Document New Supabase auth - addition of JWT secret

installation/authentication-setup/supabase-auth.mdx

@@ -17,14 +17,14 @@ You can implement various types of auth:
    * [Example](https://github.com/powersync-ja/powersync-jwks-example/)
 * Experimental: We've also heard from the community that Supabase's newly released [support for external auth providers works](https://supabase.com/blog/third-party-auth-mfa-phone-send-hooks), but we don't have any examples for this yet.
 
-<Note>
-The "Supabase Auth" setting no longer works for Supabase projects created after 25 November 2024. While we are working with Supabase on a fix, please apply this workaround: https://releases.powersync.com/announcements/important-notice-for-supabase-users-using-supabase-jwts
-</Note>
+To implement either **Supabase Auth** or **Anonymous Sign-Ins**, enable the "Use Supabase Auth" setting on the PowerSync instance, and provide your Supabase JWT Secret. Internally, this setting allows PowerSync to verify and use Supabase JWTs directly using HS256 and the provided secret.
 
-To implement either Supabase Auth or Anonymous Sign-Ins, enable the "Use Supabase Auth" setting on the PowerSync instance. (This is also [covered in the Supabase & PowerSync integration guide](/integration-guides/supabase-+-powersync#configuring-powersync))
+Enabling Supabase Auth is also [covered in the Supabase & PowerSync integration guide](/integration-guides/supabase-+-powersync#configuring-powersync).
 
-Internally, Supabase auth signs the token using HS256, using a secret available as `current_setting('app.settings.jwt_secret')` on the database.
+To rotate the secret, generate a new secret in the your Supabase project's API Settings:
 
-To rotate the secret, generate a new secret in the Supabase project settings. The new secret will be automatically picked up by PowerSync within 5 minutes. In this period, some authentication failures are expected.
+<Frame>
+   <img src="/images/authentication/supabase-jwt-secret.png"/>
+</Frame>
 
-The Supabase user UUID will be available as `token_parameters.user_id`. To use a different identifier as the user ID in sync rules (for example user email), use [Custom authentication](/installation/authentication-setup/custom).
+The Supabase user UUID will be available as `request.user_id()` in Sync Rules. To use a different identifier as the user ID in sync rules (for example user email), use [Custom authentication](/installation/authentication-setup/custom).

self-hosting/appendix/database-connection.mdx

@@ -8,33 +8,34 @@ Below, you can find provider-specific instructions to obtain connection details
 
 <AccordionGroup>
   <Accordion title="Supabase">
-1. In your Supabase dashboard, navigate to **"Project Settings"** \-> **"Database" -> "Connection string**" and select the "URI" tab.
-2. Uncheck the "**Display connection pooler**" checkbox. PowerSync needs to connect to the database directly and cannot use the pooler.
-
-<Frame>
-  <img src="/images/self-hosting-3.avif"/>
-</Frame>
-1. Copy the connection string. The hostname should be `db.<PROJECT-ID>.supabase.co`, and not, for example, `aws-0-us-west-1.pooler.supabase.com`.
-2. Paste this URI into the `uri` field under `replication` \> `connections` in your configuration file, for example:
-
-```yaml
-# config.yaml
-
-replication:
-  connections:
-    - type: postgresql
-      uri: postgresql://postgres:[YOUR-PASSWORD]@db.abc.supabase.co:5432/postgres
-```
-
-1. Replace `[YOUR-PASSWORD]` with the password for the `postgres` user in your Supabase database.
-   * Supabase also [refers to this password](https://supabase.com/docs/guides/database/managing-passwords) as the _database password_ or _project password_.
-2. PowerSync has the Supabase CA certificate pre-configured — `verify-full` SSL mode can be used directly, without any custom certificates.
-3. Under `client_auth` enable Supabase Auth:
-
-```yaml
-client_auth:
-  supabase: true
-```
+    1. In your Supabase dashboard, navigate to **"Project Settings"** \-> **"Database" -> "Connection string**" and select the "URI" tab.
+    2. Uncheck the "**Display connection pooler**" checkbox. PowerSync needs to connect to the database directly and cannot use the pooler.
+    <Frame>
+      <img src="/images/self-hosting-3.avif"/>
+    </Frame>
+    3. Copy the connection string. The hostname should be `db.<PROJECT-ID>.supabase.co`, and not, for example, `aws-0-us-west-1.pooler.supabase.com`.
+    4. Paste this URI into the `uri` field under `replication` \> `connections` in your configuration file, for example:
+
+    ```yaml
+    # config.yaml
+
+    replication:
+      connections:
+        - type: postgresql
+          uri: postgresql://postgres:[YOUR-PASSWORD]@db.abc.supabase.co:5432/postgres
+    ```
+
+    5. Replace `[YOUR-PASSWORD]` with the password for the `postgres` user in your Supabase database.
+      * Supabase also [refers to this password](https://supabase.com/docs/guides/database/managing-passwords) as the _database password_ or _project password_.
+    6. PowerSync has the Supabase CA certificate pre-configured — `verify-full` SSL mode can be used directly, without any custom certificates.
+    7. Under `client_auth` enable Supabase Authentication:
+
+    ```yaml
+    client_auth:
+      supabase: true
+      supabase_jwt_secret: [secret]
+    ```
+    For more details, see [Supabase Auth](/installation/authentication-setup/supabase-auth).
   </Accordion>
   <Accordion title="AWS RDS">
 Add your connection details under `replication` \> `connections` in your configuration file.

self-hosting/installation/client-side-setup.mdx

@@ -97,14 +97,15 @@ If you are using Supabase or Firebase authentication, PowerSync can verify JWTs
 
 ### Supabase Auth
 
-Under `client_auth` in your config file, enable `supabase` authentication:
+Under `client_auth` in your config file, enable Supabase authentication:
 
 ```yaml
 # config.yaml
 
 client_auth:
   # Enable this if using Supabase Auth
   supabase: true
+  supabase_jwt_secret: [secret]
 ```
 
 For more details, see [Supabase Auth](/installation/authentication-setup/supabase-auth).

self-hosting/installation/powersync-service-setup.mdx

@@ -113,6 +113,7 @@ sync_rules:
 client_auth:
   # Enable this if using Supabase Auth
   # supabase: true
+  # supabase_jwt_secret: [secret]
 
   # JWKS URIs can be specified here.
   jwks_uri: http://demo-backend:6060/api/auth/keys

snippets/create-cloud-instance.mdx

@@ -1,7 +1,7 @@
 1. In the [PowerSync Dashboard](/usage/tools/powersync-dashboard) Project tree, click on "**Create new instance**":
 
 <Frame>
-  <img src="/images/integration-2.png" width="60%" />
+  <img src="/images/installation/create-new-instance.png" width="60%" />
 </Frame>
 
 2. Give your instance a name, such as "Testing".

snippets/supabase-database-connection.mdx

@@ -11,14 +11,10 @@
      * Supabase also [refers to this password](https://supabase.com/docs/guides/database/managing-passwords) as the _database password_ or _project password_.
    * PowerSync has the Supabase CA certificate pre-configured — `verify-full` SSL mode can be used directly, without any custom certificates.
 2. Click **"Test Connection"** and fix any errors.
-3. Under the **"Client Auth"** tab, enable **"Use Supabase Auth"**:
-  <Frame caption="PowerSync fetches the Supabase JWT key directly from the database.">
-    <img src="/images/integration-4.png"/>
-  </Frame>
+3. Under the **"Client Auth"** tab, enable **"Use Supabase Auth"** and enter your Supabase **JWT Secret**:
+    <Frame caption="PowerSync uses the secret to verify Supabase's JWTs.">
+      <img src="/images/authentication/use-supabase-auth.png"/>
+    </Frame>
 4. Click **"Save".**
 
-<Note>
-The "Supabase Auth" setting no longer works for Supabase projects created after 25 November 2024. While we are working with Supabase on a fix, please apply this workaround: https://releases.powersync.com/announcements/important-notice-for-supabase-users-using-supabase-jwts
-</Note>
-
 PowerSync deploys and configures an isolated cloud environment for you, which will take a few minutes to complete.