Documentation edits made through Mintlify web editor

Author: benitav

installation/authentication-setup/supabase-auth.mdx

@@ -8,23 +8,58 @@ sidebarTitle: Overview
 You can implement various types of auth:
 
 * Standard [Supabase Auth](https://supabase.com/docs/guides/auth)
-   * JavaScript [example](https://github.com/powersync-ja/powersync-js/blob/58fd05937ec9ac993622666742f53200ee694585/demos/react-supabase-todolist/src/library/powersync/SupabaseConnector.ts#L87)
-   * Dart/Flutter [example](https://github.com/powersync-ja/powersync.dart/blob/9ef224175c8969f5602c140bcec6dd8296c31260/demos/supabase-todolist/lib/powersync.dart#L38)
-   * Kotlin [example](https://github.com/powersync-ja/powersync-kotlin/blob/4f60e2089745dda21b0d486c70f47adbbe24d289/connectors/supabase/src/commonMain/kotlin/com/powersync/connector/supabase/SupabaseConnector.kt#L75)
+
+  * JavaScript [example](https://github.com/powersync-ja/powersync-js/blob/58fd05937ec9ac993622666742f53200ee694585/demos/react-supabase-todolist/src/library/powersync/SupabaseConnector.ts#L87)
+
+  * Dart/Flutter [example](https://github.com/powersync-ja/powersync.dart/blob/9ef224175c8969f5602c140bcec6dd8296c31260/demos/supabase-todolist/lib/powersync.dart#L38)
+
+  * Kotlin [example](https://github.com/powersync-ja/powersync-kotlin/blob/4f60e2089745dda21b0d486c70f47adbbe24d289/connectors/supabase/src/commonMain/kotlin/com/powersync/connector/supabase/SupabaseConnector.kt#L75)
+
 * Anonymous Sign-Ins
-   * JavaScript [Example](https://github.com/powersync-ja/powersync-js/blob/58fd05937ec9ac993622666742f53200ee694585/demos/react-multi-client/src/library/SupabaseConnector.ts#L47)
+
+  * JavaScript [Example](https://github.com/powersync-ja/powersync-js/blob/58fd05937ec9ac993622666742f53200ee694585/demos/react-multi-client/src/library/SupabaseConnector.ts#L47)
+
 * Fully custom auth
-   * [Example](https://github.com/powersync-ja/powersync-jwks-example/)
+
+  * [Example](https://github.com/powersync-ja/powersync-jwks-example/)
+
 * Experimental: We've also heard from the community that Supabase's newly released [support for external auth providers works](https://supabase.com/blog/third-party-auth-mfa-phone-send-hooks), but we don't have any examples for this yet.
 
-To implement either **Supabase Auth** or **Anonymous Sign-Ins**, enable the "Use Supabase Auth" setting on the PowerSync instance, and provide your Supabase JWT Secret. Internally, this setting allows PowerSync to verify and use Supabase JWTs directly using HS256 and the provided secret.
+## Enabling Supabase Auth
+
+To implement either **Supabase Auth** or **Anonymous Sign-Ins**, enable the relevant setting on the PowerSync instance, and provide your Supabase JWT Secret. Internally, this setting allows PowerSync to verify and use Supabase JWTs directly using HS256 and the provided secret.
+
+### PowerSync Cloud instances:
+
+1. In the PowerSync Dashboard, right-click on your instance to edit it.
+
+2. Under the **"Client Auth"** tab, enable **"Use Supabase Auth"** and enter your Supabase **JWT Secret**:<Frame caption="PowerSync uses the secret to verify Supabase's JWTs.">
+     ![](/images/authentication/use-supabase-auth.png)
+   </Frame>
+
+3. Click **"Save and deploy"** to deploy the updates to your instance.
+
+### Self-hosted instances:
+
+This can be enabled via your [`config.yaml`](/self-hosting/installation/powersync-service-setup):
+
+```yaml
+
+client\_auth:
+&#x20; *# Enable this if using Supabase Auth*
+&#x20; supabase: true
+&#x20; supabase\_jwt\_secret: your-jwt-secret
+
+```
+
+## Rotating the JWT Secret
 
-Enabling Supabase Auth is also [covered in the Supabase & PowerSync integration guide](/integration-guides/supabase-+-powersync#configuring-powersync).
+If you encounter authroziation errors, you may need to regenrate the JWT Secret. A common cause of this are Supabase projects that are restarted after being paused.
 
 To rotate the secret, generate a new secret in the your Supabase project's API Settings:
 
 <Frame>
-   <img src="/images/authentication/supabase-jwt-secret.png"/>
+  ![](/images/authentication/supabase-jwt-secret.png)
 </Frame>
 
-The Supabase user UUID will be available as `request.user_id()` in Sync Rules. To use a different identifier as the user ID in sync rules (for example user email), use [Custom authentication](/installation/authentication-setup/custom).
+The Supabase user UUID will be available as `request.user_id()` in [Sync Rules](/usage/sync-rules). To use a different identifier as the user ID in sync rules (for example user email), use [Custom authentication](/installation/authentication-setup/custom).

self-hosting/installation/client-side-setup.mdx

@@ -5,16 +5,21 @@ title: "Client-Side Setup"
 We recommend splitting up your client-side implementation into four phases:
 
 <CardGroup>
-<Card title="Generate development token" icon="key" href="/self-hosting/installation/client-side-setup#1-generate-development-token" horizontal/> <Card title="Run Diagnostics app" icon="bug" href="/self-hosting/installation/client-side-setup#2-run-the-diagnostics-app-using-a-development-token" horizontal/>
-<Card title="Use client SDK with token" icon="code" href="/self-hosting/installation/client-side-setup#3-use-the-client-sdk-with-development-token" horizontal/>
-<Card title="Implement authentication" icon="lock" href="/self-hosting/installation/client-side-setup#4-implement-authentication" horizontal/>
+  <Card title="Generate development token" icon="key" href="/self-hosting/installation/client-side-setup#1-generate-development-token" horizontal />
+
+  <Card title="Run Diagnostics app" icon="bug" href="/self-hosting/installation/client-side-setup#2-run-the-diagnostics-app-using-a-development-token" horizontal />
+
+  <Card title="Use client SDK with token" icon="code" href="/self-hosting/installation/client-side-setup#3-use-the-client-sdk-with-development-token" horizontal />
+
+  <Card title="Implement authentication" icon="lock" href="/self-hosting/installation/client-side-setup#4-implement-authentication" horizontal />
 </CardGroup>
 
-## 1\. Generate Development Token
+## 1. Generate Development Token
 
 The recommended approach is to initially use a short-lived development token and then wire up production auth at a later stage.
 
 1. Generate a temporary private/public key-pair (RS256) or shared key (HS256) for JWT signing and verification.
+
 2. Add the key to your PowerSync Service configuration file, e.g.:
 
 ```yaml
@@ -31,10 +36,14 @@ client_auth:
 ```
 
 1. Generate a signed JWT. We have two options to get you started:
+
    1. If you have a `.yaml` configuration file and HS256 key, we recommending using the `generate-token` script from the Test Client in the [powersync-service repo](https://github.com/powersync-ja/powersync-service/tree/main/test-client), as described here [Self-hosted Setup / Local Development](/installation/authentication-setup/development-tokens#self-hosted-setup-local-development). You need to clone this repo to use this option.
+
    2. Alternatively:
-         1. Save the private key into a `.env` file.
-         2. Generate a JWT, loading the `.env` file and inputting a user UUID. See example script:
+
+      1. Save the private key into a `.env` file.
+
+      2. Generate a JWT, loading the `.env` file and inputting a user UUID. See example script:
 
 ```js
 import * as jose from 'jose';
@@ -63,7 +72,7 @@ const token = await new jose.SignJWT({})
 console.log(token);
 ```
 
-## 2\. Run the Diagnostics app using a development token
+## 2. Run the Diagnostics app using a development token
 
 With the [Diagnostics web app](https://github.com/powersync-ja/powersync-js/tree/main/tools/diagnostics-app) you can quickly inspect a user's local database. By using this you can confirm that the PowerSync Service configuration and sync rules behave as expected without needing to set up authentication or app UI.
 
@@ -78,18 +87,18 @@ Enter the generated token into the app's sign in screen.
 Enter your PowerSync Service endpoint (see the port number specified in your config file e.g. `http://localhost:8080`).
 
 <Info>
-**Checkpoint:**
+  **Checkpoint:**
 
-Inspect your global bucket and synced table (from the [PowerSync Service Setup](/self-hosting/installation/powersync-service-setup) section) in the diagnostics app — these should match the sync rules you [defined previously](/self-hosting/installation/powersync-service-setup#1.sync-rules).
+  Inspect your global bucket and synced table (from the [PowerSync Service Setup](/self-hosting/installation/powersync-service-setup) section) in the diagnostics app — these should match the sync rules you [defined previously](/self-hosting/installation/powersync-service-setup#1.sync-rules).
 </Info>
 
-## 3\. Use the Client SDK with a development token
+## 3. Use the Client SDK with a development token
 
 Install the PowerSync client SDK in your app. Refer to the client-side installation instructions here: [Client-Side Setup](/installation/client-side-setup)
 
 Hardcode the development token you generated above in the `fetchCredentials` method, which you'll implement as part of [Integrate with your Backend](/installation/client-side-setup/integrating-with-your-backend)
 
-## 4\. Implement authentication
+## 4. Implement authentication
 
 Read about how authentication works in PowerSync here: [Authentication Setup](/installation/authentication-setup)
 
@@ -105,7 +114,7 @@ Under `client_auth` in your config file, enable Supabase authentication:
 client_auth:
   # Enable this if using Supabase Auth
   supabase: true
-  supabase_jwt_secret: [secret]
+  supabase_jwt_secret: your-secret
 ```
 
 For more details, see [Supabase Auth](/installation/authentication-setup/supabase-auth).
@@ -115,6 +124,7 @@ For more details, see [Supabase Auth](/installation/authentication-setup/supabas
 Under `client_auth` in your config file, add your Firebase JWKS URI and audience.
 
 * JWKS URI: [https://www.googleapis.com/service\_accounts/v1/jwk/[email protected]](https://www.googleapis.com/service%5Faccounts/v1/jwk/[email protected])
+
 * JWT Audience: Your Firebase project ID
 
 ```yaml
@@ -135,7 +145,7 @@ For more details, see [Firebase Auth](/installation/authentication-setup/firebas
 
 Refer to: [Custom](/installation/authentication-setup/custom)
 
-PowerSync supports both RS256 and HS256\. Insert your auth details into your configuration file:
+PowerSync supports both RS256 and HS256. Insert your auth details into your configuration file:
 
 ```yaml
 # config.yaml
@@ -154,4 +164,4 @@ client_auth:
   #       kid: '${PS_JWK_KID}'
 
   audience: ['powersync-dev', 'powersync']
-```
+```

self-hosting/installation/powersync-service-setup.mdx

@@ -8,9 +8,13 @@ After configuring your Postgres database for PowerSync, you'll setup your [Power
 This entails:
 
 1. Configuring MongoDB (if required)
+
 2. Defining your PowerSync config
+
    1. Defining connections to Postgres and MongoDB
+
    2. Defining your [Sync Rules](/usage/sync-rules)
+
    3. Defining your auth method
 
 Examples of the above can be found in our demo application [here](https://github.com/powersync-ja/self-host-demo/tree/main/config). Below we go through these in more detail.
@@ -28,6 +32,7 @@ mongosh "mongodb+srv://powersync.abcdef.mongodb.net/" --apiVersion 1 --username
 ```
 
 If you are rolling your own Docker environment, you can include this init script in your docker-compose file to configure a replica set as once-off operation:
+
 ```yaml
   # Initializes the MongoDB replica set. This service will not usually be actively running
   mongo-rs-init:
@@ -46,26 +51,20 @@ If you are rolling your own Docker environment, you can include this init script
 The PowerSync Service is configured using key/value pairs in a config file, and supports the following configuration methods:
 
 1. Inject config as an environment variable (which contains the base64 encoding of a config file)
+
 2. Use a config file mounted on a volume
+
 3. Specify the config as a command line parameter (again base64 encoded)
 
 Both YAML and JSON config files are supported, and you can see examples of the above configuration methods in our demo app's [docker-compose](https://github.com/powersync-ja/self-host-demo/blob/d61cea4f1e0cc860599e897909f11fb54420c3e6/docker-compose.yaml#L46) file.
 
 A detailed `config.yaml` example with additional comments can be found here:
-<Card
-  title="self-host-demo/config/powersync.yaml at main · powersync-ja/self-host-demoGitHub"
-  icon="github"
-  href="https://github.com/powersync-ja/self-host-demo/blob/main/config/powersync.yaml"
-  horizontal
-/>
+
+<Card title="self-host-demo/config/powersync.yaml at main · powersync-ja/self-host-demoGitHub" icon="github" href="https://github.com/powersync-ja/self-host-demo/blob/main/config/powersync.yaml" horizontal />
 
 The config file schema is also available here:
-<Card
-  title="self-host-demo/schema/schema.json at main · powersync-ja/self-host-demoGitHub"
-  icon="github"
-  href="https://github.com/powersync-ja/self-host-demo/blob/main/schema/schema.json"
-  horizontal
-/>
+
+<Card title="self-host-demo/schema/schema.json at main · powersync-ja/self-host-demoGitHub" icon="github" href="https://github.com/powersync-ja/self-host-demo/blob/main/schema/schema.json" horizontal />
 
 Below is a skeleton config file that you can copy/paste and edit locally:
 
@@ -113,7 +112,7 @@ sync_rules:
 client_auth:
   # Enable this if using Supabase Auth
   # supabase: true
-  # supabase_jwt_secret: [secret]
+  # supabase_jwt_secret: your-secret
 
   # JWKS URIs can be specified here.
   jwks_uri: http://demo-backend:6060/api/auth/keys
@@ -132,11 +131,11 @@ client_auth:
 Specify the connection to Postgres in the `replication` section. Retrieving your database connection string / individual parameters differs by database hosting provider. See [Database Connection](/self-hosting/appendix/database-connection) for further details.
 
 <Info>
-If you are using hosted Supabase, you will need to enable IPv6 for Docker as per [https://docs.docker.com/config/daemon/ipv6/](https://docs.docker.com/config/daemon/ipv6/)
+  If you are using hosted Supabase, you will need to enable IPv6 for Docker as per [https://docs.docker.com/config/daemon/ipv6/](https://docs.docker.com/config/daemon/ipv6/)
 
-If your host OS does not support Docker IPv6 e.g. macOS, you will need to run Supabase locally.
+  If your host OS does not support Docker IPv6 e.g. macOS, you will need to run Supabase locally.
 
-This is because Supabase only allows direct database connections over IPv6 — PowerSync cannot connect using the connection pooler.
+  This is because Supabase only allows direct database connections over IPv6 — PowerSync cannot connect using the connection pooler.
 </Info>
 
 Specify the connection to MongoDB in the `storage` section.
@@ -150,12 +149,8 @@ Using `!env [variable name]` will substitute the value of the environment variab
 Only environment variables with names starting with `PS_` can be substituted.
 
 See examples here:
-<Card
-  title="self-host-demo/config/powersync.yaml at main · powersync-ja/self-host-demoGitHub"
-  icon="github"
-  href="https://github.com/powersync-ja/self-host-demo/blob/main/config/powersync.yaml"
-  horizontal
-/>
+
+<Card title="self-host-demo/config/powersync.yaml at main · powersync-ja/self-host-demoGitHub" icon="github" href="https://github.com/powersync-ja/self-host-demo/blob/main/config/powersync.yaml" horizontal />
 
 ### Sync Rules
 
@@ -195,15 +190,15 @@ For more information about sync rules see:
 [Sync Rules](/usage/sync-rules)
 
 <Info>
-**Checkpoint**
+  **Checkpoint**
 
-To verify that your sync rules are functioning correctly, inspect the contents of your sync bucket in MongoDB.
+  To verify that your sync rules are functioning correctly, inspect the contents of your sync bucket in MongoDB.
 
-If you are running MongoDB in Docker, run the following:
+  If you are running MongoDB in Docker, run the following:
 
-```bash
-docker exec -it {MongoDB container name} mongosh "mongodb://{MongoDB service host}/{MongoDB database name}" --eval "db.bucket_data.find().pretty()"
-# Example
-docker exec -it self-host-demo-mongo-1 mongosh "mongodb://localhost:27017/powersync_demo" --eval "db.bucket_data.find().pretty()"
-```
-</Info>
+  ```bash
+  docker exec -it {MongoDB container name} mongosh "mongodb://{MongoDB service host}/{MongoDB database name}" --eval "db.bucket_data.find().pretty()"
+  # Example
+  docker exec -it self-host-demo-mongo-1 mongosh "mongodb://localhost:27017/powersync_demo" --eval "db.bucket_data.find().pretty()"
+  ```
+</Info>

snippets/supabase-database-connection.mdx

@@ -1,20 +1,27 @@
+1. Copy the database connection details from Supabase:<Frame caption="It is important to uncheck this checkbox">
+     <img src="/images/integration-3.png" />
+   </Frame>
 
-1. Copy the database connection details from Supabase:
-   * In your Supabase dashboard, navigate to **"Project Settings"** \-> **"Database" -> "Connection string**" and select the "URI" tab.
-   * Uncheck the "**Display connection pooler**" checkbox. PowerSync needs to connect to the database directly and cannot use the pooler.
-    <Frame caption="It is important to uncheck this checkbox">
-    <img src="/images/integration-3.png"/>
-    </Frame>
    * Copy the connection string. The hostname should be `db.<PROJECT-ID>.supabase.co`, and not, for example, `aws-0-us-west-1.pooler.supabase.com`.
+
    * Paste this URI in PowerSync instance **URI** field.
+
    * Enter the **Password** for the `postgres` user in your Supabase database.
-     * Supabase also [refers to this password](https://supabase.com/docs/guides/database/managing-passwords) as the _database password_ or _project password_.
+
+     * Supabase also [refers to this password](https://supabase.com/docs/guides/database/managing-passwords) as the *database password* or *project password*.
+
    * PowerSync has the Supabase CA certificate pre-configured — `verify-full` SSL mode can be used directly, without any custom certificates.
+
+   - In your Supabase dashboard, navigate to **"Project Settings"** -> **"Database" -> "Connection string**" and select the "URI" tab.
+
+   - Uncheck the "**Display connection pooler**" checkbox. PowerSync needs to connect to the database directly and cannot use the pooler.
+
 2. Click **"Test Connection"** and fix any errors.
-3. Under the **"Client Auth"** tab, enable **"Use Supabase Auth"** and enter your Supabase **JWT Secret**:
-    <Frame caption="PowerSync uses the secret to verify Supabase's JWTs.">
-      <img src="/images/authentication/use-supabase-auth.png"/>
-    </Frame>
-4. Click **"Save".**
+
+3. Under the **"Client Auth"** tab, enable **"Use Supabase Auth"** and enter your Supabase **JWT Secret**:<Frame caption="PowerSync uses the secret to verify Supabase's JWTs.">
+     ![](/images/authentication/use-supabase-auth.png)
+   </Frame>
+
+4. Click **"Save and deploy"** to deploy the updates to your instance.
 
 PowerSync deploys and configures an isolated cloud environment for you, which will take a few minutes to complete.