Skill

auth

Supabase authentication flows in Next.js App Router. Use when building signup, login, logout, password reset, OAuth, or protected routes.

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/saas-toolkit:auth

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

ReadWriteEditGrepGlobBashWebSearchWebFetchmcp__supabase

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Implement Supabase authentication for Next.js App Router using `@supabase/ssr`.

SKILL.md

219 lines · ~1.4k tokens

Stats

Parent stars0

MaintenanceGood

Last CommitMar 4, 2026

Actions

View Source View Plugin View on GitHub View README

Stats

Actions

/auth — Supabase Auth for Next.js

Implement Supabase authentication for Next.js App Router using @supabase/ssr.

Setup

1. Install dependencies

npm install @supabase/supabase-js @supabase/ssr

2. Environment variables

NEXT_PUBLIC_SUPABASE_URL=your-project-url
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key

3. Create Supabase clients

Server client (lib/supabase/server.ts):

import { createServerClient } from '@supabase/ssr';
import { cookies } from 'next/headers';

export async function createClient() {
  const cookieStore = await cookies();
  return createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll() { return cookieStore.getAll(); },
        setAll(cookiesToSet) {
          cookiesToSet.forEach(({ name, value, options }) =>
            cookieStore.set(name, value, options)
          );
        },
      },
    }
  );
}

Browser client (lib/supabase/client.ts):

import { createBrowserClient } from '@supabase/ssr';

export function createClient() {
  return createBrowserClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
  );
}

Middleware client (lib/supabase/middleware.ts):

import { createServerClient } from '@supabase/ssr';
import { NextResponse, type NextRequest } from 'next/server';

export async function updateSession(request: NextRequest) {
  let supabaseResponse = NextResponse.next({ request });

  const supabase = createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll() { return request.cookies.getAll(); },
        setAll(cookiesToSet) {
          cookiesToSet.forEach(({ name, value }) =>
            request.cookies.set(name, value)
          );
          supabaseResponse = NextResponse.next({ request });
          cookiesToSet.forEach(({ name, value, options }) =>
            supabaseResponse.cookies.set(name, value, options)
          );
        },
      },
    }
  );

  const { data: { user } } = await supabase.auth.getUser();

  if (!user && request.nextUrl.pathname.startsWith('/dashboard')) {
    const url = request.nextUrl.clone();
    url.pathname = '/login';
    return NextResponse.redirect(url);
  }

  return supabaseResponse;
}

4. Middleware auth guard

middleware.ts (project root):

import { updateSession } from '@/lib/supabase/middleware';
import type { NextRequest } from 'next/server';

export async function middleware(request: NextRequest) {
  return await updateSession(request);
}

export const config = {
  matcher: [
    '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
  ],
};

5. Protected route layout

app/(protected)/layout.tsx:

import { createClient } from '@/lib/supabase/server';
import { redirect } from 'next/navigation';

export default async function ProtectedLayout({ children }) {
  const supabase = await createClient();
  const { data: { user } } = await supabase.auth.getUser();

  if (!user) redirect('/login');

  return <>{children}</>;
}

Auth Flows

OAuth callback

app/auth/callback/route.ts:

import { createClient } from '@/lib/supabase/server';
import { NextResponse } from 'next/server';

export async function GET(request: Request) {
  const { searchParams, origin } = new URL(request.url);
  const code = searchParams.get('code');
  const next = searchParams.get('next') ?? '/dashboard';

  if (code) {
    const supabase = await createClient();
    const { error } = await supabase.auth.exchangeCodeForSession(code);
    if (!error) return NextResponse.redirect(`${origin}${next}`);
  }

  return NextResponse.redirect(`${origin}/auth/auth-code-error`);
}

Email/password signup (Server Action)

'use server';
import { createClient } from '@/lib/supabase/server';
import { redirect } from 'next/navigation';

export async function signup(formData: FormData) {
  const supabase = await createClient();
  const { error } = await supabase.auth.signUp({
    email: formData.get('email') as string,
    password: formData.get('password') as string,
  });
  if (error) return { error: error.message };
  redirect('/check-email');
}

Password reset

'use server';
import { createClient } from '@/lib/supabase/server';

export async function resetPassword(formData: FormData) {
  const supabase = await createClient();
  const { error } = await supabase.auth.resetPasswordForEmail(
    formData.get('email') as string,
    { redirectTo: `${process.env.NEXT_PUBLIC_SITE_URL}/auth/callback?next=/update-password` }
  );
  if (error) return { error: error.message };
  return { success: true };
}

Session management

Sessions are automatically refreshed by the middleware on every request
Always use getUser() (not getSession()) for auth checks — getUser() validates the JWT server-side
Sign out: await supabase.auth.signOut() then router.refresh()

Rules

NEVER use createClient from @supabase/supabase-js directly — always use @supabase/ssr
NEVER use getSession() for authorization checks — use getUser()
Always implement middleware for session refresh
Protect routes at the layout level, not per-page
Use Server Actions for auth mutations (signup, login, reset)

auth

Invocation

Tool Access

Context Preview

SKILL.md

auth

Invocation

Tool Access

Context Preview

SKILL.md

/auth — Supabase Auth for Next.js

Setup

1. Install dependencies

2. Environment variables

3. Create Supabase clients

4. Middleware auth guard

5. Protected route layout

Auth Flows

OAuth callback

Email/password signup (Server Action)

Password reset

Session management

Rules

Similar Skills

/auth — Supabase Auth for Next.js

Setup

1. Install dependencies

2. Environment variables

3. Create Supabase clients

4. Middleware auth guard

5. Protected route layout

Auth Flows

OAuth callback

Email/password signup (Server Action)

Password reset

Session management

Rules

Similar Skills