Auth

User Management

View, delete, and export user information.

You can view your users on the Users page of the Dashboard. You can also view the contents of the Auth schema in the Table Editor.

Accessing user data via API

For security, the Auth schema is not exposed in the auto-generated API. If you want to access users data via the API, you can create your own user tables in the public schema.

Make sure to protect the table by enabling Row Level Security. Reference the auth.users table to ensure data integrity. Specify on delete cascade in the reference. For example, a public.profiles table might look like this:

create table public.profiles (
id uuid not null references auth.users on delete cascade,
first_name text,
last_name text,

primary key (id)
);

alter table public.profiles enable row level security;

To update your public.profiles table every time a user signs up, set up a trigger. If the trigger fails, it could block signups, so test your code thoroughly.

-- inserts a row into public.profiles
create function public.handle_new_user()
returns trigger
language plpgsql
security definer set search_path = ''
as $$
begin
insert into public.profiles (id, first_name, last_name)
values (new.id, new.raw_user_meta_data ->> 'first_name', new.raw_user_meta_data ->> 'last_name');
return new;
end;
$$;

-- trigger the function every time a user is created
create trigger on_auth_user_created
after insert on auth.users
for each row execute procedure public.handle_new_user();

Adding and retrieving user metadata

You can assign metadata to users on sign up:

const { data, error } = await supabase.auth.signUp({
email: 'example@email.com',
password: 'example-password',
options: {
data: {
first_name: 'John',
age: 27,
},
},
})

User metadata is stored on the raw_user_meta_data column of the auth.users table. To view the metadata:

const {
data: { user },
} = await supabase.auth.getUser()
let metadata = user.user_metadata

Deleting users

You may delete users directly or via the management console at Authentication > Users. Note that deleting a user from the auth.users table does not automatically sign out a user. As Supabase makes use of JSON Web Tokens (JWT), a user's JWT will remain "valid" until it has expired. Should you wish to immediately revoke access for a user, do consider making use of a Row Level Security policy as described below.

Exporting users

As Supabase is built on top of Postgres, you can query the auth.users and auth.identities table via the SQL Editor tab to extract all users:

select * from auth.users;

You can then export the results as CSV.

We only collect analytics essential to ensuring smooth operation of our services. Learn more