You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: polish readme, update example.env, and gitignore (#2173)
## What kind of change does this PR introduce?
Docs update / configuration cleanup
## What is the current behavior?
* README contained inconsistent wording, capitalization, and formatting.
* `example.env` provider sections weren’t fully normalized (e.g., brand
naming).
* `.idea` IDE files were not ignored, risking accidental commits.
## What is the new behavior?
* README polished for clarity and consistency (terminology, grammar,
branding).
* `example.env` updated with cleaner provider sections and improved
comments (e.g., explicit **Twitter (X)** naming).
* `.gitignore` updated to exclude `.idea` directories.
* Inherited features section: updated the outdated note on JWT signing.
It now reflects current Supabase Auth behavior: asymmetric signing keys
(RS256 by default, ECC/Ed25519 optional) are supported and recommended,
while HS256 remains for compatibility.
## Additional context
This PR improves documentation and developer ergonomics only. Read
through the readme because I wanted to contribute to the project and
just updated everything that didn't look right. No functional or runtime
changes.
---------
Co-authored-by: Chris Stockton <180184+cstockton@users.noreply.github.com>
ECC/Ed25519 optional). HS256 is still supported for compatibility, but
150
+
migrating to asymmetric keys is recommended for easier validation and
151
+
rotation. Future deprecations will be announced in the changelog. See the
152
+
[JWT Signing Keys](https://supabase.com/docs/guides/auth/signing-keys) and
153
+
[JWTs guide](https://supabase.com/docs/guides/auth/jwts) for details.
151
154
152
155
Note that this is not an exhaustive list and it may change.
153
156
@@ -158,7 +161,7 @@ compatibility with Auth:
158
161
159
162
1. Do not modify the schema managed by Auth. You can see all of the
160
163
migrations in the `migrations` directory.
161
-
2. Do not rely on schema and structure of data in the database. Always use
164
+
2. Do not rely on the schema and the structure of data in the database. Always use
162
165
Auth APIs and JWTs to infer information about users.
163
166
3. Always run Auth behind a TLS-capable proxy such as a load balancer, CDN,
164
167
nginx or other similar software.
@@ -180,7 +183,7 @@ The base URL your site is located at. Currently used in combination with other s
180
183
181
184
`URI_ALLOW_LIST` - `string`
182
185
183
-
A commaseparated list of URIs (e.g. `"https://foo.example.com,https://*.foo.example.com,https://bar.example.com"`) which are permitted as valid `redirect_to` destinations. Defaults to []. Supports wildcard matching through globbing. e.g. `https://*.foo.example.com` will allow `https://a.foo.example.com` and `https://b.foo.example.com` to be accepted. Globbing is also supported on subdomains. e.g. `https://foo.example.com/*` will allow `https://foo.example.com/page1` and `https://foo.example.com/page2` to be accepted.
186
+
A comma-separated list of URIs (e.g. `"https://foo.example.com,https://*.foo.example.com,https://bar.example.com"`) which are permitted as valid `redirect_to` destinations. Defaults to []. Supports wildcard matching through globbing. e.g. `https://*.foo.example.com` will allow `https://a.foo.example.com` and `https://b.foo.example.com` to be accepted. Globbing is also supported on subdomains. e.g. `https://foo.example.com/*` will allow `https://foo.example.com/page1` and `https://foo.example.com/page2` to be accepted.
184
187
185
188
For more common glob patterns, check out the [following link](https://pkg.go.dev/github.com/gobwas/glob#Compile).
186
189
@@ -195,19 +198,19 @@ When signup is disabled the only way to create new users is through invites. Def
195
198
196
199
`GOTRUE_EXTERNAL_EMAIL_ENABLED` - `bool`
197
200
198
-
Use this to disable email signups (users can still use external oauth providers to sign up / sign in)
201
+
Use this to disable email signups (users can still use external OAuth providers to sign up / sign in)
199
202
200
203
`GOTRUE_EXTERNAL_PHONE_ENABLED` - `bool`
201
204
202
-
Use this to disable phone signups (users can still use external oauth providers to sign up / sign in)
205
+
Use this to disable phone signups (users can still use external OAuth providers to sign up / sign in)
203
206
204
207
`GOTRUE_RATE_LIMIT_HEADER` - `string`
205
208
206
209
Header on which to rate limit the `/token` endpoint.
207
210
208
211
`GOTRUE_RATE_LIMIT_EMAIL_SENT` - `string`
209
212
210
-
Rate limit the number of emails sent per hr on the following endpoints: `/signup`, `/invite`, `/magiclink`, `/recover`, `/otp`, & `/user`.
213
+
Rate limit the number of emails sent per hour on the following endpoints: `/signup`, `/invite`, `/magiclink`, `/recover`, `/otp`, & `/user`.
211
214
212
215
`GOTRUE_PASSWORD_MIN_LENGTH` - `int`
213
216
@@ -217,7 +220,7 @@ Minimum password length, defaults to 6.
If refresh token rotation is enabled, auth will automatically detect malicious attempts to reuse a revoked refresh token. When a malicious attempt is detected, gotrue immediately revokes all tokens that descended from the offending token.
223
+
If refresh token rotation is enabled, auth will automatically detect malicious attempts to reuse a revoked refresh token. When a malicious attempt is detected, GoTrue immediately revokes all tokens that descended from the offending token.
@@ -247,7 +250,7 @@ Controls what endpoint Netlify can access this API on.
247
250
248
251
`API_EXTERNAL_URL` - `string`**required**
249
252
250
-
The URL on which Gotrue might be accessed at.
253
+
The URL on which GoTrue might be accessed at.
251
254
252
255
`REQUEST_ID_HEADER` - `string`
253
256
@@ -307,7 +310,7 @@ Auth has basic observability built in. It is able to export
307
310
308
311
To enable tracing configure these variables:
309
312
310
-
`GOTRUE_TRACING_ENABLED` - `boolean`
313
+
`GOTRUE_TRACING_ENABLED` - `bool`
311
314
312
315
`GOTRUE_TRACING_EXPORTER` - `string` only `opentelemetry` supported
313
316
@@ -498,7 +501,7 @@ To try out external authentication with Apple locally, you will need to do the f
498
501
3. Generate the crt and key file. See [here](https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/) for more information.
499
502
4. Generate the `GOTRUE_EXTERNAL_APPLE_SECRET` by following this [post](https://medium.com/identity-beyond-borders/how-to-configure-sign-in-with-apple-77c61e336003)!
500
503
501
-
### E-Mail
504
+
### Email
502
505
503
506
Sending email is not required, but highly recommended for password recovery.
504
507
If enabled, you must provide the required values below.
@@ -546,7 +549,7 @@ If you do not require email confirmation, you may set this to `true`. Defaults t
546
549
547
550
`MAILER_OTP_EXP` - `number`
548
551
549
-
Controls the duration an email link or otp is valid for.
552
+
Controls the duration an email link or OTP is valid for.
550
553
551
554
`MAILER_URLPATHS_INVITE` - `string`
552
555
@@ -831,15 +834,15 @@ If you do not require phone confirmation, you may set this to `true`. Defaults t
831
834
832
835
`SMS_MAX_FREQUENCY` - `number`
833
836
834
-
Controls the minimum amount of time that must pass before sending another sms otp. The value is the number of seconds. Defaults to 60 (1 minute)).
837
+
Controls the minimum amount of time that must pass before sending another SMS OTP. The value is the number of seconds. Defaults to 60 (1 minute).
835
838
836
839
`SMS_OTP_EXP` - `number`
837
840
838
-
Controls the duration an sms otp is valid for.
841
+
Controls the duration an SMS OTP is valid for.
839
842
840
843
`SMS_OTP_LENGTH` - `number`
841
844
842
-
Controls the number of digits of the sms otp sent.
845
+
Controls the number of digits of the SMS OTP sent.
843
846
844
847
`SMS_PROVIDER` - `string`
845
848
@@ -866,7 +869,7 @@ Whether captcha middleware is enabled
866
869
867
870
`SECURITY_CAPTCHA_PROVIDER` - `string`
868
871
869
-
for now the only options supported are: `hcaptcha` and `turnstile`
872
+
for now the only options supported are: hCaptcha and Turnstile
870
873
871
874
-`SECURITY_CAPTCHA_SECRET` - `string`
872
875
-`SECURITY_CAPTCHA_TIMEOUT` - `string`
@@ -1121,7 +1124,7 @@ Returns:
1121
1124
}
1122
1125
```
1123
1126
1124
-
Verify a phone signup or sms otp. Type should be set to `sms`.
1127
+
Verify a phone signup or SMS OTP. Type should be set to `sms`.
1125
1128
1126
1129
```json
1127
1130
{
@@ -1171,7 +1174,7 @@ or show an account confirmed/welcome message in the case of `signup`, or direct
1171
1174
1172
1175
### **POST /otp**
1173
1176
1174
-
One-Time-Password. Will deliver a magiclink or sms otp to the user depending on whether the request body contains an "email" or "phone" key.
1177
+
One-Time-Password. Will deliver a magic link or SMS OTP to the user depending on whether the request body contains an "email" or "phone" key.
1175
1178
1176
1179
If `"create_user": true`, user will not be automatically signed up if the user doesn't exist.
1177
1180
@@ -1217,7 +1220,7 @@ Returns:
1217
1220
{}
1218
1221
```
1219
1222
1220
-
when clicked the magic link will redirect the user to `<SITE_URL>#access_token=x&refresh_token=y&expires_in=z&token_type=bearer&type=magiclink` (see `/verify` above)
1223
+
When the magic link is clicked, it will redirect to `<SITE_URL>#access_token=x&refresh_token=y&expires_in=z&token_type=bearer&type=magiclink` (see `/verify` above)
1221
1224
1222
1225
### **POST /recover**
1223
1226
@@ -1314,7 +1317,7 @@ Returns:
1314
1317
### **PUT /user**
1315
1318
1316
1319
Update a user (Requires authentication). Apart from changing email/password, this
1317
-
method can be used to set custom user data. Changing the email will result in a magiclink being sent out.
1320
+
method can be used to set custom user data. Changing the email will result in a magic link being sent out.
1318
1321
1319
1322
```json
1320
1323
{
@@ -1367,7 +1370,7 @@ headers: {
1367
1370
Logout a user (Requires authentication).
1368
1371
1369
1372
This will revoke all refresh tokens for the user. Remember that the JWT tokens
1370
-
will still be valid for stateless auth until they expires.
1373
+
will still be valid for stateless auth until they expire.
1371
1374
1372
1375
### **GET /authorize**
1373
1376
@@ -1383,11 +1386,11 @@ scopes=<optional additional scopes depending on the provider (email and name are
1383
1386
1384
1387
Redirects to provider and then to `/callback`
1385
1388
1386
-
For apple specific setup see: <https://github.com/supabase/auth#apple-oauth>
1389
+
For Apple-specific setup see: <https://github.com/supabase/auth#apple-oauth>
1387
1390
1388
1391
### **GET /callback**
1389
1392
1390
-
External provider should redirect to here
1393
+
External provider should redirect to this endpoint
1391
1394
1392
1395
Redirects to `<GOTRUE_SITE_URL>#access_token=<access_token>&refresh_token=<refresh_token>&provider_token=<provider_oauth_token>&expires_in=3600&provider=<provider_name>`
1393
1396
If additional scopes were requested then `provider_token` will be populated, you can use this to fetch additional data from the provider or interact with their services
0 commit comments