The latest articles on DEV Community by Shipstack (@shipstack_). https://dev.to/shipstack_ https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4005876%2F0a93f68a-e19c-4c21-a082-dd7e316144e5.png https://dev.to/shipstack_ en Shipstack Sat, 27 Jun 2026 23:13:55 +0000 https://dev.to/shipstack_/how-to-share-supabase-auth-between-nextjs-and-expo-one-client-both-platforms-bp1 https://dev.to/shipstack_/how-to-share-supabase-auth-between-nextjs-and-expo-one-client-both-platforms-bp1 <p>Most teams building a web + mobile product end up with two auth integrations that slowly drift apart. You don't need that. Here's how to run a single Supabase auth layer across a Next.js web app and an Expo mobile app in a monorepo — including the gotchas nobody warns you about.</p> <h2> 1. Keep the Supabase client framework-agnostic </h2> <p>Depend only on <code>@supabase/supabase-js</code>. Expose a factory that takes the storage adapter as an argument:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>export function createSupabaseClient({ url, anonKey, storage, detectSessionInUrl }) { return createClient(url, anonKey, { auth: { storage, autoRefreshToken: true, persistSession: true, detectSessionInUrl }, }); } </code></pre> </div> <p>Web uses default browser storage; mobile passes <code>AsyncStorage</code>. Same client, same auth helpers, same session context everywhere.</p> <h2> 2. Reference env vars literally </h2> <p>Next and Expo only inline <strong>literal</strong> <code>process.env.NEXT_PUBLIC_X</code> / <code>EXPO_PUBLIC_X</code> accesses. A dynamic <code>process.env[key]</code> is <code>undefined</code> in the bundle. Pass the literals into the factory from each app.</p> <h2> 3. Authenticate API routes with a Bearer token, not cookies </h2> <p>Cookie sessions are awkward to share with a mobile app. Instead, send the access token from the client session and validate it server-side:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const token = req.headers.get('Authorization')?.replace('Bearer ', ''); const { data } = await admin.auth.getUser(token); </code></pre> </div> <p>Identical from web <code>fetch</code> and from the mobile app.</p> <h2> 4. The monorepo gotchas </h2> <ul> <li> <strong>One React version</strong> across the workspace (Expo pins it) — mixing breaks shared components.</li> <li> <strong><code>node-linker=hoisted</code></strong> so pnpm's symlinks don't trip Metro.</li> <li>A <strong><code>metro.config.js</code></strong> that adds the workspace root to <code>watchFolders</code> and <code>nodeModulesPaths</code>.</li> </ul> <h2> 5. Keep billing server-authoritative </h2> <p>Let clients <em>read</em> their subscription (RLS, select-own) but never write it. The Stripe webhook (service role) is the only writer. No trust placed in the client.</p> <h2> Close </h2> <p>That's the whole pattern: a portable client, token-based route auth, and a monorepo that respects Metro's quirks. I packaged it (plus Stripe, push, RLS, docs) into a starter kit called <strong>Shipstack</strong> if you'd rather not wire it yourself — <a href="https://4426308762925.gumroad.com/l/shipstack" rel="noopener noreferrer">you can grab it here</a>. But the patterns above are yours to use either way.</p> nestjs reactnative supabase typescript