If you're building an MVP with Supabase + React Native, choosing the right authentication flow is critical. The easiest path is to use Supabase Auth with Google / Apple OAuth, which reduces friction and avoids building your own password system.
π Overview of the Supabase Auth Setup
Your MVP typically has 3 main components:
- Mobile App (React Native / Expo)
- Supabase Auth + Database (Postgres)
- Optional : Your own backend server (used if you want custom business logic)
Supabase handles OAuth (Google/Apple/Facebook), issues JWTs, and applies Row Level Security (RLS).
π¦ Step-by-Step: How the Login Flow Works
1. App Starts β Check Existing Session
When the app launches:
const { data: session } = await supabase.auth.getSession();
- If session exists (with a valid JWT) β user goes straight in.
- If not β show login screen.
2. User Taps βSign in with Google/Appleβ
await supabase.auth.signInWithOAuth({
provider: "google",
options: { redirectTo: "your://callback" }
});
This opens the providerβs login UI.
3. Provider Login
The user enters credentials with Google or Apple.
4. Provider Returns an Authorization Code
Important:
This code is not the JWT.
It is a temporary βticketβ that must be exchanged.
5. Supabase Exchanges That Code for a Session Object
Supabase securely calls Google/Apple:
POST https://oauth2.googleapis.com/token
β returns: id_token, access_token, refresh_token
Supabase then creates a session object:
{
"access_token": "<JWT>",
"refresh_token": "<long-lived token>",
"user": { "id": "uuid", "email": "..." }
}
βοΈ The access_token is the JWT.
βοΈ This is what your app will use for all authenticated actions.
6. Session Is Returned to Your App
The Supabase client stores and manages it.
π Token Refresh Flow (Handled Automatically)
- The access_token (JWT) expires quickly.
- The refresh_token silently fetches a new JWT.
- Supabase handles this behind the scenes.
π₯οΈ Optional : Your Own Backend API
If your app calls a custom backend:
- The app sends requests with:
Authorization: Bearer <access_token>
- Your backend verifies the Supabase JWT.
- Your backend runs custom logic and may call Supabase DB with a service role.
π‘ ASCII Diagram of the Full Flow
ββββββββββββββββββββββ
β Mobile App (RN) β
β MyNextHome / MVP β
ββββββββββ¬ββββββββββββ
β
β 1. App start: check existing session
β
βΌ
ββββββββββββββββββββββββββββββ
β No session? Show Login β
β [Continue with Google] β
β [Continue with Apple] β
ββββββββββ¬ββββββββββββββββββββ
β
β 2. User taps "Google"
β
βΌ
ββββββββββββββββββββββββββββββββ
β Supabase Auth β
βββββββββββββ¬βββββββββββββββββββ
β 3. Redirect to provider
βΌ
βββββββββββββββββββββββββββββββββ
β Google / Apple / Facebook β
βββββββββββββ¬ββββββββββββββββββββ
β 4. User authenticates
βΌ
ββββββββββββββββββββββββββββββββ
β Supabase Auth β
β 5. Exchange code β session β
β Returns: access_token(JWT) β
βββββββββββββ¬βββββββββββββββββββ
β 6. Session back to app
βΌ
ββββββββββββββββββββββ
β Mobile App (RN) β
β Stores session β
βββββββββ¬βββββββββββββ
β
βββββββββββββββββββββΌββββββββββββββββββββββββββ
β β β
β 7a. Direct DB β 7b. Custom Backend β
β queries β calls β
βΌ βΌ βΌ
ββββββββββββββββββ βββββββββββββββββββ (optional)
β Supabase DB β β Your Backend βββββββββββββββ
β + RLS β β API Server β β
βββββββ¬βββββββββββ ββββββββ¬βββββββββββ β
β Uses JWT (auth.uid())β Validates JWT β
βΌ βΌ βΌ
Only user's data Business logic External APIs
β Summary
- OAuth β Provider returns authorization code
- Supabase exchanges the code β creates session (with JWT)
- App stores session β uses JWT for DB and backend access
- Token refresh is automatic
This flow is ideal for an MVP because itβs simple, secure, and frictionless.
Top comments (0)