feature: auth agent references

[Rodriguespn]

Summary

Adds 15 authentication reference files covering the complete auth lifecycle:

• Core (auth-core-*): Sign-up, sign-in, and session management with onAuthStateChange and token refresh
• OAuth (auth-oauth-*): Provider setup (Google, GitHub, Apple, Azure) and PKCE flow for SPAs/SSR
• MFA (auth-mfa-*): TOTP authenticator apps with AAL1/AAL2 and phone verification via Twilio/MessageBird
• Passwordless (auth-passwordless-*): Magic links and email/phone OTP
• Hooks (auth-hooks-*): Custom JWT claims for RBAC/multi-tenancy and custom email/SMS hooks
• Server-side (auth-server-*): SSR patterns for Next.js, SvelteKit, Nuxt and admin API with service role
• SSO (auth-sso-*): SAML 2.0 setup and attribute mapping

Each reference includes quick-start examples, incorrect/correct patterns, and security best practices. Also updates SKILL.md, AGENTS.md, and _sections.md with the new Authentication section.

[Rodriguespn]

Hey Auth team, I've gave this another look by comparing the information from the reference files and our documentation. Below is the changelog report with the changes for each file and the sources I used for each one

---

auth-hooks-send-email.md — Corrected magic_link to magiclink (no underscore), switched to npm:resend instead of Resend API directly, and split into two separate files for SQL and HTTP hook setup.

• https://supabase.com/docs/guides/auth/auth-hooks/send-email-hook
• https://supabase.com/docs/guides/auth/auth-hooks

auth-server-ssr.md — Replaced getUser() with getClaims() in middleware (docs now require it) and renamed middleware pattern from middleware.ts to proxy.ts.

• https://supabase.com/docs/guides/auth/server-side/creating-a-client

auth-core-sessions.md — Fixed misleading INITIAL_SESSION event description, added getClaims() as preferred validation method, removed unverifiable deprecation claim about symmetric JWTs, removed incorrect Dashboard paths.

• https://supabase.com/docs/reference/javascript/auth-onauthstatechange
• https://supabase.com/docs/guides/auth/server-side/creating-a-client

auth-core-signin.md — Documented that email change double confirmation depends on "Secure Email Change" setting.

• https://supabase.com/docs/guides/auth/auth-hooks/send-email-hook

auth-core-signup.md — Fixed "fail silently" → redirects to Site URL, added warning that trigger failures block sign-ups.

• https://supabase.com/docs/guides/auth/managing-user-data
• https://supabase.com/docs/guides/auth/redirect-urls

auth-hooks-custom-claims.md — Added supabase_auth_admin table permissions for user_roles, documented authentication_method input field with all valid values.

• https://supabase.com/docs/guides/database/postgres/custom-claims-and-role-based-access-control-rbac
• https://supabase.com/docs/guides/auth/auth-hooks/custom-access-token-hook

auth-mfa-phone.md — Fixed "SMS sent automatically" → challenge() is required, replaced hardcoded pricing with docs link, noted MFA phone config is shared with phone login.

• https://supabase.com/docs/guides/auth/auth-mfa/phone#add-enrollment-flow
• https://supabase.com/docs/guides/platform/manage-your-usage/advanced-mfa-phone

auth-mfa-totp.md — RLS policy now uses (select auth.uid()) for performance.

• https://supabase.com/docs/guides/auth/auth-mfa#enforce-only-for-users-that-have-opted-in

auth-oauth-pkce.md — Awaited cookies() for Next.js 15+, renamed ANON_KEY → PUBLISHABLE_KEY, rewrote Common Mistake #1, fixed broken docs URL.

• https://supabase.com/docs/guides/auth/server-side/creating-a-client
• https://supabase.com/docs/guides/auth/sessions/pkce-flow

auth-oauth-providers.md — Azure scopes corrected to just email, provider tokens via onAuthStateChange instead of getSession(), expanded Apple setup with 6-month key rotation warning, noted linkIdentity() is beta.

• https://supabase.com/docs/guides/auth/social-login/auth-azure
• https://supabase.com/docs/guides/auth/social-login/auth-apple
• https://supabase.com/docs/guides/auth/auth-identity-linking

auth-passwordless-magic-links.md — Template uses {{ .RedirectTo }} instead of {{ .SiteURL }}, added complete template variables list.

• https://supabase.com/docs/guides/auth/redirect-urls#email-templates-when-using-redirectto
• https://supabase.com/docs/guides/auth/auth-email-templates#terminology

auth-passwordless-otp.md — Removed hardcoded "expires in 1 hour", added WhatsApp channel option, added 60-second verification window note.

• https://supabase.com/docs/reference/javascript/auth-signinwithotp
• https://supabase.com/docs/guides/auth/phone-login#signing-in-with-phone-otp

auth-server-admin-api.md — Added note about key model transition (anon/service_role → sb_publishable/sb_secret).

• https://supabase.com/docs/guides/api/api-keys

auth-server-ssr.md — Updated ANON_KEY → PUBLISHABLE_KEY across all examples, SvelteKit switched to import.meta.env, added getClaims() mention in Server Component.

• https://supabase.com/docs/guides/auth/server-side/creating-a-client

auth-sso-saml.md — Added SAML 2.0 enable prerequisite, updated pricing to note 50 included MAUs, added MFA amr array caveat.

• https://supabase.com/docs/guides/auth/enterprise-sso/auth-sso-saml#prerequisites
• https://supabase.com/docs/guides/platform/manage-your-usage/monthly-active-users-sso

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (2)

• !master
• !main

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/auth-agent-references

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}