consider session expired with margin on getSession() without auto refresh (#1027) (80f88e4)

Bug Fixes

• remove internal-types.ts (#1014) (28ead89)
• update docs to add scrypt (#1012) (1225239)

2.67.3 (2024-12-17)

Bug Fixes

• return redirect errors early (#1003) (9751b80)

2.67.2 (2024-12-16)

Bug Fixes

• isBrowser() to include check on window (#982) (645f224)

2.67.1 (2024-12-13)

Bug Fixes

• revert #992 and #993 (#999) (12b2848)

2.67.0 (2024-12-12)

Features

• wrap navigator.locks.request with plain promise to help zone.js (#989) (2e6e07c), closes #830

Bug Fixes

• add email_address_invalid error code (#994) (232f133)
• return error early for redirects (#992) (9f32d30)

2.66.1 (2024-12-04)

Bug Fixes

• add loose auto complete to string literals where applicable (#966) (fd9248d)
• add new error codes (#979) (dfb40d2)
• don't remove session for identity linking errors (#987) (e68ebe6)

2.66.0 (2024-11-01)

Features

• add process lock for optional use in non-browser environments (React Native) (#977) (8af88b6)

Bug Fixes

• typo in warning message (#975) (4f21f93)
• update soft-deletion docs (#973) (cb052a9)

2.65.1 (2024-10-14)

Bug Fixes

• Call SIGNED_OUT event where session is removed (#854) (436fd9f)
• improve mfa.enroll return types (#956) (8a1ec06)
• move MFA sub types to internal file (#964) (4b7455c)
• remove phone mfa deletion, match on error codes (#963) (ef3911c)

2.65.0 (2024-08-27)

Features

• add bindings for Multi-Factor Authentication (Phone) (#932) (b957c30)
• add kakao to sign in with ID token (#845) (e2337ba)
• remove session, emit SIGNED_OUT when JWT session_id is invalid (#905) (db41710)

Bug Fixes

• Correct typo in GoTrueClient warning message (#938) (8222ee1)
• don't throw error in exchangeCodeForSession (#946) (6e161ec)
• move docker compose to v2 (#940) (38eef89)

2.64.4 (2024-07-12)

Bug Fixes

• update types (#930) (dbc5962)

2.64.3 (2024-06-17)

Bug Fixes

• don't call removeSession prematurely (#915) (e0dc518)
• limit proxy session warning to once per client instance (#900) (4ecfdda)
• patch release workflow (#922) (f84fb50)
• type errors in verifyOtp (#918) (dcd0b9b)

2.64.2 (2024-05-03)

Bug Fixes

• signOut should ignore 403s (#894) (eeb77ce)
• suppress getSession warning whenever _saveSession is called (#895) (59ec9af)

2.64.1 (2024-04-25)

Bug Fixes

• return error if missing session or missing custom auth header (#891) (8d16578)

2.64.0 (2024-04-25)

Features

• remove cache: no-store as it breaks cloudflare (#886) (10e9d38)

Bug Fixes

• Revert "fix: getUser returns null if there is no session (#876)" (#889) (6755fef)
• revert check for access token in header (#885) (03d8ba7)

2.63.2 (2024-04-20)

Bug Fixes

• check for access token in header (#882) (ae4a53d)

2.63.1 (2024-04-18)

Bug Fixes

• getUser returns null if there is no session (#876) (6adf8ca)
• implement exponential back off on the retries of _refreshAccessToken method (#869) (f66711d)
• update session warning (#879) (3661130)

2.63.0 (2024-03-26)

Features

• add method for anonymous sign-in (#858) (e8a1fc9)
• add support for error codes (#855) (99821f4)
• explicit cache: no-store in fetch (#847) (034bee0)
• warn use of getSession() when isServer on storage (#846) (9ea94fe)

Bug Fixes

• refactor all pkce code into a single method (#860) (860bffc)
• remove data type (#848) (15c7c82)