diff --git a/.github/workflows/mirror-image.yml b/.github/workflows/mirror-image.yml
index 9423799ce..d55881de5 100644
--- a/.github/workflows/mirror-image.yml
+++ b/.github/workflows/mirror-image.yml
@@ -29,7 +29,7 @@ jobs:
           TAG=${{ inputs.image }}
           echo "image=${TAG##*/}" >> $GITHUB_OUTPUT
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v5.0.0
+        uses: aws-actions/configure-aws-credentials@v5.1.0
         with:
           role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
           aws-region: us-east-1
diff --git a/cmd/login.go b/cmd/login.go
index ca9aea666..d1d4086fd 100644
--- a/cmd/login.go
+++ b/cmd/login.go
@@ -6,6 +6,7 @@ import (
 	"github.com/go-errors/errors"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 	"github.com/supabase/cli/internal/login"
 	"github.com/supabase/cli/internal/utils"
 	"golang.org/x/term"
@@ -38,6 +39,13 @@ var (
 			}
 			return login.Run(cmd.Context(), os.Stdout, params)
 		},
+		PostRunE: func(cmd *cobra.Command, args []string) error {
+			if prof := viper.GetString("PROFILE"); viper.IsSet("PROFILE") {
+				// Failure to save should block subsequent commands on CI
+				return utils.WriteFile(utils.ProfilePath, []byte(prof), afero.NewOsFs())
+			}
+			return nil
+		},
 	}
 )
 
diff --git a/cmd/root.go b/cmd/root.go
index db1cfabbc..8329cd86c 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -120,6 +120,7 @@ var (
 			if viper.GetBool("DEBUG") {
 				http.DefaultTransport = debug.NewTransport()
 				fmt.Fprintln(os.Stderr, cmd.Root().Short)
+				fmt.Fprintf(os.Stderr, "Using profile: %s (%s)\n", utils.CurrentProfile.Name, utils.CurrentProfile.ProjectHost)
 			}
 			cmd.SetContext(ctx)
 			// Setup sentry last to ignore errors from parsing cli flags
diff --git a/go.mod b/go.mod
index b1aae5c68..c142207f5 100644
--- a/go.mod
+++ b/go.mod
@@ -13,14 +13,15 @@ require (
 	github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834
 	github.com/containerd/errdefs v1.0.0
 	github.com/containers/common v0.64.2
-	github.com/docker/cli v28.4.0+incompatible
-	github.com/docker/docker v28.4.0+incompatible
+	github.com/docker/cli v28.5.0+incompatible
+	github.com/docker/docker v28.5.0+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/getsentry/sentry-go v0.35.3
 	github.com/go-errors/errors v1.5.1
-	github.com/go-git/go-git/v5 v5.16.2
-	github.com/go-playground/validator/v10 v10.27.0
+	github.com/go-git/go-git/v5 v5.16.3
+	github.com/go-playground/validator/v10 v10.28.0
+	github.com/go-viper/mapstructure/v2 v2.4.0
 	github.com/go-xmlfmt/xmlfmt v1.1.3
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/go-github/v62 v62.0.0
@@ -51,7 +52,7 @@ require (
 	golang.org/x/net v0.44.0
 	golang.org/x/oauth2 v0.31.0
 	golang.org/x/term v0.35.0
-	google.golang.org/grpc v1.75.1
+	google.golang.org/grpc v1.76.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -134,7 +135,7 @@ require (
 	github.com/firefart/nonamedreturns v1.0.6 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/fzipp/gocyclo v0.6.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
 	github.com/getkin/kin-openapi v0.131.0 // indirect
 	github.com/ghostiam/protogetter v0.3.15 // indirect
 	github.com/go-critic/go-critic v0.13.0 // indirect
@@ -153,7 +154,6 @@ require (
 	github.com/go-toolsmith/astp v1.1.0 // indirect
 	github.com/go-toolsmith/strparse v1.1.0 // indirect
 	github.com/go-toolsmith/typep v1.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
@@ -345,8 +345,8 @@ require (
 	golang.org/x/tools v0.36.0 // indirect
 	golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
 	golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 718c44908..4a150c8c2 100644
--- a/go.sum
+++ b/go.sum
@@ -237,13 +237,13 @@ github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZ
 github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dnephin/pflag v1.0.7 h1:oxONGlWxhmUct0YzKTgrpQv9AUA1wtPBn7zuSjJqptk=
 github.com/dnephin/pflag v1.0.7/go.mod h1:uxE91IoWURlOiTUIA8Mq5ZZkAv3dPUfZNaT80Zm7OQE=
-github.com/docker/cli v28.4.0+incompatible h1:RBcf3Kjw2pMtwui5V0DIMdyeab8glEw5QY0UUU4C9kY=
-github.com/docker/cli v28.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v28.5.0+incompatible h1:crVqLrtKsrhC9c00ythRx435H8LiQnUKRtJLRR+Auxk=
+github.com/docker/cli v28.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v28.4.0+incompatible h1:KVC7bz5zJY/4AZe/78BIvCnPsLaC9T/zh72xnlrTTOk=
-github.com/docker/docker v28.4.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.5.0+incompatible h1:ZdSQoRUE9XxhFI/B8YLvhnEFMmYN9Pp8Egd2qcaFk1E=
+github.com/docker/docker v28.5.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
 github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
@@ -296,8 +296,8 @@ github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQ
 github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
 github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo=
 github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA=
-github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
-github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
+github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/getkin/kin-openapi v0.131.0 h1:NO2UeHnFKRYhZ8wg6Nyh5Cq7dHk4suQQr72a4pMrDxE=
 github.com/getkin/kin-openapi v0.131.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58=
 github.com/getsentry/sentry-go v0.35.3 h1:u5IJaEqZyPdWqe/hKlBKBBnMTSxB/HenCqF3QLabeds=
@@ -316,8 +316,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
-github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-git/go-git/v5 v5.16.3 h1:Z8BtvxZ09bYm/yYNgPKCzgWtaRqDTgIKRgIRHBfU6Z8=
+github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -342,8 +342,8 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
-github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
+github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-sql-driver/mysql v1.3.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
@@ -1472,10 +1472,10 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 h1:FiusG7LWj+4byqhbvmB+Q93B/mOxJLN2DTozDuZm4EU=
-google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:kXqgZtrWaf6qS3jZOCnCH7WYfrvFjkC51bM8fz3RsCA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b h1:ULiyYQ0FdsJhwwZUwbaXpZF5yUE3h+RA+gxvBu37ucc=
+google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:oDOGiMSXHL4sDTJvFvIB9nRQCGdLP1o/iVaqQK8zB+M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b h1:zPKJod4w6F1+nRGDI9ubnXYhU9NSWoFAijkHkUXeTK8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.0.5/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -1489,8 +1489,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI=
-google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
diff --git a/internal/db/start/start.go b/internal/db/start/start.go
index 7febc9294..344227040 100644
--- a/internal/db/start/start.go
+++ b/internal/db/start/start.go
@@ -272,7 +272,7 @@ func InitSchema14(ctx context.Context, conn *pgx.Conn) error {
 	return file.ExecBatch(ctx, conn)
 }
 
-func initRealtimeJob(host string) utils.DockerJob {
+func initRealtimeJob(host, jwks string) utils.DockerJob {
 	return utils.DockerJob{
 		Image: utils.Config.Realtime.Image,
 		Env: []string{
@@ -284,6 +284,7 @@ func initRealtimeJob(host string) utils.DockerJob {
 			"DB_NAME=postgres",
 			"DB_AFTER_CONNECT_QUERY=SET search_path TO _realtime",
 			"DB_ENC_KEY=" + utils.Config.Realtime.EncryptionKey,
+			fmt.Sprintf("API_JWT_JWKS=%s", jwks),
 			"API_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 			"METRICS_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 			"APP_NAME=realtime",
@@ -341,7 +342,11 @@ func initSchema15(ctx context.Context, host string) error {
 	// Apply service migrations
 	var initJobs []utils.DockerJob
 	if utils.Config.Realtime.Enabled {
-		initJobs = append(initJobs, initRealtimeJob(host))
+		jwks, err := utils.Config.Auth.ResolveJWKS(context.Background())
+		if err != nil {
+			return err
+		}
+		initJobs = append(initJobs, initRealtimeJob(host, jwks))
 	}
 	if utils.Config.Storage.Enabled {
 		initJobs = append(initJobs, initStorageJob(host))
diff --git a/internal/start/start.go b/internal/start/start.go
index f0fa76e75..c1a57293f 100644
--- a/internal/start/start.go
+++ b/internal/start/start.go
@@ -87,6 +87,7 @@ type kongConfig struct {
 	ApiHost       string
 	ApiPort       uint16
 	BearerToken   string
+	QueryToken    string
 }
 
 var (
@@ -145,7 +146,7 @@ func run(ctx context.Context, fsys afero.Fs, excludedContainers []string, dbConf
 		excluded[name] = true
 	}
 
-	jwks, err := utils.Config.Auth.ResolveJWKS(ctx, fsys)
+	jwks, err := utils.Config.Auth.ResolveJWKS(ctx)
 	if err != nil {
 		return err
 	}
@@ -362,6 +363,13 @@ EOF
 				utils.Config.Auth.PublishableKey.Value,
 				utils.Config.Auth.AnonKey.Value,
 			),
+			QueryToken: fmt.Sprintf(
+				`$((function() return (query_params.apikey == '%s' and '%s') or (query_params.apikey == '%s' and '%s') or query_params.apikey end)())`,
+				utils.Config.Auth.SecretKey.Value,
+				utils.Config.Auth.ServiceRoleKey.Value,
+				utils.Config.Auth.PublishableKey.Value,
+				utils.Config.Auth.AnonKey.Value,
+			),
 		}); err != nil {
 			return errors.Errorf("failed to exec template: %w", err)
 		}
@@ -685,6 +693,7 @@ EOF
 				fmt.Sprintf("GOTRUE_EXTERNAL_%s_CLIENT_ID=%s", strings.ToUpper(name), config.ClientId),
 				fmt.Sprintf("GOTRUE_EXTERNAL_%s_SECRET=%s", strings.ToUpper(name), config.Secret.Value),
 				fmt.Sprintf("GOTRUE_EXTERNAL_%s_SKIP_NONCE_CHECK=%t", strings.ToUpper(name), config.SkipNonceCheck),
+				fmt.Sprintf("GOTRUE_EXTERNAL_%s_EMAIL_OPTIONAL=%t", strings.ToUpper(name), config.EmailOptional),
 			)
 
 			redirectUri := config.RedirectUri
diff --git a/internal/start/templates/kong.yml b/internal/start/templates/kong.yml
index d722139af..21489ce08 100644
--- a/internal/start/templates/kong.yml
+++ b/internal/start/templates/kong.yml
@@ -45,6 +45,16 @@ services:
           replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
+  - name: well-known-oauth
+    _comment: "GoTrue: /.well-known/oauth-authorization-server -> http://auth:9999/.well-known/oauth-authorization-server"
+    url: http://{{ .GotrueId }}:9999/.well-known/oauth-authorization-server
+    routes:
+      - name: well-known-oauth
+        strip_path: true
+        paths:
+          - /.well-known/oauth-authorization-server
+    plugins:
+      - name: cors
   - name: auth-v1
     _comment: "GoTrue: /auth/v1/* -> http://auth:9999/*"
     url: http://{{ .GotrueId }}:9999/
@@ -122,9 +132,9 @@ services:
       - name: request-transformer
         config:
           replace:
-            headers:
-              - "Authorization: {{ .BearerToken }}"
-  - name: realtime-v1-longpoll
+            querystring:
+              - "apikey:{{ .QueryToken }}"
+  - name: realtime-v1-longpoll-not-working
     _comment: "Realtime: /realtime/v1/* -> ws://realtime:4000/socket/longpoll"
     url: http://{{ .RealtimeId }}:4000/socket
     protocol: http
diff --git a/internal/utils/misc.go b/internal/utils/misc.go
index 80fb13b27..84d65eaeb 100644
--- a/internal/utils/misc.go
+++ b/internal/utils/misc.go
@@ -74,6 +74,7 @@ var (
 	PoolerVersionPath     = filepath.Join(TempDir, "pooler-version")
 	RealtimeVersionPath   = filepath.Join(TempDir, "realtime-version")
 	CliVersionPath        = filepath.Join(TempDir, "cli-latest")
+	ProfilePath           = filepath.Join(TempDir, "profile")
 	CurrBranchPath        = filepath.Join(SupabaseDirPath, ".branches", "_current_branch")
 	SchemasDir            = filepath.Join(SupabaseDirPath, "schemas")
 	MigrationsDir         = filepath.Join(SupabaseDirPath, "migrations")
diff --git a/internal/utils/profile.go b/internal/utils/profile.go
index 53da75858..d05d493f3 100644
--- a/internal/utils/profile.go
+++ b/internal/utils/profile.go
@@ -43,10 +43,9 @@ var allProfiles = []Profile{{
 var CurrentProfile Profile
 
 func LoadProfile(ctx context.Context, fsys afero.Fs) error {
-	prof := viper.GetString("PROFILE")
+	prof := getProfileName(fsys)
 	for _, p := range allProfiles {
 		if strings.EqualFold(p.Name, prof) {
-			fmt.Fprintln(GetDebugLogger(), "Using project host:", p.ProjectHost)
 			CurrentProfile = p
 			return nil
 		}
@@ -68,3 +67,17 @@ func LoadProfile(ctx context.Context, fsys afero.Fs) error {
 	}
 	return nil
 }
+
+func getProfileName(fsys afero.Fs) string {
+	debuglogger := GetDebugLogger()
+	if prof := viper.GetString("PROFILE"); viper.IsSet("PROFILE") {
+		fmt.Fprintln(debuglogger, "Loading profile from flag:", prof)
+		return prof
+	} else if content, err := afero.ReadFile(fsys, ProfilePath); err == nil {
+		fmt.Fprintln(debuglogger, "Loading profile from file:", ProfilePath)
+		return string(content)
+	} else {
+		fmt.Fprintln(debuglogger, err)
+		return prof
+	}
+}
diff --git a/pkg/config/auth.go b/pkg/config/auth.go
index 053c8296c..c8f017a5c 100644
--- a/pkg/config/auth.go
+++ b/pkg/config/auth.go
@@ -354,6 +354,7 @@ type (
 		Url            string `toml:"url"`
 		RedirectUri    string `toml:"redirect_uri"`
 		SkipNonceCheck bool   `toml:"skip_nonce_check"`
+		EmailOptional  bool   `toml:"email_optional"`
 	}
 
 	solana struct {
@@ -952,6 +953,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalAppleSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalAppleEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["azure"]; ok {
@@ -961,6 +963,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 				body.ExternalAzureSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
 			body.ExternalAzureUrl = nullable.NewNullableWithValue(p.Url)
+			body.ExternalAzureEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["bitbucket"]; ok {
@@ -969,6 +972,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalBitbucketSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalBitbucketEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["discord"]; ok {
@@ -977,6 +981,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalDiscordSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalDiscordEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["facebook"]; ok {
@@ -985,6 +990,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalFacebookSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalFacebookEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["figma"]; ok {
@@ -993,6 +999,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalFigmaSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalFigmaEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["github"]; ok {
@@ -1001,6 +1008,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalGithubSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalGithubEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["gitlab"]; ok {
@@ -1010,6 +1018,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 				body.ExternalGitlabSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
 			body.ExternalGitlabUrl = nullable.NewNullableWithValue(p.Url)
+			body.ExternalGitlabEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["google"]; ok {
@@ -1019,6 +1028,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 				body.ExternalGoogleSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
 			body.ExternalGoogleSkipNonceCheck = nullable.NewNullableWithValue(p.SkipNonceCheck)
+			body.ExternalGoogleEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["kakao"]; ok {
@@ -1027,6 +1037,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalKakaoSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalKakaoEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["keycloak"]; ok {
@@ -1036,6 +1047,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 				body.ExternalKeycloakSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
 			body.ExternalKeycloakUrl = nullable.NewNullableWithValue(p.Url)
+			body.ExternalKeycloakEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["linkedin_oidc"]; ok {
@@ -1044,6 +1056,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalLinkedinOidcSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalLinkedinOidcEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["notion"]; ok {
@@ -1052,6 +1065,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalNotionSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalNotionEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["slack_oidc"]; ok {
@@ -1060,6 +1074,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalSlackOidcSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalSlackOidcEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["spotify"]; ok {
@@ -1068,6 +1083,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalSpotifySecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalSpotifyEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["twitch"]; ok {
@@ -1076,6 +1092,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalTwitchSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalTwitchEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["twitter"]; ok {
@@ -1084,6 +1101,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalTwitterSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalTwitterEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 	if p, ok := e["workos"]; ok {
@@ -1101,6 +1119,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 			if len(p.Secret.SHA256) > 0 {
 				body.ExternalZoomSecret = nullable.NewNullableWithValue(p.Secret.Value)
 			}
+			body.ExternalZoomEmailOptional = nullable.NewNullableWithValue(p.EmailOptional)
 		}
 	}
 }
@@ -1119,6 +1138,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalAppleSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalAppleEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalAppleEnabled, false)
 		e["apple"] = p
@@ -1131,6 +1151,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalAzureSecret, "")
 			}
 			p.Url = ValOrDefault(remoteConfig.ExternalAzureUrl, "")
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalAzureEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalAzureEnabled, false)
 		e["azure"] = p
@@ -1142,6 +1163,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalBitbucketSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalBitbucketEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalBitbucketEnabled, false)
 		e["bitbucket"] = p
@@ -1153,6 +1175,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalDiscordSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalDiscordEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalDiscordEnabled, false)
 		e["discord"] = p
@@ -1164,6 +1187,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalFacebookSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalFacebookEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalFacebookEnabled, false)
 		e["facebook"] = p
@@ -1175,6 +1199,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalFigmaSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalFigmaEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalFigmaEnabled, false)
 		e["figma"] = p
@@ -1186,6 +1211,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalGithubSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalGithubEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalGithubEnabled, false)
 		e["github"] = p
@@ -1198,6 +1224,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalGitlabSecret, "")
 			}
 			p.Url = ValOrDefault(remoteConfig.ExternalGitlabUrl, "")
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalGitlabEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalGitlabEnabled, false)
 		e["gitlab"] = p
@@ -1213,6 +1240,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalGoogleSecret, "")
 			}
 			p.SkipNonceCheck = ValOrDefault(remoteConfig.ExternalGoogleSkipNonceCheck, false)
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalGoogleEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalGoogleEnabled, false)
 		e["google"] = p
@@ -1224,6 +1252,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalKakaoSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalKakaoEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalKakaoEnabled, false)
 		e["kakao"] = p
@@ -1236,6 +1265,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalKeycloakSecret, "")
 			}
 			p.Url = ValOrDefault(remoteConfig.ExternalKeycloakUrl, "")
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalKeycloakEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalKeycloakEnabled, false)
 		e["keycloak"] = p
@@ -1247,6 +1277,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalLinkedinOidcSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalLinkedinOidcEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalLinkedinOidcEnabled, false)
 		e["linkedin_oidc"] = p
@@ -1258,6 +1289,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalNotionSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalNotionEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalNotionEnabled, false)
 		e["notion"] = p
@@ -1269,6 +1301,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalSlackOidcSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalSlackOidcEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalSlackOidcEnabled, false)
 		e["slack_oidc"] = p
@@ -1280,6 +1313,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalSpotifySecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalSpotifyEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalSpotifyEnabled, false)
 		e["spotify"] = p
@@ -1291,6 +1325,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalTwitchSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalTwitchEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalTwitchEnabled, false)
 		e["twitch"] = p
@@ -1302,6 +1337,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalTwitterSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalTwitterEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalTwitterEnabled, false)
 		e["twitter"] = p
@@ -1325,6 +1361,7 @@ func (e external) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 			if len(p.Secret.SHA256) > 0 {
 				p.Secret.SHA256 = ValOrDefault(remoteConfig.ExternalZoomSecret, "")
 			}
+			p.EmailOptional = ValOrDefault(remoteConfig.ExternalZoomEmailOptional, false)
 		}
 		p.Enabled = ValOrDefault(remoteConfig.ExternalZoomEnabled, false)
 		e["zoom"] = p
diff --git a/pkg/config/config.go b/pkg/config/config.go
index d21f1847c..ea49a76ca 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -28,7 +28,6 @@ import (
 	"github.com/go-errors/errors"
 	"github.com/go-viper/mapstructure/v2"
 	"github.com/joho/godotenv"
-	"github.com/spf13/afero"
 	"github.com/spf13/viper"
 	"github.com/supabase/cli/pkg/cast"
 	"github.com/supabase/cli/pkg/fetcher"
@@ -1428,7 +1427,7 @@ type (
 // ResolveJWKS creates the JWKS from the JWT secret and Third-Party Auth
 // configs by resolving the JWKS via the OIDC discovery URL.
 // It always returns a JWKS string, except when there's an error fetching.
-func (a *auth) ResolveJWKS(ctx context.Context, fsys afero.Fs) (string, error) {
+func (a *auth) ResolveJWKS(ctx context.Context) (string, error) {
 	var jwks remoteJWKS
 
 	if issuerURL := a.ThirdParty.IssuerURL(); issuerURL != "" {
diff --git a/pkg/config/templates/Dockerfile b/pkg/config/templates/Dockerfile
index 1afea6435..296857341 100644
--- a/pkg/config/templates/Dockerfile
+++ b/pkg/config/templates/Dockerfile
@@ -1,17 +1,17 @@
 # Exposed for updates by .github/dependabot.yml
-FROM supabase/postgres:17.6.1.011 AS pg
+FROM supabase/postgres:17.6.1.015 AS pg
 # Append to ServiceImages when adding new dependencies below
 FROM library/kong:2.8.1 AS kong
 FROM axllent/mailpit:v1.22.3 AS mailpit
 FROM postgrest/postgrest:v13.0.7 AS postgrest
 FROM supabase/postgres-meta:v0.91.6 AS pgmeta
-FROM supabase/studio:2025.10.01-sha-8460121 AS studio
+FROM supabase/studio:2025.10.06-sha-426fda2 AS studio
 FROM darthsim/imgproxy:v3.8.0 AS imgproxy
 FROM supabase/edge-runtime:v1.69.12 AS edgeruntime
 FROM timberio/vector:0.28.1-alpine AS vector
-FROM supabase/supavisor:2.7.0 AS supavisor
+FROM supabase/supavisor:2.7.1 AS supavisor
 FROM supabase/gotrue:v2.180.0 AS gotrue
-FROM supabase/realtime:v2.51.11 AS realtime
+FROM supabase/realtime:v2.53.0 AS realtime
 FROM supabase/storage-api:v1.28.0 AS storage
 FROM supabase/logflare:1.22.4 AS logflare
 # Append to JobImages when adding new dependencies below
diff --git a/pkg/config/templates/config.toml b/pkg/config/templates/config.toml
index 5be2af89a..ebdb83103 100644
--- a/pkg/config/templates/config.toml
+++ b/pkg/config/templates/config.toml
@@ -275,6 +275,8 @@ redirect_uri = ""
 url = ""
 # If enabled, the nonce check will be skipped. Required for local sign in with Google auth.
 skip_nonce_check = false
+# If enabled, it will allow the user to successfully authenticate when the provider does not return an email address.
+email_optional = false
 
 # Allow Solana wallet holders to sign in to your project via the Sign in with Solana (SIWS, EIP-4361) standard.
 # You can configure "web3" rate limit in the [auth.rate_limit] section and set up [auth.captcha] if self-hosting.
diff --git a/pkg/config/testdata/config.toml b/pkg/config/testdata/config.toml
index 10d439399..cc3e7e907 100644
--- a/pkg/config/testdata/config.toml
+++ b/pkg/config/testdata/config.toml
@@ -285,6 +285,8 @@ secret = "env(AZURE_SECRET)"
 url = "https://login.microsoftonline.com/tenant"
 # If enabled, the nonce check will be skipped. Required for local sign in with Google auth.
 skip_nonce_check = true
+# If enabled, it will allow the user to successfully authenticate when the provider does not return an email address.
+email_optional = true
 
 # Allow Solana wallet holders to sign in to your project via the Sign in with Solana (SIWS, EIP-4361) standard.
 # You can configure "web3" rate limit in the [auth.rate_limit] section and set up [auth.captcha] if self-hosting.
diff --git a/pkg/go.mod b/pkg/go.mod
index 78d0b999c..26264d477 100644
--- a/pkg/go.mod
+++ b/pkg/go.mod
@@ -11,7 +11,6 @@ require (
 	github.com/go-errors/errors v1.5.1
 	github.com/go-viper/mapstructure/v2 v2.4.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
-	github.com/google/uuid v1.6.0
 	github.com/h2non/gock v1.2.0
 	github.com/jackc/pgconn v1.14.3
 	github.com/jackc/pgerrcode v0.0.0-20240316143900-6e2875d9b438
@@ -27,7 +26,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/tidwall/jsonc v0.3.2
 	golang.org/x/mod v0.28.0
-	google.golang.org/grpc v1.75.1
+	google.golang.org/grpc v1.76.0
 )
 
 require (
@@ -36,6 +35,7 @@ require (
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/ethereum/go-ethereum v1.15.8 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
@@ -52,8 +52,8 @@ require (
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/crypto v0.40.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/pkg/go.sum b/pkg/go.sum
index 58135e559..33e3f8def 100644
--- a/pkg/go.sum
+++ b/pkg/go.sum
@@ -217,8 +217,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
@@ -255,8 +255,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -290,8 +290,8 @@ golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI=
-google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=