> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcp-use.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Supabase Provider
> Configure Supabase OAuth 2.1 server authentication for your MCP server
Use [Supabase's OAuth 2.1 server](https://supabase.com/docs/guides/auth/oauth-server/getting-started) to sign users into your MCP server. Supabase handles the OAuth flow and issues the tokens; your server verifies them and you host the consent page.
## Prerequisites
Before your MCP server will work, configure these in the [Supabase Dashboard](https://app.supabase.com/):
**Authentication → Sign In / Providers → OAuth Server** → toggle on. Also toggle **Allow Dynamic OAuth Apps** so MCP clients can self-register.
Point it at the route your MCP server will host, e.g. `http://localhost:3000/auth/consent`. Supabase redirects the browser here with `?authorization_id=` after `/authorize`.
Users must be signed in before they can consent. Pick one under **Authentication → Sign In / Providers**:
* **Anonymous sign-ins** - one-click guest sessions, ideal for demos
* **Email + password**, **magic links**, or **OAuth providers** (Google, GitHub, etc.) - for real apps
From **Project Settings**:
* **Project ID** (General)
* **Publishable key** - `sb_publishable_...` (API Keys). Used by *your* consent route and by tools that call Supabase - not by the provider itself.
## Host the consent UI
Supabase redirects the browser to the consent screen URL you configured above. Your route signs the user in, loads the authorization details with the Supabase JS SDK, and submits the approve/deny decision back to Supabase - mcp-use is not involved in this step.
Don't want to build it from scratch? Start from the [mcp-oauth-supabase-template](https://github.com/mcp-use/mcp-oauth-supabase-template) - it has sign-in, consent, and approve/deny already wired up. Or follow Supabase's [OAuth Server - Getting Started guide](https://supabase.com/docs/guides/auth/oauth-server/getting-started) to roll your own.
## Environment variables
```bash theme={null}
# Required (hosted Supabase) - read by oauthSupabaseProvider()
MCP_USE_OAUTH_SUPABASE_PROJECT_ID=your-project-id
# Optional override — point the provider at a self-hosted or local Supabase
# instance (e.g. `supabase start`). Required instead of PROJECT_ID when you
# aren't on supabase.co.
# MCP_USE_OAUTH_SUPABASE_URL=http://localhost:54321
# Used by your consent UI and by tools calling Supabase REST/APIs.
# Not read by oauthSupabaseProvider() itself.
MCP_USE_OAUTH_SUPABASE_PUBLISHABLE_KEY=sb_publishable_...
```
## Configure the MCP server
```typescript theme={null}
// server.ts
import { MCPServer, oauthSupabaseProvider } from "mcp-use/server";
const server = new MCPServer({
name: "my-server",
version: "1.0.0",
oauth: oauthSupabaseProvider(), // reads MCP_USE_OAUTH_SUPABASE_PROJECT_ID
});
await server.listen(3000);
```
## Configuration options
```typescript theme={null}
oauthSupabaseProvider({
// Provide one of these (or set the matching env var):
projectId: "your-project-id", // hosted Supabase
// supabaseUrl: "http://localhost:54321", // self-hosted / local
// Skip JWT verification - development only
verifyJwt: process.env.NODE_ENV === "production",
// Override advertised scopes
scopesSupported: ["openid", "profile", "email"],
});
```
### Self-hosted / local Supabase
For `supabase start` or a self-hosted instance, point the provider at your base URL instead of a project ID:
```typescript theme={null}
const server = new MCPServer({
name: "my-server",
version: "1.0.0",
oauth: oauthSupabaseProvider({
supabaseUrl: "http://localhost:54321",
}),
});
```
Or via env var:
```bash theme={null}
MCP_USE_OAUTH_SUPABASE_URL=http://localhost:54321
```
`supabaseUrl` takes precedence over `projectId` when both are set. The provider derives the issuer and JWKS endpoint from this URL, so the local Supabase stack must expose `/auth/v1/.well-known/openid-configuration` (it does, by default).
New Supabase projects sign tokens with **ES256** and expose a JWKS endpoint - the provider fetches it automatically, no secret needed. Legacy **HS256** projects can still pass a `jwtSecret` (or set `MCP_USE_OAUTH_SUPABASE_JWT_SECRET`), but new projects do not need it.
## Accessing user info in tools
```typescript theme={null}
server.tool(
{
name: "get-user-info",
description: "Get authenticated user info",
},
async (_args, ctx) => ({
userId: ctx.auth.user.userId,
email: ctx.auth.user.email,
name: ctx.auth.user.name,
scopes: ctx.auth.scopes,
}),
);
```
You can also call Supabase from within a tool using the user's access token. Create a Supabase client scoped to the request so RLS policies see the caller as the authenticated user:
```typescript theme={null}
import { createClient } from "@supabase/supabase-js";
server.tool(
{
name: "list-notes",
description: "Fetch the user's notes",
},
async (_args, ctx) => {
const supabase = createClient(
`https://${process.env.MCP_USE_OAUTH_SUPABASE_PROJECT_ID}.supabase.co`,
process.env.MCP_USE_OAUTH_SUPABASE_PUBLISHABLE_KEY!,
{
auth: { persistSession: false, autoRefreshToken: false, detectSessionInUrl: false },
global: { headers: { Authorization: `Bearer ${ctx.auth.accessToken}` } },
},
);
const { data, error } = await supabase.from("notes").select();
if (error) return { content: [{ type: "text", text: error.message }], isError: true };
return { content: [{ type: "text", text: JSON.stringify(data) }] };
},
);
```
## Resources
* [mcp-oauth-supabase-template](https://github.com/mcp-use/mcp-oauth-supabase-template) - starter template with the consent UI already wired up
* [Supabase OAuth Server - Getting Started](https://supabase.com/docs/guides/auth/oauth-server/getting-started)
* [Supabase OAuth Server - MCP Authentication](https://supabase.com/docs/guides/auth/oauth-server/mcp-authentication)
* [Row Level Security](https://supabase.com/docs/guides/auth/row-level-security)
## Next Steps
* [User Context](/typescript/server/authentication/user-context) - Access user information in tools