
Authentication

Secure your app with built-in authentication. Set up Google OAuth, email/password login, protect routes, and manage user sessions.

Skappa apps use Supabase Auth — a battle-tested authentication system that supports email/password, magic links, and social OAuth providers. User sessions are managed automatically with secure, HTTP-only cookies. This guide walks you through setting up and customizing authentication.

Built-in Authentication

When you ask the AI to add authentication to your app, it scaffolds a complete auth flow: sign up, sign in, password reset, and session management. Under the hood, it uses Supabase Auth with the Next.js server-side client, so sessions are validated on the server rather than relying on client-side tokens.

Google OAuth Setup

To enable Google sign-in, you need OAuth credentials from Google Cloud Console:

  • Go to the Google Cloud Console and create a new OAuth 2.0 Client ID.
  • Set the authorized redirect URI to your Supabase project callback URL (found in Authentication > Providers > Google).
  • Copy the Client ID and Client Secret into the Supabase dashboard.
  • Enable the Google provider in Supabase under Authentication > Providers.
// Redirect URI format:
https://your-project.supabase.co/auth/v1/callback

Protecting Routes

Use Next.js middleware to check authentication on protected pages. The middleware runs before the page renders, so unauthenticated users are redirected to the login page immediately:

// middleware.ts
import { createServerClient } from '@supabase/ssr'
import { NextResponse, type NextRequest } from 'next/server'

export async function middleware(request: NextRequest) {
  const response = NextResponse.next({ request })
  // Client bound to this request's cookies; refreshed tokens are written back to the response.
  const supabase = createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll: () => request.cookies.getAll(),
        setAll: (cookiesToSet) =>
          cookiesToSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options)),
      },
    }
  )
  // getUser() validates the token with the Auth server; getSession() would only read the cookie.
  const { data: { user } } = await supabase.auth.getUser()

  if (!user && request.nextUrl.pathname.startsWith('/dashboard')) {
    return NextResponse.redirect(new URL('/login', request.url))
  }

  return response
}
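As an added example (not Skappa's or Supabase's code), here is the route-matching and return-path logic that the middleware above and the OAuth callback handler mentioned in the tip below both depend on, written as plain functions so it can be unit-tested without Next.js. It assumes a `next` query parameter that carries the originally requested path, and `PROTECTED_PREFIXES` is a placeholder for your own routes. Two details matter for security: prefixes are matched per path segment, so `/dashboard` does not also protect an unrelated `/dashboard-demo`, and the callback only honours a `next` value that is a same-origin path, which keeps the callback route from being usable as an open redirect.

```typescript
// Added example (not Skappa's or Supabase's code): route matching and
// safe return-path handling for the middleware / callback pattern.

// Prefixes that require a signed-in user (placeholder list for this example).
const PROTECTED_PREFIXES = ['/dashboard', '/account']

function splitSegments(pathname: string): string[] {
  return pathname.split('/').filter((s) => s.length > 0)
}

// Segment-aware prefix match: '/dashboard' covers '/dashboard/settings'
// but not '/dashboard-demo', which a plain startsWith() would also match.
function requiresAuth(pathname: string): boolean {
  const segs = splitSegments(pathname)
  return PROTECTED_PREFIXES.some((prefix) => {
    const want = splitSegments(prefix)
    return want.every((seg, i) => segs[i] === seg)
  })
}

// What the middleware should do: null means let the request through,
// otherwise the login URL to redirect to, carrying the original path in `next`
// (a parameter name assumed for this example).
function loginRedirectFor(pathname: string, signedIn: boolean): string | null {
  if (signedIn || !requiresAuth(pathname)) return null
  return '/login?next=' + encodeURIComponent(pathname)
}

// After the callback handler has exchanged the OAuth code for a session, only
// honour a `next` that is a same-origin absolute path. Another host, a
// protocol-relative '//host', a backslash variant '/\host' or a scheme such as
// 'javascript:' all fall back to a fixed default.
function safeNextPath(next: string | null, fallback = '/dashboard'): string {
  if (!next) return fallback
  if (!next.startsWith('/') || next.startsWith('//') || next.startsWith('/\\')) return fallback
  try {
    // Resolve against a dummy origin; if the origin changes, it was not a plain path.
    const u = new URL(next, 'https://app.invalid')
    if (u.origin !== 'https://app.invalid') return fallback
    return u.pathname + u.search
  } catch {
    return fallback
  }
}
```

In the middleware, `loginRedirectFor(request.nextUrl.pathname, !!user)` replaces the inline `startsWith` check; in the callback route, `safeNextPath(searchParams.get('next'))` is the only value that should ever reach `NextResponse.redirect`.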

User Sessions

Sessions are stored as secure, HTTP-only cookies — not in localStorage. This prevents cross-site scripting (XSS) attacks from stealing tokens. Sessions refresh automatically, so users stay logged in across visits without re-authenticating.
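The cookie attributes are what actually deliver the protection described above, so they are worth checking rather than assuming. The following added example (not Skappa's or Supabase's code) audits `Set-Cookie` headers for the attributes a session cookie needs: `HttpOnly` (page scripts cannot read it), `Secure` (never sent over plain HTTP) and `SameSite` (limits cross-site sends). The sample headers are constructed for the example; the cookie name and token value are not real.

```typescript
// Added example (not Skappa's or Supabase's code): audit Set-Cookie headers
// for the attributes that make a session cookie resistant to theft and misuse.

interface CookieAudit {
  name: string
  httpOnly: boolean
  secure: boolean
  sameSite: 'strict' | 'lax' | 'none' | null
  problems: string[]
}

// Split "name=value; Attr; Attr=val" into the cookie name and a lower-cased
// attribute map (attribute names are case-insensitive per RFC 6265).
function parseSetCookie(header: string): { name: string; attrs: Record<string, string> } {
  const [pair, ...rest] = header.split(';')
  const name = pair.slice(0, pair.indexOf('=')).trim()
  const attrs: Record<string, string> = {}
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=')
    attrs[k.toLowerCase()] = v.join('=').toLowerCase()
  }
  return { name, attrs }
}

function auditSessionCookie(header: string): CookieAudit {
  const { name, attrs } = parseSetCookie(header)
  const httpOnly = 'httponly' in attrs
  const secure = 'secure' in attrs
  const raw = attrs['samesite']
  const sameSite = raw === 'strict' || raw === 'lax' || raw === 'none' ? raw : null
  const problems: string[] = []
  if (!httpOnly) problems.push('missing HttpOnly: readable by page scripts (XSS can steal it)')
  if (!secure) problems.push('missing Secure: may be sent over plain HTTP')
  if (sameSite === null) problems.push('missing SameSite: browser default applies')
  if (sameSite === 'none' && !secure) problems.push('SameSite=None requires Secure')
  return { name, httpOnly, secure, sameSite, problems }
}

// Constructed sample headers (not real cookies or tokens).
const SAMPLE_HEADERS = [
  'sb-demo-auth-token=eyJ.constructed.sample; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax',
  'legacy_session=abc123; Path=/',
]

function auditAll(headers: string[] = SAMPLE_HEADERS): CookieAudit[] {
  return headers.map(auditSessionCookie)
}
```

Run `auditAll()` over the headers your login response actually sends (for example from `response.headers.getSetCookie()` in a route test); any non-empty `problems` list is a finding to fix before shipping.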

Best Practices

  • Always validate authentication on the server side; never trust client-side checks alone.
  • Use Row Level Security (RLS) in Supabase to restrict database access per user.
  • Require email verification before granting full access to your app.
  • Implement rate limiting on auth endpoints to prevent brute-force attacks.
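The last item above is the one developers most often leave until after an incident. As an added example (not Skappa's or Supabase's code), here is a sliding-window limiter for a sign-in endpoint that keys on both the client IP and the account being signed into, so that one source trying many accounts and many sources trying one account are both throttled. The limits, window sizes and key formats are assumptions for this example, and the in-memory store is only suitable for a single process; a production deployment would back it with a shared store such as Redis.

```typescript
// Added example (not Skappa's or Supabase's code): sliding-window rate limiting
// for auth endpoints, keyed per IP and per target account.

interface LimitRule { limit: number; windowMs: number }

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>()
  constructor(private rule: LimitRule) {}

  // Returns true when the attempt is allowed, false when the key is throttled.
  // Throttled attempts are not recorded, so a locked-out caller does not
  // extend their own lockout by retrying.
  allow(key: string, now: number = Date.now()): boolean {
    const cutoff = now - this.rule.windowMs
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff)
    if (recent.length >= this.rule.limit) {
      this.hits.set(key, recent)
      return false
    }
    recent.push(now)
    this.hits.set(key, recent)
    return true
  }
}

class AuthRateLimiter {
  private perIp: SlidingWindowLimiter
  private perAccount: SlidingWindowLimiter

  // Default limits are assumptions: 20 attempts per IP per minute,
  // 5 attempts per account per 15 minutes.
  constructor(
    ipRule: LimitRule = { limit: 20, windowMs: 60_000 },
    accountRule: LimitRule = { limit: 5, windowMs: 15 * 60_000 },
  ) {
    this.perIp = new SlidingWindowLimiter(ipRule)
    this.perAccount = new SlidingWindowLimiter(accountRule)
  }

  // Decide one sign-in attempt. The email is normalised so that case or
  // whitespace variations cannot dodge the per-account bucket.
  check(ip: string, email: string, now: number = Date.now()): 'ok' | 'throttled' {
    const account = email.trim().toLowerCase()
    const ipOk = this.perIp.allow(`ip:${ip}`, now)
    const acctOk = this.perAccount.allow(`acct:${account}`, now)
    return ipOk && acctOk ? 'ok' : 'throttled'
  }
}
```

Call `check()` before forwarding credentials to Supabase and answer `throttled` with HTTP 429 and a `Retry-After` header; returning the same generic error for throttled and failed attempts avoids revealing which accounts exist.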

Tip: Tell the AI: "Add Google OAuth login with a protected dashboard." It generates the full flow including the login page, callback handler, middleware, and dashboard layout with user info.
