DEV Community

Cathy Lai

Login With Google via Supabase Auth: What Each Provider is Really Doing

Supabase, JWTs (JSON Web Token), and the “Clerk at the Door” Mental Model

Imagine this setup:

  • Google / Facebook = a government that checks passports
  • Your app members area = a private building the users want to enter
  • Supabase = the clerk at the front desk
  • JWT = a building access badge

Step 1: Identity Is External

When a user signs in with Google or Facebook, those companies are simply saying:

“Yes, this person is who they claim to be.”

That’s it. They know nothing about your app, its database rules, or its sessions. They only vouch for identity.

Step 2: Supabase Is the Clerk

This is where Supabase comes in.

Supabase acts like a clerk who:

  1. Completes the OAuth/OIDC flow with the provider (Google / Facebook) and verifies the identity it returns
  2. Trusts the issuing authority
  3. Registers the visitor in this building (creates or links a Supabase user)
  4. Issues a Supabase badge (a JWT signed with your project's signing key)
  5. Tracks when the badge expires (and refreshes it via the session's refresh token)
  6. Decides which rooms the visitor can access (Row Level Security policies evaluated against the token's claims, e.g. auth.uid())

This is the key insight:

Your app never directly trusts Google or Facebook.

It trusts Supabase.

Supabase trusts the external provider on your behalf.

Why the JWT Is the Star of the Show

Once Supabase issues a JWT:

  • Your app uses the same token everywhere
  • Your Supabase database enforces access via that token (RLS reads the claims, not the provider)
  • Your backend APIs trust that token, but only after verifying its signature, audience, and expiry
  • Your security rules stay consistent

The JWT becomes your app’s single source of truth for authentication.

And crucially:

The JWT's format, signing key, and core claims (sub, aud, exp, role) do NOT change when you change login providers; only the provider recorded in app_metadata does.

Why Adding Multiple Providers Is Suddenly Easy

This is the part that feels almost magical once the mental model clicks.

If you switch from:

  • Google → Facebook
  • or add Apple, GitHub, etc.

You are not changing your auth system. You are only changing:

Who Supabase asks to verify identity.

Everything else stays the same:

  • Same Supabase user (as long as the new provider's identity is linked to the existing user; Supabase links them automatically when the provider reports the same verified email, otherwise a separate user is created)
  • Same JWT format
  • Same database rules
  • Same backend logic

In code, the difference is often just:

// Sign in with the Supabase JS client; only the provider name changes
await supabase.auth.signInWithOAuth({ provider: "google" })
// vs
await supabase.auth.signInWithOAuth({ provider: "facebook" })

Architecturally, nothing breaks — because Supabase is the stable layer. It’s separation of concerns at a higher abstraction level:

  • External provider (Google, Facebook, etc): Who are you?
  • Supabase: What does that mean inside my system?
  • App: Here’s your badge — proceed.

Your App
   ↓
Supabase Auth
   ↓
[ Google | Facebook | Apple | GitHub ]
   ↓
Supabase issues JWT
   ↓
App + Database trust Supabase JWT

