Why the fuck did Supabase break `auth-helpers`?

Because they decided Next.js 13 App Router was the future and [the old package couldn't handle Server Components](https://supabase.com/docs/guides/auth/server-side/migrating-to-ssr-from-auth-helpers). Instead of fixing it gradually, they deprecated it and launched [`@supabase/ssr`](https://supabase.com/docs/guides/auth/server-side/nextjs) which has its own set of problems.The migration was painful. I had to rewrite auth in 3 different apps because the new patterns are completely different.

`getUser()` vs `getSession()` - what's the difference?

`getUser()` hits the Supabase API to verify your token. `getSession()` trusts whatever's in localStorage/cookies.Use `getUser()` in Server Components because it's actually secure. Use `getSession()` in Client Components when you need the data immediately without a network request.But here's the catch: `getUser()` is slower and fails when Supabase has issues. I've had production outages because `getUser()` was timing out.

My auth state is fucked between server and client components

Yeah, this is the worst part. Server Components see different auth state than Client Components because they run at different times with different cookie values.The middleware is supposed to sync them, but it doesn't always work. I've had cases where:- Server renders "logged in" user- Client hydrates and sees "logged out"- UI flickers between statesThe "solution" is to always handle loading states and never trust that server/client auth will match.

Why is my middleware running on CSS files?

Because you copied the matcher config from the docs without reading it. The default pattern runs on ALL requests. Your CSS is slow because every stylesheet is running auth checks.Fix your `middleware.ts`: ```typescript export const config = { matcher: [ '/((?!_next/static|_next/image|favicon.ico|.*\.(css|js|ico|svg|png)$).*),' ], } ```

Google OAuth doesn't work, what's broken?

Probably your redirect URI. Google is picky about exact matches. In your [Supabase dashboard](https://supabase.com/dashboard/project/_/auth/providers), the authorized redirect URI must exactly match what you're using: ```typescript const { error } = await supabase.auth.signInWithOAuth({ provider: 'google', options: { redirectTo: 'https://yourapp.com/auth/callback' // Must be exact } }) ``` Also, check your Google Console - the consent screen might be in "Testing" mode which only allows specific users.

Should I use Server Actions or API routes for auth?

Server Actions for forms (login/signup). They handle CSRF automatically and work without JavaScript.API routes for everything else - webhooks, mobile app auth, third-party integrations. They're more flexible but you have to handle security yourself.Don't overthink it. Server Actions are simpler 90% of the time.

My API routes are returning 401 for logged-in users

Your server client is probably broken. Copy this and it'll work: ```typescript // app/api/protected/route.ts import { createClient } from '@/utils/supabase/server' import { NextResponse } from 'next/server' export async function GET() { const supabase = await createClient() const { data: { user }, error } = await supabase.auth.getUser() if (error || !user) { return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) } return NextResponse.json({ data: 'it works' }) } ``` Make sure your server client utility uses `cookies()` correctly. The examples in earlier versions of the docs were wrong.

Email confirmation is broken in production

Your email template is probably still using the old confirmation URL format. Go to your [Supabase auth templates](https://supabase.com/dashboard/project/_/auth/templates) and change: ``` {{ .ConfirmationURL }} ``` to: ``` {{ .SiteURL }}/auth/confirm?token_hash={{ .TokenHash }}&type=email ``` Then create the `/auth/confirm` route handler. The old `ConfirmationURL` doesn't work with the new SSR package.

Hydration errors are making me lose my mind

This happens when the server thinks the user is logged in but the client doesn't (or vice versa). Never show user data in Server Components if you care about your sanity.Always use Client Components with loading states: ```typescript 'use client' export function UserProfile() { const [user, setUser] = useState(null) const [loading, setLoading] = useState(true) useEffect(() => { getUser().then(setUser).finally(() => setLoading(false)) }, []) if (loading) return Loading... return user ? Hi {user.email} : Not logged in } ```

My auth randomly stops working in production

This is usually because: 1. Supabase is having API issues (check their status page) 2. Your middleware is timing out on the Edge Runtime 3. Clock drift between your server and Supabase's servers 4. Someone changed the JWT secret and didn't tell you Add error logging to your middleware to figure out which one it is.

How do I add user roles/permissions?

Create a `profiles` table and use [Row Level Security](https://supabase.com/docs/guides/auth/row-level-security). Don't try to be clever with JWT claims - just query the database: ```sql CREATE TABLE profiles ( id UUID REFERENCES auth.users(id), role TEXT DEFAULT 'user' ); CREATE POLICY "Users see own profile" ON profiles FOR SELECT USING (auth.uid() = id); CREATE POLICY "Admins see everything" ON profiles FOR SELECT USING ( (SELECT role FROM profiles WHERE id = auth.uid()) = 'admin' ); ``` This scales better than shoving roles into JWT tokens.

Real-time subscriptions aren't receiving updates for logged-in users

The real-time connection uses the same JWT as your regular auth, so RLS policies apply. If users can't see the data in a regular query, they won't get real-time updates either.Check your RLS policies first: ```typescript 'use client' useEffect(() => { const supabase = createClient() const channel = supabase .channel('changes') .on('postgres_changes', { event: '*', schema: 'public', table: 'your_table' }, (payload) => console.log('Got update:', payload) ) .subscribe() return () => supabase.removeChannel(channel) }, []) ```

Should I use the Supabase CLI for local development?

Yes, but it's a pain in the ass to set up. Run `supabase start` and it spins up Docker containers for Postgres, Auth, and the API.It works well once configured, but the initial setup is tedious and the containers use a lot of RAM. For simple auth testing, just use your cloud instance.

Currently viewing the AI version

Switch to human version

Supabase Next.js 13+ Server-Side Auth: AI-Optimized Technical Reference

Critical Context & Failure Scenarios

Breaking Changes & Migration Reality

@supabase/auth-helpers deprecated with no working migration path
@supabase/ssr replacement has incomplete documentation and broken examples
Production failures occur during Supabase API outages when getUser() times out
Silent middleware failures cause random user logouts with no error messages
Hydration mismatches happen when server/client auth states diverge

Severity Indicators

Critical: Random logouts in production (affects all users)
High: Middleware timeout during Supabase incidents (2-3 hour outages reported)
Medium: CSS/JS files running through auth middleware (performance degradation)
Low: Development vs production cookie behavior differences

Technical Specifications with Context

Version Requirements

Next.js 14.0.3+ required - versions below 13.5.6 have broken cookie handling

Pin package versions to avoid breaking changes:

@supabase/supabase-js@2.39.3
@supabase/ssr@0.0.10

Performance Thresholds

Middleware timeout: Edge Runtime has strict timeouts, fails during Supabase API slowness
Authenticated route caching: Cannot cache user-specific content, negates SSR performance benefits
Real-time connection limits: WebSocket connections fail in Server Components
UI performance: Hydration errors cause loading flickers and poor UX

Configuration That Works in Production

Environment Setup

# .env.local (NOT .env - Next.js won't load them)
NEXT_PUBLIC_SUPABASE_URL=https://project-id.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...

Dual Client Architecture (Required)

// Browser Client (utils/supabase/client.ts)
import { createBrowserClient } from '@supabase/ssr'
export function createClient() {
  return createBrowserClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
  )
}

// Server Client (utils/supabase/server.ts)
import { createServerClient } from '@supabase/ssr'
import { cookies } from 'next/headers'
export async function createClient() {
  const cookieStore = await cookies()
  return createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll: () => cookieStore.getAll(),
        setAll: (cookiesToSet) => {
          try {
            cookiesToSet.forEach(({ name, value, options }) =>
              cookieStore.set(name, value, options)
            )
          } catch {
            // Server Components can't write cookies - middleware handles refresh
          }
        },
      },
    }
  )
}

Critical Middleware Configuration

// middleware.ts
export const config = {
  matcher: [
    // CRITICAL: Exclude static files or CSS will run through auth
    '/((?!_next/static|_next/image|favicon.ico|.*\\.(svg|png|jpg|jpeg|gif|webp|css|js|ico)$).*)',
  ],
}

Security Implementation

Authentication Method Comparison

Method	Security Level	Performance Impact	Failure Mode
`getUser()`	High (API verified)	Slow + API dependent	Timeouts during outages
`getSession()`	Low (localStorage trust)	Fast	XSS vulnerability
Recommendation	Use `getUser()` with fallback handling	Cache results	Monitor Supabase status

Row Level Security (RLS) Requirements

-- Essential RLS pattern for user isolation
CREATE POLICY "users_own_data" ON profiles
  FOR ALL USING (auth.uid() = id);

-- Admin access pattern
CREATE POLICY "admin_access" ON profiles  
  FOR ALL USING (
    (SELECT role FROM profiles WHERE id = auth.uid()) = 'admin'
  );

Common Failure Modes & Solutions

Middleware Failures

Symptoms: Random logouts, silent failures, 401 errors on authenticated requests
Root Causes:

Edge Runtime timeouts during Supabase API slowness
Cookie serialization inconsistencies between dev/prod
Headers already sent errors when setting cookies after response streaming

Solution Pattern:

// Graceful error handling in middleware
const { data: { user }, error } = await supabase.auth.getUser()
if (error) {
  console.error('Auth check failed:', error.message)
  // Don't redirect on API errors - let app handle gracefully
  return supabaseResponse
}

Hydration Mismatches

Symptoms: UI flickers between logged in/out states
Root Causes:

Server renders with different auth state than client hydration
Token expiry between server render and client hydration
Clock drift between environments

Solution Pattern: Always use loading states in Client Components

const [user, setUser] = useState(null)
const [loading, setLoading] = useState(true)
// Never show user data without loading state

OAuth Redirect Issues

Symptoms: Google/GitHub auth fails, redirect loops
Root Causes: Mismatched redirect URIs, testing mode restrictions
Solution: Exact URI matching in Supabase dashboard and Google Console

Resource Requirements & Time Investment

Implementation Complexity

Basic auth setup: 4-6 hours (if following exact patterns)
OAuth providers: Additional 2-3 hours per provider
Real-time features: Additional 8-12 hours (Client Component complexity)
Production debugging: 6+ hours when things break (silent failures common)

Expertise Requirements

Essential: Understanding of Next.js App Router, Server vs Client Components
Critical: Cookie handling, middleware execution order, Edge Runtime limitations
Advanced: RLS policy design, JWT security, production monitoring

Hidden Costs

Monitoring setup: Essential for catching silent middleware failures
Error tracking: Middleware errors hide in function logs, not application logs
Performance monitoring: Auth checks add latency to every request
Maintenance burden: Breaking changes in Supabase packages require migration

Decision Criteria & Trade-offs

When to Use This Pattern

✅ Worth it for: Apps requiring server-side rendering with auth, real-time features, complex permissions
✅ Good for: Teams comfortable with Next.js App Router complexity
✅ Suitable when: Can invest in proper monitoring and error handling

When to Avoid

❌ Skip if: Simple auth needs (consider Clerk, Auth0)
❌ Avoid when: Team lacks Next.js 13+ App Router experience
❌ Wrong choice for: Apps requiring 100% uptime (dependent on Supabase API availability)

Alternative Comparison

Option	Setup Time	Maintenance	Vendor Lock-in	Cost
Supabase + Next.js	High	High	High	Low
Clerk	Low	Low	High	Medium
Auth0	Medium	Low	High	High
Custom JWT	Very High	Very High	None	Low

Production Checklist

Pre-deployment Requirements

Pin package versions to avoid breaking changes
Configure middleware exclusions for static assets
Set up error monitoring for middleware failures
Test auth during Supabase API slowness
Verify RLS policies prevent unauthorized access
Test OAuth redirects in production environment
Configure email templates with correct URLs

Monitoring & Alerts

Function logs monitoring for middleware errors
Supabase status page alerts
Auth failure rate tracking
Performance monitoring for auth-related slowness
Cookie serialization error detection

Break-glass Procedures

Fallback auth method during Supabase outages
User notification system for auth issues
Manual token refresh capabilities
Emergency access patterns for critical operations

Critical Warnings

What Documentation Doesn't Tell You

Middleware runs on every request including CSS/JS if not properly configured
Server Components cannot write cookies creating sync issues with client state
Edge Runtime has strict timeouts causing auth failures during API slowness
Cookie size limits can cause silent failures with large JWT tokens
Development vs production cookie behavior differs significantly

Breaking Points

1000+ concurrent users: Middleware becomes bottleneck
Large JWT tokens: Cookie size limits cause failures
Complex RLS policies: Database performance degrades
Multiple OAuth providers: Redirect URI management becomes complex
Real-time subscriptions: Memory usage increases significantly

"This Will Break If" Warnings

Supabase has API outages (happens regularly)
Next.js updates change cookie handling (has happened before)
You don't exclude static assets from middleware (performance killer)
Clock drift between server and Supabase exceeds token tolerance
You trust getSession() for security decisions (XSS vulnerability)

This implementation pattern works for production applications but requires significant expertise investment and robust error handling to manage the inherent complexity and failure modes.

Useful Links for Further Investigation

Useful Links (And Which Ones Are Actually Good)

Link	Description
Supabase Next.js SSR Guide	Actually useful, but the examples are too simple. Missing real-world error handling.
Next.js Middleware Docs	Decent reference, but doesn't explain why your cookies stop working randomly.
Supabase Auth API Reference	Good for when you need to know the exact parameters. Dry as hell but accurate.
RLS Policies Guide	Essential reading. RLS is the only thing standing between you and a data breach.
Supabase User Management Example	Good starting point if you ignore the outdated auth patterns that don't work anymore. The profile update logic is useful to copy.
Vercel Subscription Payments	Solid template if you need Stripe integration. The auth flow is well-implemented.
Next.js SaaS Starter	Lee Robinson's template. Clean code, good patterns, actually works in production.
Migration Examples	Essential if you're stuck on auth-helpers. The before/after comparisons are helpful.
Supabase Discord	Active community with real-time help from core team and developers. Best place for quick auth debugging.
GitHub Issues	Where to complain when things break. Search before posting - your bug is probably already reported.
Supabase Community Forum	GitHub discussions for longer-form questions and feature requests.
Stack Overflow	Hit or miss. Lots of outdated answers for auth-helpers. Sort by newest.
Vercel + Supabase	Works out of the box. Environment variables sync automatically. Just make sure your redirect URLs are correct.
Railway + Supabase	Cheaper alternative to Vercel. Deployment is less polished but functional.
Docker Deployment	For when you want full control. Setup is annoying but you own everything.
RLS Policies Examples	Copy these patterns. Don't try to be creative with security.
Common Auth Vulnerabilities	OWASP top 10. Read it, implement the fixes.
JWT Security	Deep dive into JWT security. More than you need but good to understand.
Supabase CLI	Useful for local development and migrations. The Docker setup uses a lot of RAM but works well once configured.
Browser DevTools	Learn to inspect cookies and local storage. Half your auth bugs will be cookie issues.
Postman/Insomnia	For testing your API routes. Auth headers can be tricky to get right.
Supabase Status Page	Check here first when auth randomly stops working. Supabase has outages more often than they admit.
Vercel Function Logs	Essential for debugging middleware issues in production. Edge runtime errors are hard to catch otherwise.
Next.js Debugging Guide	Watch your auth requests. Failed token refreshes show up here first.
Social Login with OAuth	For enterprise SSO. More complex than it looks.
Multi-tenant with RLS	RLS policies get complex fast. Start simple.
Auth API Reference	Track login patterns and user behavior. Useful for product decisions.

Supabase Next.js 13+ Server-Side Auth: AI-Optimized Technical Reference

Critical Context & Failure Scenarios

Breaking Changes & Migration Reality

Severity Indicators

Technical Specifications with Context

Version Requirements

Performance Thresholds

Configuration That Works in Production

Environment Setup

Dual Client Architecture (Required)

Critical Middleware Configuration

Security Implementation

Authentication Method Comparison

Row Level Security (RLS) Requirements

Common Failure Modes & Solutions

Middleware Failures

Hydration Mismatches

OAuth Redirect Issues

Resource Requirements & Time Investment

Implementation Complexity

Expertise Requirements

Hidden Costs

Decision Criteria & Trade-offs

When to Use This Pattern

When to Avoid

Alternative Comparison

Production Checklist

Pre-deployment Requirements

Monitoring & Alerts

Break-glass Procedures

Critical Warnings

What Documentation Doesn't Tell You

Breaking Points

"This Will Break If" Warnings

Useful Links for Further Investigation

Useful Links (And Which Ones Are Actually Good)

Related Tools & Recommendations

Supabase vs Firebase vs Appwrite vs PocketBase - Which Backend Won't Fuck You Over

Framework Wars Survivor Guide: Next.js, Nuxt, SvelteKit, Remix vs Gatsby

Building a SaaS That Actually Scales: Next.js 15 + Supabase + Stripe

Migrating CRA Tests from Jest to Vitest

Vite + React 19 + TypeScript + ESLint 9: Actually Fast Development (When It Works)

Remix vs SvelteKit vs Next.js: Which One Breaks Less

Firebase Started Eating Our Money, So We Switched to Supabase

Firebase - Google's Backend Service for When You Don't Want to Deal with Servers

Prisma Cloud - Cloud Security That Actually Catches Real Threats

Prisma - TypeScript ORM That Actually Works

Ditch Prisma: Alternatives That Actually Work in Production

Vercel + Supabase + Clerk: How to Deploy Without Everything Breaking

I Spent a Weekend Integrating Clerk + Supabase + Next.js (So You Don't Have To)

Clerk - Auth That Actually Fucking Works

Vercel - Deploy Next.js Apps That Actually Work

Major npm Supply Chain Attack Hits 18 Popular Packages

Vercel's Billing Will Surprise You - Here's What Actually Costs Money

Create React App is Dead

Stop Migrating Your Broken CRA App

Migrating from Node.js to Bun Without Losing Your Sanity