Some questions around using WeWeb Supabase auth plugin

Tims · March 11, 2025, 8:39am

Hi all,

I am using the Supabase auth plugin with Google social login (Google oAuth) which is all working very well, but I have some questions around that.

If a user logs in, how long do they stay logged in? Can I configure this on WeWeb side in the plugin or is this on Supabase side?
Per Supabase auth documentation, a login creates a session. Refreshing the session gives a new refresh token and access token pair. I’m using these access tokens to authorize REST API requests coming from my front-end. However, with some testing I noticed that the access token expires after 1 hour and a user will run into the error that the JWT token has expired. I suppose the simple approach would be to use the “Refresh session” in the workflow before sending the REST API request, but I wonder whether this is the best approach (I have about ~50 distinct workflows with rest API Requests). Is it best practice to build something like a “global session refresher” that automatically refreshes the token? Would that be even possible in WeWeb?

Tims · April 8, 2025, 10:22am

Not sure if this is allowed, but bumping this for visibility

Vitor · June 16, 2025, 10:58am

I also needed this information, the same problem happens to me. Did you find any solution?

tomerer2000 · June 16, 2025, 11:40am

I upload the thing with weweb team, from what I understand if you use restApi it’s your responsibility to figure out how to keep the JWT valid.
If you use supabase functions there are dedicated actions that will stay valid as long as the session is valid

Tims · June 17, 2025, 1:57pm

So here’s what I figured out. The WeWeb editor shows different behavior than published applications. Once a user logs in via Supabase, they stay logged in indefinitely. However, in the Editor, they are automatically logged out after 1 hour. I’m not sure why it’s like that.

In a published application, the error for JWT invalid does not occur at all, because the logged in state persists. This also aligns with supabase documentation

By default, it lasts indefinitely and a user can have an unlimited number of active sessions on as many devices.

A session is represented by the Supabase Auth access token in the form of a JWT, and a refresh token which is a unique string.

Vitor · June 17, 2025, 2:37pm

In my case it happens in the already published application, after some time and based on that sometimes duplicating the page also happens

Tims · June 17, 2025, 2:57pm

Does it happen when the editor is also active/logged in on the same Supabase authentication? Because that is also true for me, but when the editor is not logged in on the same Supabase authentication it works according to Supabase documentation.

Vitor · June 17, 2025, 3:49pm

Okay, so if I use the same login in the editor and in production, the editor ends up causing production to be disconnected? That would be my situation

Topic		Replies	Views
Supabase Auth Plugin — Session Expiring After Tab Duplication or Inactivity Ask us anything authentication , supabase , bug , weweb	3	24	June 13, 2025
JWT Token is expiring before the actual time Ask us anything authentication	3	77	February 26, 2025
WeWeb / Supabase auth issue Ask us anything supabase	12	586	April 30, 2024
Is there a way to set the Supabase auth token manually? How do I?	9	2304	February 17, 2024
Does WeWeb's editor expire the authentication token after a long period of inactivity? Ask us anything authentication	4	63	March 6, 2025

Some questions around using WeWeb Supabase auth plugin

Related topics