Authentication

​

What This Auth System Does

• a login page at /auth
• magic link sign-in
• optional Google OAuth sign-in
• session handling
• redirects into the signed-in app

• /auth for the sign-in page
• /auth/confirm for the callback
• /auth/complete for the post-auth handoff
• /api/auth for magic link initiation
• /api/auth/google for Google sign-in initiation

​

Minimum Auth Setup

NEXT_PUBLIC_SUPABASE_URL=...
NEXT_PUBLIC_SUPABASE_ANON_KEY=...
NEXT_SUPABASE_SERVICE_KEY=...
NEXT_PUBLIC_APP_URL=http://localhost:3000

​

Magic Link Setup

1. Open Authentication -> URL Configuration
2. Set Site URL to http://localhost:3000
3. Add http://localhost:3000/auth/confirm as a redirect URL
4. Add your production domain and https://yourdomain.com/auth/confirm too
5. Make sure email sign-in is enabled

​

Google OAuth Setup

1. Create Google OAuth credentials in Google Cloud
2. Open Supabase Authentication -> Providers
3. Enable Google
4. Paste your Google client ID and secret into Supabase
5. Keep the same callback URL pattern based on /auth/confirm

​

What Happens When A User Signs In

1. the user starts on /auth
2. Supabase sends them through the login flow
3. Supabase returns to /auth/confirm
4. the app exchanges the code for a session
5. the app sends the user into the signed-in area

​

Verification Checklist

• magic link emails arrive
• clicking the link signs you in
• Google sign-in works if you enabled it
• /home loads without bouncing back to /auth

​

Common Mistakes

• wrong Supabase Site URL
• missing /auth/confirm redirect URL
• wrong Google OAuth credentials
• editing env vars without restarting the app