Anonymous Sign-Ins in Supabase

Antiokh · July 17, 2025, 5:45pm

Hi! Supabase has added an option to use Supabase without a user creation. It’s handy for apps which provide something before registration. Now it can be built with local variables and some hacks/RLSs, but maybe it’s possible to use those Anonymous Sign-Ins instead?

Also, it would be great to authenticate user somehow without email/password.

I’ve found some implementations, like here, for individual user’s API keys:

gist.github.com

https://gist.github.com/FelixZY/0aef530690458b381b8100afa19202c8

supabase_api_auth.sql

-- Token Based API Access for Supabase
--
-- How to configure Supabase (https://supabase.com/) to generate and accept API tokens.
--
-- (c) 2022 Felix Zedén Yverås
-- Provided under the MIT license (https://spdx.org/licenses/MIT.html)
--
-- Disclaimer: This file is formatted using pg_format. I'm not happy with the result but
-- prefer to follow a tool over going by personal taste.
--

This file has been truncated. show original

github.com/supabase/storage

Signed urls for upload

opened 09:05AM - 19 Nov 21 UTC

closed 05:09PM - 06 Mar 23 UTC

etiennedupont

enhancement accepted

# Feature request ## Is your feature request related to a problem? Please des…cribe. At [Labelflow](https://github.com/Labelflow/labelflow), we developed a tool to upload images on our Supabase storage, based on one nextJs API route. The goal is for us to abstract the storage method from the client-side by querying a generic upload route to upload any file and to ease the permission management. Indeed, in the server-side function, one service role Supabase client is manipulated to actually make the upload. We use next-auth to secure the route (and to manage authentication in the app in general). Client-side upload looks like that: ```javascript await fetch("https://labelflow.ai/api/upload/[key-in-supabase]", { method: "PUT", body: file, }); ``` Server-side API route looks more or less like that (I don't show the permission management part): ```javascript import { createClient } from "@supabase/supabase-js"; import nextConnect from "next-connect"; const apiRoute = nextConnect({}); const client = createClient( process?.env?.SUPABASE_API_URL as string, process?.env?.SUPABASE_API_KEY as string ); const bucket = "labelflow-images"; apiRoute.put(async (req, res) => { const key = (req.query.id as string[]).join("/"); const { file } = req; const { error } = await client.storage.from(bucket).upload(key, file.buffer, { contentType: file.mimetype, upsert: false, cacheControl: "public, max-age=31536000, immutable", }); if (error) return res .status(404); return res.status(200); }); export default apiRoute; ``` **The problem is that we face a serious limitation in terms of upload size** since we use Vercel for deployment which [doesn't allow serverless functions to handle requests that are more than 5Mb](https://vercel.com/support/articles/how-to-bypass-vercel-5mb-body-size-limit-serverless-functions). Since we send over images in the upload request from the client to the server, we're likely to reach that limit quite often. ## Describe the solution you'd like As we don't want to manipulate Supabase clients client-side, we think that the ideal solution would be to allow us to upload directly to Supabase, using an **upload signed URL**. The above upload route could now take only a key as an input and return a signed URL to make the upload to. Client-side upload would now be in two steps: ```javascript // Get Supabase signed Url const { signedUrl } = await (await fetch("https://labelflow.ai/api/upload/[key-in-supabase]", { method: "GET", })).json(); // Upload the file await fetch(signedUrl, { method: "PUT", body: file, }); ``` And our API route would look like that, more or less: ```javascript import { createClient } from "@supabase/supabase-js"; import nextConnect from "next-connect"; const apiRoute = nextConnect({}); const client = createClient( process?.env?.SUPABASE_API_URL as string, process?.env?.SUPABASE_API_KEY as string ); const bucket = "labelflow-images"; apiRoute.get(async (req, res) => { const key = (req.query.id as string[]).join("/"); const { signedURL } = await client.storage .from(bucket) .createUploadSignedUrl(key, 3600); // <= this is the missing feature if (signedURL) { res.setHeader("Content-Type", "application/json"); return res.status(200).json({signedURL}); } return res.status(404); }); export default apiRoute; ``` ## Describe alternatives you've considered I described them in our [related issue](https://github.com/labelflow/labelflow/issues/576#issuecomment-972732048): - Use the Supabase client, client-side. We'd need to give extra care about security, and the fact we don’t use Supabase auth is not helping. Some references to do that: https://supabase.io/docs/guides/auth#row-level-security & https://github.com/supabase/supabase/tree/master/examples/nextjs-ts-user-management#postgres-row-level-security - Use another storage method (Google Cloud, AWS) that supports upload SignedUrl, in an end-to-end fashion instead of Supabase - Use another storage method (Google Cloud, AWS) that supports upload SignedUrl as an intermediate. E.g. upload on a GC bucket then download it from the API serverless function and finally upload on Supabase using the client ## Additional context We're happy to work on developing this feature at Labelflow if you think this is the best option!

But to use it inside Supabase we still need some extra coded functions.

Broberto · July 17, 2025, 7:41pm

You have all the info you need here - Anonymous Sign-Ins | Supabase Docs
It’s only a matter of setting up the RLS to reflect the anon flag from the JWT as they describe and using the wwLib methods to access the Supabase instance. It’s probably not gonna get implemented into the no-code plugin for a long time, but you can access it even probably now with the custom JS action.

Antiokh · July 18, 2025, 3:08pm

thanks! where can I find more info about wwLib methods?

Antiokh · July 23, 2025, 2:16pm

The key bonus from those anonymous sign-ins is that you can mark user as authenticated without creating a real user. So you can utilize all strenghts of RLS’s and then, only after, ask for the email to create a real account.

Anonymous Sign-Ins | Supabase Docs

So I want to create an anonymous account, and then I want WeWeb to raise “Authenticated” state in WeWeb.

So we actually need three new actions:

Anonymous sign-in

const { data, error } = await supabase.auth.signInAnonymously()

Set email to anonymous account

const { data: updateEmailData, error: updateEmailError } = await supabase.auth.updateUser({
  email: 'valid.email@supabase.io',
})

// verify the user's email by clicking on the email change link
// or entering the 6-digit OTP sent to the email address

// once the user has been verified, update the password
const { data: updatePasswordData, error: updatePasswordError } = await supabase.auth.updateUser({
  password: 'password',
})

Link anonymous account to existing

// 1. Sign in anonymously (assuming the user is already signed in anonymously)
const { data: anonData, error: anonError } = await supabase.auth.getSession()

// 2. Attempt to update the user with the existing email
const { data: updateData, error: updateError } = await supabase.auth.updateUser({
  email: 'valid.email@supabase.io',
})

// 3. Handle the error (since the email belongs to an existing user)
if (updateError) {
  console.log('This email belongs to an existing user. Please sign in to that account.')

  // 4. Sign in to the existing account
  const {
    data: { user: existingUser },
    error: signInError,
  } = await supabase.auth.signInWithPassword({
    email: 'valid.email@supabase.io',
    password: 'user_password',
  })

  if (existingUser) {
    // 5. Reassign entities tied to the anonymous user
    // This step will vary based on your specific use case and data model
    const { data: reassignData, error: reassignError } = await supabase
      .from('your_table')
      .update({ user_id: existingUser.id })
      .eq('user_id', anonData.session.user.id)

    // 6. Implement your chosen conflict resolution strategy
    // This could involve merging data, overwriting, or other custom logic
    await resolveDataConflicts(anonData.session.user.id, existingUser.id)
  }
}

// Helper function to resolve data conflicts (implement based on your strategy)
async function resolveDataConflicts(anonymousUserId, existingUserId) {
  // Implement your conflict resolution logic here
  // This could involve ignoring the anonymous user's metadata, overwriting the existing user's metadata, or merging the data of both the anonymous and existing user.
}

And then I can implement some purge function in Supabase to clean those anonymous data.

Antiokh · July 27, 2025, 10:20pm

so what about wwLib?

sam1 · July 28, 2025, 12:52am

type wwLib in your console and you can see all the properties

Topic		Replies	Views
Accessing Supabase Storage (non-public) How do I? supabase	10	413	February 19, 2025
Sign in as user? Ask us anything supabase	9	326	April 29, 2025
Upload directly to Supabase Buckets How do I? supabase	3	284	January 26, 2024
What's the best way tu opload a file directly to Supabase storage? How do I?	52	4306	September 15, 2023
How to check from WeWeb page if a value exists in Supabase for unauthenticated WeWeb page user? How do I? supabase	7	543	March 21, 2024

Anonymous Sign-Ins in Supabase

Related topics