Authentication
Authentication is handled by Supabase Auth. Users sign in with email and password, can enable two-factor authentication, reset passwords, verify email, and sign out of all devices.
#Purpose
Explain how identity is established and the account-security features available.
#Architecture
Supabase Auth manages credentials and sessions. The Next.js app reads the authenticated session server-side to identify the caller and their organization.
Account-security features are exposed through the app: two-factor authentication (per user), forgot/reset password, email verification, and sign-out-of-all-devices.
#How it works
1. Sign in: Supabase Auth authenticates the email and password and issues a session.
2. Session used server-side: API routes resolve the user and their organization from that session, never from values supplied in the request.
3. Second factor (optional): if the user has enabled 2FA, the second factor is verified as part of sign-in.
4. Recovery: the forgot-password and email-verification flows restore or confirm access.
#Implementation notes
- 2FA is enabled per user; there is no organization-wide enforcement toggle.
- Password policy and session lifetime are set on the auth platform (Supabase) and are not organization-configurable.
- Sign-out-of-all-devices ends every active session for a user, including the current one (Supabase's global-scope sign-out).
#Limitations
- No org-configurable password policy or session timeout.
- No org-wide 2FA enforcement (drive adoption by policy).
#Security considerations
- Encourage 2FA for all privileged accounts. Because there is no org-wide enforcement, server-side checks for sensitive routes should require that the session was established with the second factor, not merely that the user has enrolled one.
- Treat session handling as platform-managed; do not roll a custom auth layer or a second session mechanism alongside Supabase Auth.
- Use sign-out-of-all-devices on suspected compromise, followed by a password reset, so that any stolen session is invalidated and cannot be re-established.
#Best practices
- Require strong passwords by policy and pair with 2FA.
- Keep verified emails current for recovery.
- Never store raw credentials (passwords, reset tokens, 2FA secrets) in application tables; Supabase Auth holds them.
#Related documentation
- Authorization & Isolation: after identity, access.
- 2FA (admin guide): user-facing.
- Security Model: overall model.