Supabase Auth
Last verified 2026-04-06 · Reviewed by guptadeepak
Editorial verdict
Supabase Auth is the right CIAM choice for B2C apps and developer tools already on the Supabase platform. Auth integrates with PostgreSQL Row-Level Security in a way that no other CIAM matches, removing the need for a separate authz vendor for many use cases. The trade-off is a B2C-first product without first-class B2B Organizations or SAML; for B2B SaaS, look elsewhere. For greenfield Supabase-native apps, Supabase Auth is one of the strongest picks at low cost.
Last verified by @guptadeepak on 2026-04-06.
At a glance
- Best for: Apps already on Supabase platform that benefit from PostgreSQL + Auth + RLS integration
- Pricing: tiered-mau
- Free tier: 50,000 MAU
- Deployment: cloud-saas, self-hosted
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: Yes
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $544M
- Latest round: Growth · $100M · 2025
- Years in business: 6 yrs
- Round led by: Accel
- Profitable: Not disclosed
Auth is one module of the open-source Postgres platform Supabase, which raised $100M at a $5B valuation in Oct 2025.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Bundled with the PostgreSQL platform: Auth integrates with Row-Level Security policies for fine-grained data access without a separate authz vendor.
- Apache 2.0 self-hosted GoTrue (the underlying Auth service), full OSS optionality.
- Generous free tier and predictable platform pricing across the bundle.
- Excellent docs and a rapidly-growing community across the broader Supabase ecosystem.
Limitations
- B2C-first, no first-class Organizations, weak SAML / OIDC, no SCIM.
- Tied to PostgreSQL: Auth on Supabase requires Supabase's Postgres, not arbitrary databases.
- No native FGA, no adaptive MFA, no managed bot defense.
- Compliance footprint is solid for B2B SaaS but lacks FedRAMP and PCI DSS direct attestation.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Supabase Auth |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Partial |
| OIDC SSO | Partial |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Partial |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |

| Capability | Supabase Auth |
|---|---|
| RBAC | Partial |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Yes |

| Capability | Supabase Auth |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | No |
| Multi-tenancy | Partial |

| Capability | Supabase Auth |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, vue, svelte, flutter, ios, swift, android, kotlin, python, go, dart |
| CLI | Yes |
| Terraform provider | Yes |
| Local emulator | Yes |
| Extension model | PostgreSQL Row-Level Security + Edge Functions for Auth Hooks |

| Capability | Supabase Auth |
|---|---|
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |

| Capability | Supabase Auth |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Supabase Auth |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | Yes |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Supabase Auth |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| MAU band | Estimated monthly cost |
|---|---|
| 10,000 MAU | $25/mo |
| 100,000 MAU | $100/mo |
| 500,000 MAU | $600/mo |
| 1,000,000 MAU | $1,500/mo |
- Auth is bundled with the Supabase platform: Postgres + Auth + Realtime + Storage in one
- Free tier covers 50k MAU on Auth
- Self-hosted GoTrue (the Auth service) is Apache 2.0, free at any scale
- Auth is part of broader Supabase platform pricing rather than separately metered
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Apps already on Supabase platform that benefit from PostgreSQL + Auth + RLS integration
- B2C consumer apps and developer-tools at the 10k–500k MAU range
- Teams that want OSS GoTrue self-host with Postgres-native authz patterns
Not for
- B2B SaaS needing Organizations / SCIM / Enterprise SSO
- Workloads requiring FedRAMP or PCI DSS
- Apps with complex authorization needing FGA at scale
FAQ
- What is GoTrue?
- GoTrue is the underlying Apache 2.0-licensed Auth service that powers Supabase Auth. It's a Go-based JWT-issuing server that originated as a Netlify project, forked and developed further by Supabase. Self-hosting GoTrue is unrestricted; Supabase Cloud runs it as part of the platform.
- How does Supabase Auth integrate with PostgreSQL Row-Level Security?
- JWT claims issued by Supabase Auth are accessible inside PostgreSQL RLS policies (via auth.uid() and auth.jwt()), which means data access can be authorized at the database level using the authenticated user's identity. This composes auth and authz in a way that no other CIAM in this index matches as natively.
- Can I use Supabase Auth without the rest of Supabase?
- Yes via self-hosted GoTrue, but you lose the PostgreSQL RLS integration that is the main differentiator. Most teams that pick Supabase Auth do so as part of choosing the broader Supabase platform.
Sources
- Supabase Auth documentation, accessed 2026-04-22
- Supabase pricing, accessed 2026-04-22
- GoTrue (Supabase Auth) GitHub, accessed 2026-04-22
What Supabase Auth is
Supabase Auth (originally GoTrue, forked from Netlify) is the auth component of the Supabase platform, a PostgreSQL-centric backend-as-a-service launched in 2020. The differentiator is integration with PostgreSQL Row-Level Security: JWT claims issued by Auth are accessible inside database policies, which means authorization decisions can happen at the database layer using the authenticated user's identity. This composition is unique in the index.
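The RLS composition described in the FAQ above and in this section is easiest to see in a concrete policy. The following is an added worked example, not code from the page or from the Supabase project: it assumes a constructed `public.documents` table, two illustrative policy names, and a convention of storing a staff role under the JWT's `app_metadata` (an assumption for illustration, not a Supabase default). `auth.users`, `auth.uid()`, `auth.jwt()`, the `authenticated` Postgres role and the `request.jwt.claims` setting are real Supabase identifiers.

```sql
-- Added example (not Supabase's own code). Assumed: the public.documents
-- table, the policy names, and the app_metadata.role convention.

create table public.documents (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id) on delete cascade,
  body     text not null
);

-- Without this line a table in the API-exposed schema is fully readable
-- by any caller holding the anon key; enable RLS before adding policies.
alter table public.documents enable row level security;

-- Identity-based policy: auth.uid() is the "sub" claim of the verified JWT.
-- Wrapping it in a subselect lets Postgres evaluate it once per statement
-- rather than once per candidate row.
create policy "owners read own documents"
  on public.documents
  for select
  to authenticated
  using ((select auth.uid()) = owner_id);

create policy "owners insert own documents"
  on public.documents
  for insert
  to authenticated
  with check ((select auth.uid()) = owner_id);

-- Claim-based policy: auth.jwt() returns the full claim set as jsonb.
-- Only app_metadata is trustworthy for authorization; user_metadata is
-- editable by the end user through the client SDK and must never gate access.
create policy "support staff read all documents"
  on public.documents
  for select
  to authenticated
  using ((select auth.jwt() -> 'app_metadata' ->> 'role') = 'support');

-- Exercising the policies locally: the API layer sets request.jwt.claims from
-- the verified token. Setting it by hand inside a transaction simulates one
-- request from a constructed user id, so the policy can be tested in SQL.
begin;
  set local role authenticated;
  select set_config(
    'request.jwt.claims',
    '{"sub": "00000000-0000-0000-0000-000000000001",
      "role": "authenticated",
      "app_metadata": {}}',
    true
  );
  -- Only rows whose owner_id equals the constructed sub are returned.
  select id, body from public.documents;
rollback;
```

Two points worth keeping in mind when relying on this pattern as the authz layer: the `service_role` key bypasses RLS entirely, so it belongs only in server-side code, and every table in an API-exposed schema needs RLS enabled or it is readable regardless of the policies on its neighbours.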
Where Supabase Auth wins
PostgreSQL RLS integration removes the need for a separate authz layer for many use cases. GoTrue is Apache 2.0 and self-hostable. The free tier is generous as part of the broader platform. Docs are excellent and the community across the Supabase ecosystem is large.
Where Supabase Auth hurts
B2C-first by design: no first-class Organizations, weak SAML, no SCIM. Tied to PostgreSQL: Supabase Auth assumes Postgres. The compliance footprint lacks FedRAMP and PCI DSS. For B2B SaaS or for enterprise federation, look elsewhere.
How Supabase Auth compares
The closest comparisons are Firebase Auth vs Supabase Auth, Auth0 vs Supabase Auth, and Supabase Auth vs Clerk. For OSS without the Postgres requirement, SuperTokens, BetterAuth, and Hanko are alternatives.
Editorial changelog (1 entry)
Editorial review: capability matrix and TCO bands confirmed against the latest vendor documentation.
