Integrations and Connectors/Connectors/Setup Guides/External Token

Supabase Connector

You can integrate Descope with Supabase to continue using Supabase's services while replacing its authentication system with Descope Flows. This is especially useful if your application is already built on Supabase but you want to take advantage of Descope's flexible and secure authentication experience.

With this integration, Descope can return a Supabase-compatible token as part of the response returned after authenticating with flows, SDKs, or the API.

Supabase also supports using external SAML providers, however this is only available to Supabase Pro tiers and up. If you're using the Free tier with Supabase, the approach used in this doc is the recommended approach for you.

Configuring the Supabase Connector

Find the Supabase connector on the Connectors page of the Descope Console.

  • Connector Name: Provide a unique name for your connector. This assists in distinguishing it, especially when multiple connectors are derived from the same template.
  • Connector Description: Briefly explain the purpose of this connector.
  • Signing Secret: This is the JWT secret from your Supabase project. Read below on how to find this.
  • Expiration Time: Duration in minutes for which the external token is valid.

Supabase connector configuration screen

Getting the Signing Secret

Locating Supabase JWT signing secret

To find the Signing Secret for connector configuration, open your Supabase project and navigate to the project settings. Under the JWT Keys tab, reveal and copy the JWT secret, and then paste it into the Signing Secret input of the connector in Descope.

Enabling the Connector

Now that the connector is configured, it can be enabled under External Token in the Session Management section of your Descope Project Settings. Learn more about using external tokens, like those from Supabase, with Descope in our external tokens doc.

The external token generated by Supabase will be included in the authentication response at the end of your flows. Here is an example of a post authentication response with an external token included:

{
  "cookieDomain": "",
  "cookieExpiration": 0,
  "cookieMaxAge": 0,
  "cookiePath": "/",
  "externalToken": "SUPABASE_TOKEN",
  "firstSeen": false,
  "idpResponse": null,
  "refreshJwt": "DESCOPE_REFRESH_TOKEN",
  "sessionExpiration": 1750879215,
  "sessionJwt": "DESCOPE_SESSION_TOKEN",
  "user": {}
}

This external token contains the expiration time for the token and the ID of the authenticated user in Descope:

{
  "sub": "DESCOPE_USER_ID",
  "exp": 1752785069
}

Using the Token

The token is accessible after authenticating with Descope using any method, and can be used when creating a Supabase client as a Authorization Bearer token:

createClient(
    SUPABASE_PROJECT_URL,
    SUPABASE_PROJECT_ANON_KEY,
    {
        global: {
            headers: {
                Authorization: `Bearer ${externalToken}`
            }
        }
    }
);

This approach does not create a new user record in Supabase. Instead, it leverages Descope-managed user details to apply fine-grained control over user permissions. You can use Descope to handle authentication while continuing to use Supabase features—such as database, storage, and real-time services—and enforce Supabase’s authorization rules to manage user access.

Was this helpful?

Generic Token

Use Descope's Generic Token Connector to generate an external token whenever authenticating

AbuseIPDB

Leverage Descope's AbuseIPDB connector to establish a reputation-based score on a user's originating IP address

On this page