diff --git a/apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts b/apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts index 709b3c495dbcc..7ede31efb625a 100644 --- a/apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts +++ b/apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts @@ -663,6 +663,7 @@ export const auth = { { name: 'Firebase Auth', url: '/guides/auth/third-party/firebase-auth' }, { name: 'Auth0', url: '/guides/auth/third-party/auth0' }, { name: 'AWS Cognito (Amplify)', url: '/guides/auth/third-party/aws-cognito' }, + { name: 'WorkOS', url: '/guides/auth/third-party/workos' }, ], }, { diff --git a/apps/docs/content/guides/auth/third-party/overview.mdx b/apps/docs/content/guides/auth/third-party/overview.mdx index 447f9f79f783a..9698ececa01c6 100644 --- a/apps/docs/content/guides/auth/third-party/overview.mdx +++ b/apps/docs/content/guides/auth/third-party/overview.mdx @@ -10,6 +10,7 @@ Supabase has first-class support for these third-party authentication providers: - [Firebase Auth](/docs/guides/auth/third-party/firebase-auth) - [Auth0](/docs/guides/auth/third-party/auth0) - [AWS Cognito (with or without AWS Amplify)](/docs/guides/auth/third-party/aws-cognito) +- [WorkOS](/docs/guides/auth/third-party/workos) You can use these providers alongside Supabase Auth, or on their own, to access the [Data API (REST and GraphQL)](/docs/guides/database), [Storage](/docs/guides/storage), [Realtime](/docs/guides/storage) and [Functions](/docs/guides/functions) from your existing apps. diff --git a/apps/docs/content/guides/auth/third-party/workos.mdx b/apps/docs/content/guides/auth/third-party/workos.mdx new file mode 100644 index 0000000000000..341a4b75f485c --- /dev/null +++ b/apps/docs/content/guides/auth/third-party/workos.mdx @@ -0,0 +1,57 @@ +--- +id: 'auth-third-party-workos' +title: 'WorkOS' +subtitle: 'Use WorkOS with your Supabase project' +--- + +WorkOS can be used as a third-party authentication provider alongside Supabase Auth, or standalone, with your Supabase project. + +## Getting started + +1. First you need to add an integration to connect your Supabase project with your WorkOS tenant. You will need your WorkOS issuer. The issuer is `https://api.workos.com/user_management/`. Substitute your [custom auth domain](https://workos.com/docs/custom-domains/auth-api) for "api.workos.com" if configured. +2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/settings/auth). +3. Set up a JWT template to assign the `role: 'authenticated'` claim to your access token. + +## Setup the Supabase client library + + + + + +```typescript +import { createClient } from '@supabase/supabase-js' +import { createClient as createAuthKitClient } from '@workos-inc/authkit-js' + +const authkit = await createAuthKitClient('WORKOS_CLIENT_ID', { + apiHostname: '', +}) + +const supabase = createClient('https://.supabase.co', 'SUPABASE_ANON_KEY', { + accessToken: async () => { + return authkit.getAccessToken() + }, +}) +``` + + + + + +## Add a new Third-Party Auth integration to your project + +In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/settings/auth) and find the Third-Party Auth section to add a new integration. + +## Set up a JWT template to add the authenticated role. + +Your Supabase project inspects the `role` claim present in all JWTs sent to it, to assign the correct Postgres role when using the Data API, Storage or Realtime authorization. + +WorkOS JWTs already contain a `role` claim that corresponds to the user's role in their organization. It is necessary to adjust the `role` claim to be `"authenticated"` like Supabase expects. This can be done using JWT templates (navigate to Authentication -> Sessions -> JWT Template in the WorkOS Dashboard). + +This template overrides the `role` claim to meet Supabase's expectations, and adds the WorkOS role in a new `user_role` claim: + +```json +{ + "role": "authenticated", + "user_role": {{organization_membership.role}} +} +``` diff --git a/apps/docs/content/guides/getting-started/mcp.mdx b/apps/docs/content/guides/getting-started/mcp.mdx index a0baa71716b76..22f72bb04f729 100644 --- a/apps/docs/content/guides/getting-started/mcp.mdx +++ b/apps/docs/content/guides/getting-started/mcp.mdx @@ -14,6 +14,7 @@ The [Model Context Protocol](https://modelcontextprotocol.io/introduction) (MCP) - [Cline](#cline) (VS Code extension) - [Claude desktop](#claude-desktop) - [Claude code](#claude-code) +- [Qodo Gen](#qodo-gen) Once connected, your AI assistants can interact with and query your Supabase projects on your behalf. @@ -117,11 +118,22 @@ You can also add the Supabase MCP server as a locally-scoped server, which will 1. Run the following command in your terminal: ```bash - claude mcp add supabase -s local -e SUPABASE_ACCESS_TOKEN=your_token_here npx -y @supabase/mcp-server-supabase@latest + claude mcp add supabase -s local -e SUPABASE_ACCESS_TOKEN=your_token_here -- npx -y @supabase/mcp-server-supabase@latest ``` Locally-scoped servers take precedence over project-scoped servers with the same name and are stored in your project-specific user settings. +### Qodo Gen + +1. Open [Qodo Gen](https://docs.qodo.ai/qodo-documentation/qodo-gen) chat panel in VSCode or IntelliJ. +1. Click `Connect more tools`. +1. Click `+ Add new MCP`. +1. Add the following configuration: + + <$Partial path="mcp_supabase_config.mdx" variables={{ "app": "Qodo Gen" }} /> + +1. Click `Save`. + ### Next steps Your AI tool is now connected to Supabase using MCP. Try asking your AI assistant to create a new project, create a table, or fetch project config. diff --git a/supa-mdx-lint/Rule001HeadingCase.toml b/supa-mdx-lint/Rule001HeadingCase.toml index 872b473a5b66a..c8818c4e0d026 100644 --- a/supa-mdx-lint/Rule001HeadingCase.toml +++ b/supa-mdx-lint/Rule001HeadingCase.toml @@ -149,6 +149,7 @@ may_uppercase = [ "Prisma", "Prometheus", "Python", + "Qodo Gen", "Queues?", "Quotas", "Query Performance", diff --git a/supa-mdx-lint/Rule003Spelling.toml b/supa-mdx-lint/Rule003Spelling.toml index b2babe01e78f8..3392a9e73e26f 100644 --- a/supa-mdx-lint/Rule003Spelling.toml +++ b/supa-mdx-lint/Rule003Spelling.toml @@ -237,6 +237,7 @@ allow_list = [ "ProGuard", "PubSub", "Prisma", + "Qodo", "README", "Redis", "RedwoodJS",