GoTrue - Supabase's Auth Server

Currently viewing the human version

What is GoTrue?

GoTrue is the auth server that powers Supabase. It handles user registration, login, JWT tokens, and session management. Originally built by Netlify, now maintained by Supabase. You can find the complete API documentation and self-hosting guide in their docs.

Here's the real shit: it works well with PostgreSQL's Row Level Security, which is actually useful unlike most auth integrations that require you to roll your own access control.

What GoTrue Actually Does

JWT Token Handling: Issues standard JWT tokens that don't randomly break like some auth services I won't name. Configurable expiration, custom claims for RBAC. The tokens actually work.

Authentication Methods:

Email/password (with sane password policies you can actually configure)
Magic links (passwordless login that works most of the time)
OAuth with 20+ providers - Google, GitHub, Apple, Discord, etc.
SMS OTP (when your SMS provider isn't down)
Anonymous sessions for guest users

PostgreSQL Integration: This is where GoTrue shines. It integrates with PostgreSQL's Row Level Security so you can do access control at the database level instead of writing brittle application logic.

-- Users can only see their own data - enforced by the database
CREATE POLICY "users_own_data" ON profiles 
  FOR ALL USING (auth.uid() = user_id);

-- Different levels of access
CREATE POLICY "users_read_public" ON profiles 
  FOR SELECT USING (is_public = true);

-- Time-based access control
CREATE POLICY "users_edit_recent" ON posts 
  FOR UPDATE USING (
    auth.uid() = user_id 
    AND created_at > now() - interval '1 hour'
  );

The auth.uid() function extracts the user ID from the JWT automatically. No more checking tokens in your application code. But here's the magic: this happens at the database level, so even if your application has bugs, users can't access data they shouldn't see. It's like having a security guard at every table.

Real-World Architecture

GoTrue is a stateless Go service that connects to PostgreSQL. In production, you'll want:

Multiple GoTrue instances behind a load balancer (because shit breaks)
PostgreSQL connection pooling with PgBouncer or similar
Proper monitoring because you'll need it when things go wrong
Rate limiting configured properly (default limits are too permissive)

The service works with PostgREST for API generation and Realtime for WebSockets. You can also integrate with PgBouncer for connection pooling and Prometheus for monitoring. Check out the production architecture examples and customer case studies for real-world implementations.

Cost Reality Check

Here's what you'll actually pay as of September 2025 (and why your CFO will either love you or fire you):

Supabase (includes GoTrue):

Free: 50,000 MAU (good for prototypes)
Pro: $25/month for 100,000 MAU
Overage: $0.00325 per MAU

Auth0:

Essentials: $35/month for 500 MAU (already expensive for a side project)
Professional: $240/month for 1,000 MAU (starts hurting real quick)
Enterprise: $23,000+ annually (Auth0 hit us with some massive unexpected bill, think it was like $3,000 or something crazy, turns out they were counting password resets as active users which is complete bullshit)

Firebase Auth: Google's pricing calculator is designed to confuse you, but expect $150-300/month for 100K MAU.

Self-Hosting vs Managed

Self-hosting benefits:

Your data stays on your servers
No vendor lock-in bullshit
Deploy wherever you want
Customize everything

Self-hosting downsides:

You're responsible for security updates
No SLA unless you build it yourself
Monitoring and alerting is your problem
When it breaks at 3am, you fix it

Managed service benefits:

Supabase handles the operational stuff
99.9% uptime SLA (when it works)
Built-in monitoring and logs
Someone else gets called at 3am

Some companies like Mobbin and Good Tape migrated from Firebase/Auth0 to save money. Read the migration guides and check out discussions on Hacker News for real migration experiences. Also see Reddit discussions where developers share their experiences with costs and complexity.

But before you get excited about the cost savings, you need to understand how GoTrue stacks up against the competition. Let's compare the real differences.

GoTrue vs Alternative Authentication Services

Feature	GoTrue (Supabase)	Auth0	Firebase Auth	AWS Cognito
Pricing (100K MAU)	$25/month	$240+/month	$150-300/month	$275+/month
Open Source	✅ MIT License	❌ Proprietary	❌ Proprietary	❌ Proprietary
Data Ownership	✅ Your PostgreSQL	❌ Auth0 servers	❌ Google servers	❌ AWS servers
Self-Hosting	✅ Full support	❌ Not available	❌ Not available	❌ Cloud only
Database Integration	✅ Native PostgreSQL RLS	⚠️ Custom integration	⚠️ Custom integration	⚠️ Custom integration
JWT Standard	✅ RFC 7519 compliant	✅ RFC 7519 compliant	✅ RFC 7519 compliant	✅ RFC 7519 compliant
OAuth Providers	✅ 20+ providers	✅ 30+ providers	✅ 15+ providers	✅ 25+ providers
MFA Support	✅ TOTP, SMS	✅ Comprehensive	✅ SMS, App-based	✅ SMS, Hardware
Email Templates	✅ Customizable HTML	✅ Advanced editor	✅ Basic templates	✅ Basic templates
Rate Limiting	✅ Configurable	✅ Built-in	✅ Basic protection	✅ Configurable
API Access	✅ REST + GraphQL	✅ REST + GraphQL	✅ REST only	✅ REST + SDK
Vendor Lock-in Risk	✅ Low (pg_dump)	❌ High	❌ High	❌ Medium
Enterprise Features	⚠️ Growing	✅ Comprehensive	✅ Google Workspace	✅ AWS Integration
Community Support	✅ Active Discord	✅ Extensive docs	✅ Large community	✅ AWS Support
Regional Deployment	✅ Any region	⚠️ Limited regions	❌ Google regions	✅ AWS regions

Production Deployment Reality

Getting Started - The Easy Part

Use Supabase's managed service unless you hate money and love operational headaches. It works and they handle the boring stuff.

// Basic setup that actually works
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  'https://your-project.supabase.co',
  'your-anon-key'
)

// User registration
const { data, error } = await supabase.auth.signUp({
  email: 'user@example.com',
  password: 'secure-password'
})

Docker Logo

Self-hosting for masochists and enterprises with compliance requirements:

## Basic Docker setup - will probably work
FROM supabase/gotrue:latest

ENV GOTRUE_SITE_URL=https://yourapp.com
ENV GOTRUE_JWT_SECRET=your-256-bit-secret-that-you-actually-need-to-generate
ENV DATABASE_URL=postgresql://user:pass@db:5432/auth

EXPOSE 9999
CMD ["gotrue"]

Configuration That Won't Bite You

Security settings you actually need:

## JWT config - get this wrong and everything breaks
GOTRUE_JWT_SECRET=your-256-bit-secret-not-password123
GOTRUE_JWT_EXP=3600  # 1 hour - don't make it too long
GOTRUE_SECURITY_REFRESH_TOKEN_ROTATION_ENABLED=true

## Rate limiting - defaults are way too generous
GOTRUE_RATE_LIMIT_EMAIL_SENT=10  # Not 60, trust me
GOTRUE_RATE_LIMIT_HEADER=X-Forwarded-For

## SMTP - will break randomly
GOTRUE_SMTP_HOST=smtp.sendgrid.net
GOTRUE_SMTP_PORT=587
GOTRUE_SMTP_USER=apikey
GOTRUE_SMTP_PASS=your-sendgrid-api-key

Production gotchas:

JWT rotation fucked us for weeks. Think it was iOS caching tokens but honestly we tried everything - clearing storage, force logout, even had users reinstall the app. Finally figured out we needed some rollback strategy but by then everyone was pissed (JWT rotation best practices)
Email delivery fails silently with error messages like "SMTP Error 550" - helpful, right? (SMTP troubleshooting guide)
PostgreSQL connection limits will kill you at scale (learned this during a product launch when everything went down) (PostgreSQL connection management)
Docker health checks need manual configuration or your load balancer will route traffic to dead containers (Docker health check docs)

PostgreSQL RLS - The Good Part

This is why you'd choose GoTrue over other options. Database-level security that actually works:

-- Enable RLS - forget this and your data is wide open
ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;

-- Users see only their data
CREATE POLICY \"users_own_profiles\" ON profiles
  FOR ALL USING (auth.uid() = user_id);

-- Admin access (write this policy carefully)
CREATE POLICY \"admins_all_access\" ON profiles
  FOR ALL USING (
    (auth.jwt() ->> 'app_metadata')::json ->> 'role' = 'admin'
  );

RLS gotchas:

Locked myself out of prod DB with a bad admin policy at 2am. Had to restore from backup because I'm an idiot (RLS policy debugging guide)
Performance tanks with complex policies - our user lookup went from maybe 50ms to like 800ms or some shit, took forever to debug (RLS performance optimization)
Debugging policy problems is hell - PostgreSQL error messages are cryptic as fuck (PostgreSQL RLS troubleshooting)
Migration scripts break everything if you forget to disable RLS first. Cost us maybe 3-4 hours of downtime, customers were not happy (RLS migration strategies)

Production Architecture That Won't Fall Over

## docker-compose.yml - actually tested in production
version: '3.8'
services:
  gotrue-1:
    image: supabase/gotrue:latest
    environment:
      - GOTRUE_DB_MAX_POOL_SIZE=20  # Not 50, you'll run out of connections
    deploy:
      replicas: 2  # Start small
  
  postgres:
    image: postgres:15
    environment:
      - POSTGRES_DB=auth
      - POSTGRES_PASSWORD=secure-password
      - POSTGRES_MAX_CONNECTIONS=200  # You'll need this
    volumes:
      - postgres_data:/var/lib/postgresql/data

Load balancer setup (because you'll need it):

upstream gotrue_backend {
    server gotrue-1:9999;
    server gotrue-2:9999;
    # Health checks are manual - Docker health checks don't work well
}

server {
    listen 443 ssl;
    server_name auth.yourapp.com;
    
    location /health {
        proxy_pass http://gotrue_backend;
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
    }
    
    location / {
        proxy_pass http://gotrue_backend;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Monitoring Because You'll Need It

## Basic monitoring setup
GOTRUE_METRICS_ENABLED=true
GOTRUE_METRICS_EXPORTER=prometheus
OTEL_EXPORTER_PROMETHEUS_PORT=9100

What to monitor (from painful experience):

PostgreSQL connection count (maxed out at like 100 connections during a traffic spike, everything died) (PostgreSQL monitoring guide)
Email send failures (SendGrid went down for hours and we had no backup, users couldn't sign up) (Email monitoring best practices)
JWT validation errors (mobile clients don't refresh tokens properly - expect like 5-10% error rate, it's annoying) (JWT monitoring patterns)
Memory usage (Go garbage collector spikes to 2GB then drops to 200MB - scared the shit out of us the first time) (Go memory profiling)
Response times for /token endpoint (went from 50ms to 2s when we hit connection limits, users noticed) (API performance monitoring)

Prometheus Monitoring: Essential for production GoTrue deployments

Framework Integration Gotchas

Next.js with Auth Helpers:

// This works but SSR is tricky
import { createBrowserSupabaseClient } from '@supabase/auth-helpers-nextjs'
import { SessionContextProvider } from '@supabase/auth-helpers-react'

export default function App({ Component, pageProps }) {
  const supabaseClient = createBrowserSupabaseClient()
  
  return (
    <SessionContextProvider supabaseClient={supabaseClient}>
      <Component {...pageProps} />
    </SessionContextProvider>
  )
}

Common problems:

Token refresh during SSR breaks things (NextJS 13.4+ has a specific bug with middleware) (Next.js auth middleware debugging)
Hydration mismatches with auth state (you get "Warning: Text content did not match" in dev tools) (React hydration troubleshooting)
Mobile Safari cookie issues (SameSite=None stopped working in iOS 16.4, had to add a user-agent check) (Safari cookie debugging guide)

React Native has its own special hell:

import { createClient } from '@supabase/supabase-js'
import AsyncStorage from '@react-native-async-storage/async-storage'

const supabase = createClient(url, anonKey, {
  auth: {
    storage: AsyncStorage,
    autoRefreshToken: true,
    persistSession: true,
    detectSessionInUrl: false  // Important for mobile
  }
})

Security - Don't Fuck This Up

JWT secrets - get this wrong and you're fucked:

## Generate a proper secret
openssl rand -base64 32

## Use a secrets manager in production
GOTRUE_JWT_SECRET=$(aws ssm get-parameter --name \"/auth/jwt-secret\" --with-decryption --query Parameter.Value --output text)

HTTPS everywhere - GoTrue sends tokens in headers:

## Redirect all HTTP to HTTPS
server {
    listen 80;
    server_name auth.yourapp.com;
    return 301 https://$server_name$request_uri;
}

Database security:

## Always use SSL
DATABASE_URL=postgresql://user:pass@host:5432/db?sslmode=require

Production lessons learned:

Connection pool exhaustion takes down everything (Connection pooling strategies)
JWT rotation breaks mobile apps for weeks (Mobile JWT handling patterns)
Email templates break on HTML updates (Email template best practices)
Rate limiting triggers on legitimate traffic during launches (Rate limiting patterns)
CORS configuration will waste hours of your life (CORS troubleshooting guide)

The architecture works well once you get through the pain of initial setup. Just don't expect it to be as simple as the docs make it look. For real production examples, check Supabase's scaling blog posts, the community examples repo, and Docker deployment guides. Also useful: Terraform provider docs and Kubernetes manifests from the community.

At this point, you probably have questions. Good. So did we when we first deployed GoTrue. Here are the answers to the questions you're actually going to ask (not the ones in the official docs).

Real Questions from Real Engineers

Is GoTrue actually free or is this some bullshit freemium thing?

GoTrue itself is open source with MIT license - actually free, not "free with strings attached" bullshit. But you'll pay for: - Infrastructure (servers, PostgreSQL, SMTP service) - Supabase managed service ($25/month for 100K MAU) - Your time when things break at 3am

Self-hosting costs $20-50/month for small apps. Supabase managed is usually worth it unless you love operational headaches.

How does GoTrue compare to Auth0? Will I regret switching?

GoTrue pros:

Won't bankrupt you ($25/month vs Auth0's $240/month)
PostgreSQL integration actually works
You own your data
Open source means no vendor lock-in

GoTrue cons:

Missing enterprise SSO integrations that big companies need
No compliance certifications (SOC2, ISO) that auditors love
Smaller community, fewer integrations
You're betting on Supabase not going out of business

If you need Auth0's enterprise features, pay the $23,000+ annually. If you just need auth that works and costs less, GoTrue is fine.

GitHub Integration: OAuth works well with GitHub for developer-focused apps

Can I migrate from Auth0/Firebase without telling all my users to reset passwords?

User data: Yes, both Auth0 and Firebase let you export user emails, metadata, etc.

Passwords: No, because that would be a security nightmare. Hashed passwords can't be transferred between systems.

Reality: All your users need to reset passwords. We sent like 10,000 "please reset your password" emails and got hundreds of support tickets asking "why can't I log in?" Pro tip: send them a discount code to soften the blow.

Migration strategy that works:

Export user data first
Run dual auth systems temporarily
Force password resets gradually
Prepare for complaints

What auth methods does GoTrue support without breaking?

Email/password: Works reliably with configurable password policies

Magic links: Passwordless login that works 90% of the time. Email delivery can be flaky.

OAuth providers: 20+ providers including Google, GitHub, Apple, Discord. Some are more reliable than others.

SMS OTP: Works when your SMS provider isn't down (they're often down)

Anonymous auth: For guest users, works fine

Reality check: Email/password is most reliable. OAuth works but each provider has quirks. SMS OTP depends entirely on your provider not sucking.

How do I set up PostgreSQL RLS without locking myself out?

RLS is GoTrue's best feature but easy to fuck up:

-- Start carefully - test in development first
ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY;

-- Basic user isolation 
CREATE POLICY "users_own_data" ON user_profiles
  FOR ALL USING (auth.uid() = user_id);

-- Admin escape hatch (test this!)
CREATE POLICY "admin_access" ON user_profiles  
  FOR ALL USING (
    (auth.jwt() ->> 'app_metadata')::json ->> 'role' = 'admin'
  );

Common fuckups:

Forgetting the admin policy and locking yourself out (happened to me at 2am, had to restore from backup like an idiot)
Complex policies that tank performance (our 3-table join policy took queries from like 100ms to 3 seconds)
Migration scripts that break when RLS is enabled (forgot to SET ROLE to bypass RLS, took forever to figure out)
Testing with wrong user tokens (spent 2 hours debugging why user couldn't see their own data, felt stupid)

What are the minimum system requirements that actually work?

Development:

1 vCPU, 512MB RAM (will be slow but works)
PostgreSQL 12+ (don't go older)

Production that won't fall over:

2+ vCPU, 2GB+ RAM per GoTrue instance
PostgreSQL with connection pooling (PgBouncer)
Load balancer (Nginx, HAProxy)
Monitoring (you'll need it)
SMTP service that doesn't suck

Reality: Start small, scale when you hit limits. Don't over-engineer from day one.

How do I handle JWT token refresh without breaking mobile apps?

// Basic setup that usually works
const supabase = createClient(url, anonKey, {
  auth: {
    autoRefreshToken: true,
    persistSession: true
  }
})

// Listen for failures
supabase.auth.onAuthStateChange((event, session) => {
  if (event === 'TOKEN_REFRESHED') {
    console.log('Token refreshed successfully')
  }
  if (event === 'SIGNED_OUT') {
    // Handle forced logout gracefully
  }
})

Production gotchas:

Token rotation breaks mobile apps for weeks (learned this the hard way)
Background refresh fails silently sometimes
Network issues during refresh force logout (users hate this)
Different behavior between web and mobile (always test both)

Settings that help:

GOTRUE_SECURITY_REFRESH_TOKEN_ROTATION_ENABLED=true
GOTRUE_SECURITY_REFRESH_TOKEN_REUSE_INTERVAL=10s

Can GoTrue handle multi-tenant apps or will it break?

Multi-tenancy works but requires planning:

-- Tenant isolation at database level
CREATE POLICY "tenant_isolation" ON user_data
  FOR ALL USING (
    tenant_id = (auth.jwt() ->> 'app_metadata')::json ->> 'tenant_id'
  );

Approaches that work:

Separate databases per tenant (expensive)
RLS policies with tenant ID (complex)
JWT claims with organization data (requires careful design)

Reality: Multi-tenancy is hard regardless of auth system. Plan your data model carefully.

What SMTP providers won't randomly stop working?

Reliable options:

SendGrid: Usually works, decent free tier, good APIs
AWS SES: Cheap for volume, requires AWS account
Postmark: Expensive but very reliable
Mailgun: Good APIs, reasonable pricing

Configuration that works:

GOTRUE_SMTP_HOST=smtp.sendgrid.net
GOTRUE_SMTP_PORT=587
GOTRUE_SMTP_USER=apikey
GOTRUE_SMTP_PASS=your-sendgrid-api-key
GOTRUE_SMTP_MAX_FREQUENCY=300  # Don't spam users

Reality: All SMTP providers have outages. Have a backup plan.

Email Providers: Choose reliable SMTP services to avoid delivery issues

What monitoring do I need so I don't get fired?

Essential alerts:

Database connection exhaustion (will kill everything)
Authentication failure rate spikes (attacks or bugs)
Email delivery failures (users can't sign up)
Memory/CPU usage (Go can be spiky)

Monitoring setup:

GOTRUE_METRICS_ENABLED=true
GOTRUE_METRICS_EXPORTER=prometheus
OTEL_EXPORTER_PROMETHEUS_PORT=9100

What to watch:

/token endpoint response times (bottleneck)
PostgreSQL connection count
JWT validation errors
SMTP delivery rates

How do I backup user data without fucking up GDPR compliance?

## Basic backup that works
pg_dump -h localhost -U postgres -d auth_db > gotrue_backup.sql

## Encrypted backup for compliance
pg_dump -h localhost -U postgres -d auth_db | gzip | gpg --encrypt > backup.sql.gz.gpg

GDPR requirements:

Encrypt backups with user data
Implement data retention policies
Support user data deletion requests
Log access to backups

Reality: Compliance is complex. Get legal advice.

Does GoTrue work with serverless or will it break in weird ways?

GoTrue works with serverless but has gotchas:

Connection pooling is mandatory: Use PgBouncer or Supabase's pooler

Cold start issues: Database connections add latency

Environment variables: Manage secrets properly

Reality: Works fine once configured properly. The first deployment will be painful.

What security audits has GoTrue actually passed?

Supabase mentions security assessments but doesn't publish detailed reports. Key features:

JWT implementation follows RFC 7519
Rate limiting protects against brute force
Token rotation detects replay attacks
HTTPS required in production

Reality: For serious compliance needs (healthcare, finance), you'll need additional security reviews. GoTrue is secure enough for most apps but doesn't have the certifications that enterprise auditors want.

Quick Navigation

What GoTrue Actually Does

Real-World Architecture

Cost Reality Check

Self-Hosting vs Managed

Getting Started - The Easy Part

Configuration That Won't Bite You

PostgreSQL RLS - The Good Part

Production Architecture That Won't Fall Over

Monitoring Because You'll Need It

Framework Integration Gotchas

Security - Don't Fuck This Up

Is GoTrue actually free or is this some bullshit freemium thing?

How does GoTrue compare to Auth0? Will I regret switching?

Can I migrate from Auth0/Firebase without telling all my users to reset passwords?

What auth methods does GoTrue support without breaking?

How do I set up PostgreSQL RLS without locking myself out?

What are the minimum system requirements that actually work?

How do I handle JWT token refresh without breaking mobile apps?

Can GoTrue handle multi-tenant apps or will it break?

What SMTP providers won't randomly stop working?

What monitoring do I need so I don't get fired?

How do I backup user data without fucking up GDPR compliance?

Does GoTrue work with serverless or will it break in weird ways?

What security audits has GoTrue actually passed?

Related Tools & Recommendations

Flutter vs React Native vs Kotlin Multiplatform: Which One Won't Destroy Your Sanity?

Vercel + Supabase + Stripe: Stop Your SaaS From Crashing at 1,000 Users

Supabase Got Expensive and My Boss Said Find Something Cheaper

Vercel + Supabase Connection Limits Will Ruin Your Day

OAuth2 JWT Authentication Implementation - The Real Shit You Actually Need

I Spent a Weekend Integrating Clerk + Supabase + Next.js (So You Don't Have To)

Clerk - Auth That Actually Fucking Works

Vercel + Supabase + Clerk: How to Deploy Without Everything Breaking

Converting Angular to React: What Actually Happens When You Migrate

ReactとVueでコンポーネント共有？マジでやめとけ

React Bundle Optimization - Your App's on a Diet

Next.js 14 App Router 설치하기 - 진짜 삽질함

Migrating CRA Tests from Jest to Vitest

Next.js App Router - File-System Based Routing for React

jQuery - The Library That Won't Die

Hoppscotch - Open Source API Development Ecosystem

Stop Jira from Sucking: Performance Troubleshooting That Works

Svelte Hydration Is Dogwater - Here's How To Not Get Fired

SvelteKit - Web Apps That Actually Load Fast

SvelteKit + TypeScript + Tailwind: What I Learned Building 3 Production Apps