// the find
supabase/auth
A JWT based API for managing users and issuing JWT tokens
Supabase's authentication server, forked from Netlify's GoTrue and significantly extended. It handles JWT issuance, user management, 20+ OAuth providers, MFA, passkeys, SAML, and SMS OTP. If you're building on Supabase, this is what runs under the hood; if you're self-hosting standalone, that's where things get complicated.
Provider coverage is genuinely broad — Apple, Google, GitHub, Discord, SAML, and a dozen more, each with its own test file. The refresh token rotation with reuse detection is solid: each refresh revokes the presented token and issues a successor in the same session, so a revoked token showing up again is treated as theft and the entire token family is invalidated at once. Passkey/WebAuthn support is first-class, not bolted on — registration, authentication, and admin management all have dedicated handlers and test coverage. The versioning guarantees are unusually explicit: they document exactly which schema changes are safe at patch vs. minor vs. major releases, which matters when you're running migrations in production.
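To make the rotation and reuse-detection behaviour concrete, here is an added example in Go (written for this page, not code from supabase/auth) of the token-family logic: rotating revokes the presented token and issues a child in the same session, and a revoked token presented again is treated as theft, which revokes the whole family. The grace window for a client that retries a rotation whose response it never received mirrors the idea behind GoTrue's `GOTRUE_SECURITY_REFRESH_TOKEN_REUSE_INTERVAL` setting, but its exact semantics here, along with the `store`, `Issue` and `Rotate` names and the in-memory map standing in for a refresh_tokens table, are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownToken   = errors.New("refresh token not found")
	ErrSessionRevoked = errors.New("session has been revoked")
	ErrReuseDetected  = errors.New("revoked refresh token reused; whole session revoked")
)

// refreshToken is one link in a rotation chain; tokens rotated from one login share a SessionID (the "family").
type refreshToken struct {
	Token, SessionID string
	Child            string // token issued when this one was rotated ("" while current)
	Revoked          bool
	RevokedAt        time.Time
}

// store is an in-memory stand-in for a refresh_tokens table (example assumption).
type store struct {
	mu              sync.Mutex // rotations of the same token must be serialised
	tokens          map[string]*refreshToken
	revokedSessions map[string]bool
	reuseInterval   time.Duration    // grace window for a client retrying a rotation
	now             func() time.Time // injectable clock
}

func newStore(reuseInterval time.Duration) *store {
	return &store{tokens: map[string]*refreshToken{}, revokedSessions: map[string]bool{},
		reuseInterval: reuseInterval, now: time.Now}
}

func randomToken() string {
	b := make([]byte, 16) // 128 bits from the CSPRNG
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue starts a new session (a login) and returns its first refresh token.
func (s *store) Issue() (token, sessionID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt := &refreshToken{Token: randomToken(), SessionID: randomToken()}
	s.tokens[rt.Token] = rt
	return rt.Token, rt.SessionID
}

// Rotate revokes the presented token and issues a successor in the same session.
// Presenting an already revoked token is the theft signal handled below.
func (s *store) Rotate(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt, ok := s.tokens[token]
	if !ok {
		return "", ErrUnknownToken
	}
	if s.revokedSessions[rt.SessionID] {
		return "", ErrSessionRevoked
	}
	if rt.Revoked {
		// Lost-response retry: inside the window, hand back the child the client missed.
		if s.now().Sub(rt.RevokedAt) <= s.reuseInterval {
			if child, ok := s.tokens[rt.Child]; ok && !child.Revoked {
				return child.Token, nil
			}
		}
		// Otherwise two parties hold one token and one of them is not the
		// user: kill every token in the family so the stolen copy dies too.
		s.revokedSessions[rt.SessionID] = true
		for _, t := range s.tokens {
			if t.SessionID == rt.SessionID {
				t.Revoked = true
			}
		}
		return "", ErrReuseDetected
	}
	child := &refreshToken{Token: randomToken(), SessionID: rt.SessionID}
	rt.Revoked, rt.RevokedAt, rt.Child = true, s.now(), child.Token
	s.tokens[child.Token] = child
	return child.Token, nil
}

func main() {
	s := newStore(10 * time.Second)
	first, _ := s.Issue()
	second, _ := s.Rotate(first)
	s.now = func() time.Time { return time.Now().Add(time.Minute) }
	_, late := s.Rotate(first)   // the old token a minute later: theft signal
	_, after := s.Rotate(second) // the legitimate successor is dead too
	fmt.Println(late, "/", after)
}
```

The mutex is not decoration: without serialising rotations of the same token, two concurrent requests presenting it can both succeed, and the reuse check never fires.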
The README literally says 'running an authentication server in production is not an easy feat' and recommends using managed Supabase Auth instead — that's the maintainers telling you this isn't really designed for standalone operation. A chunk of GoTrue-inherited features (multi-instance mode, super admin, group JWTs) is explicitly unsupported and can be removed without notice, so if you built on any of those you're on borrowed time. `GOTRUE_DB_MAX_POOL_SIZE` defaults to 0, which means no cap on open Postgres connections (the database/sql default), so any real load can exhaust the database's connection limit before you work out why. Configuration is several hundred environment variables read by envconfig, which ignores names it doesn't recognise, so a misspelled variable silently falls back to its default and the mistake surfaces as wrong runtime behaviour rather than a boot error.
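A practitioner's answer to the last two points is a preflight check run before the server starts. The following is an added example in Go, not code from supabase/auth: it walks the process environment, flags any GOTRUE_* name that is not on an allowlist (an envconfig-style loader would otherwise ignore the typo and fall back to the default) and suggests the closest known name, and warns when GOTRUE_DB_MAX_POOL_SIZE is unset, zero, or not a number. The `knownVars` allowlist is a constructed subset for illustration; a real check would generate it from the server's config struct. `Preflight`, `Finding` and `closest` are this example's own names.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// knownVars is the allowlist. These names are a constructed subset for the
// example; a real check would generate the full list from the config struct.
var knownVars = []string{
	"GOTRUE_DB_DRIVER", "GOTRUE_DB_MAX_POOL_SIZE", "GOTRUE_JWT_SECRET",
	"GOTRUE_SITE_URL", "GOTRUE_DISABLE_SIGNUP",
	"GOTRUE_SECURITY_REFRESH_TOKEN_ROTATION_ENABLED",
}

type Finding struct{ Level, Var, Msg string } // Level is "error" or "warn"

// Preflight scans KEY=VALUE pairs (os.Environ shape) for GOTRUE_* names not on
// the allowlist, which an envconfig-style loader would silently ignore, and
// for a DB pool size that is unset, zero (no cap) or not a number.
func Preflight(environ, known []string) []Finding {
	knownSet := make(map[string]bool, len(known))
	for _, k := range known {
		knownSet[k] = true
	}
	var out []Finding
	poolSet := false
	for _, kv := range environ {
		name, val, _ := strings.Cut(kv, "=")
		if !strings.HasPrefix(name, "GOTRUE_") {
			continue
		}
		if !knownSet[name] {
			out = append(out, Finding{"error", name,
				"unrecognised variable, it would be ignored; did you mean " + closest(name, known) + "?"})
			continue
		}
		if name == "GOTRUE_DB_MAX_POOL_SIZE" {
			poolSet = true
			if n, err := strconv.Atoi(val); err != nil {
				out = append(out, Finding{"error", name, "not an integer: " + strconv.Quote(val)})
			} else if n <= 0 {
				out = append(out, Finding{"warn", name, "0 means no cap on open connections; set a ceiling below Postgres max_connections"})
			}
		}
	}
	if !poolSet {
		out = append(out, Finding{"warn", "GOTRUE_DB_MAX_POOL_SIZE", "unset, so it defaults to 0 (unlimited connections)"})
	}
	return out
}

// closest returns the allowlisted name with the smallest edit distance to name.
func closest(name string, known []string) string {
	best, bestDist := "", -1
	for _, k := range known {
		if d := levenshtein(name, k); bestDist < 0 || d < bestDist {
			best, bestDist = k, d
		}
	}
	return best
}

// levenshtein is the two-row edit distance over bytes (the names are ASCII).
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

func minInt(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

func main() {
	for _, f := range Preflight(os.Environ(), knownVars) {
		fmt.Printf("%-5s %s: %s\n", f.Level, f.Var, f.Msg)
	}
}
```

Run it with exactly the environment the server container receives (for instance under `env -i` with the deployment's env file) and fail the deploy on any "error" finding; the "warn" on pool size is the one to act on before the first real traffic.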