Authentication can often feel like a complex hurdle when building with Next.js. However, Supabase transforms this challenge into a straightforward and secure experience—especially with the advancements in Next.js 14, including the new app router and server actions. Let’s cut through the complexity and establish a battle-tested, elegant authentication flow that just works.
Why Supabase + Next.js Is the Ultimate Power Move
Imagine zero backend configuration, native React integration, and reliable session management that effortlessly scales with your app. Supabase delivers all this and more:
- Zero backend maintenance: Supabase provides a fully managed Postgres database and authentication system, eliminating the need to build from scratch.
- Optimized for Next.js: Official libraries integrate seamlessly with server components, middleware, and client-side rendering.
- Effortless session synchronization: Server-side sessions protect your pages, while client-side updates keep your UI reactive.
- Flexible growth options: Effortlessly add social logins, Row Level Security, and email confirmation.
In short, Supabase equips you with a secure, production-ready auth foundation from day one.
Setup Essentials: Checklist Before You Start
Before diving in, ensure you have:
- Created a free Supabase project at database.new.
- Initialized a Next.js 14+ app (
npx create-next-app@latest my-app). - Installed the server-rendering-aware Supabase SDK:
npm install @supabase/ssr - Configured your
.env.localwith your Supabase URL and public anon key:
You can find these credentials in your Supabase dashboard under Settings > API.NEXT_PUBLIC_SUPABASE_URL=https://xyzcompany.supabase.co NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-public-key
This setup ensures secure access to Supabase from both server and client environments.
Step 1: Create Dual Supabase Clients for Server and Client
Your Next.js app requires two distinct Supabase clients for optimal security and reactivity:
- Server-side client: Manages sessions securely via cookies.
- Client-side client: Handles interactive UI updates.
Server-side client (utils/supabase/server.ts):
import { createServerClient } from '@supabase/ssr'
import { cookies } from 'next/headers'
export async function createClient() {
const cookieStore = cookies()
return createServerClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
{
cookies: {
getAll() {
return cookieStore.getAll()
},
setAll(cookiesToSet) {
cookiesToSet.forEach(({ name, value, options }) => {
cookieStore.set(name, value, options)
})
},
},
}
)
}
Client-side client (utils/supabase/client.ts):
import { createBrowserClient } from '@supabase/ssr'
export function createClient() {
return createBrowserClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
)
}
This configuration ensures your sessions are secure and authentication states stay in sync, delivering smooth user experiences.
Step 2: Use Middleware to Synchronize Sessions
Middleware plays a vital role by syncing auth cookies on every request, maintaining SSR page awareness of user sessions.
Add the following middleware.ts at your project root:
import { type NextRequest } from 'next/server'
import { updateSession } from '@/utils/supabase/middleware'
export async function middleware(request: NextRequest) {
return await updateSession(request)
}
export const config = {
matcher: [
'/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
],
}
This middleware is the crucial glue that keeps users signed in seamlessly across all server-rendered pages.
Step 3: Leverage Next.js Server Actions for Secure Login & Signup
Handling authentication purely on the client exposes risks. Next.js 14’s server actions empower you to manage sensitive operations like login and signup securely on the server.
Client component (app/login/page.tsx):
'use client'
import { login, signup } from './actions'
export default function LoginPage() {
return (
<form>
<label htmlFor="email">Email:</label>
<input id="email" name="email" type="email" required />
<label htmlFor="password">Password:</label>
<input id="password" name="password" type="password" required />
<button formAction={login}>Log in</button>
<button formAction={signup}>Sign up</button>
</form>
)
}
Server actions (app/login/actions.ts):
'use server'
import { revalidatePath } from 'next/cache'
import { redirect } from 'next/navigation'
import { createClient } from '@/utils/supabase/server'
export async function login(formData: FormData) {
const supabase = await createClient()
const { error } = await supabase.auth.signInWithPassword({
email: formData.get('email') as string,
password: formData.get('password') as string,
})
if (error) redirect('/error')
revalidatePath('/', 'layout')
redirect('/account')
}
export async function signup(formData: FormData) {
const supabase = await createClient()
const { error } = await supabase.auth.signUp({
email: formData.get('email') as string,
password: formData.get('password') as string,
})
if (error) redirect('/error')
revalidatePath('/', 'layout')
redirect('/account')
}
This approach provides robust, scalable authentication flows leveraging Next.js’s latest server capabilities.
Step 4: Protect Routes with Server-Side Authentication
Securing user-only pages is essential. Use Supabase’s auth.getUser() inside Next.js server components to gatekeep access expertly.
Example in app/account/page.tsx:
import { createClient } from '@/utils/supabase/server'
import { redirect } from 'next/navigation'
export default async function Account() {
const supabase = await createClient()
const {
data: { user },
} = await supabase.auth.getUser()
if (!user) redirect('/login')
return <div>Welcome, {user.email}</div>
}
Simple, elegant, and secure — unauthorized users are instantly redirected, ensuring airtight protection.
Step 5: Smoothly Handle Email Confirmations & OAuth Callbacks
For email verification and social login redirects, API route handlers are indispensable.
Example app/auth/callback/route.ts:
import { createClient } from '@/utils/supabase/server'
import { NextRequest, NextResponse } from 'next/server'
export async function GET(request: NextRequest) {
const requestUrl = new URL(request.url)
const code = requestUrl.searchParams.get('code')
if (code) {
const supabase = await createClient()
await supabase.auth.exchangeCodeForSession(code)
}
return NextResponse.redirect(requestUrl.origin)
}
Remember to configure your signup flow with the emailRedirectTo option:
await supabase.auth.signUp({
email,
password,
options: { emailRedirectTo: `${origin}/auth/callback` },
})
This guarantees a seamless, secure user experience.
Bonus: Accelerate Growth with Social Logins
Enable providers like Google or GitHub directly in the Supabase dashboard, then trigger OAuth flows from your front end:
await supabase.auth.signInWithOAuth({
provider: 'google',
options: { redirectTo: `${origin}/auth/callback` },
})
Social authentication is a high-ROI strategy for rapid user acquisition.
Wrapping Up: Your Strategic Authentication Edge in 2024
By integrating Next.js 14 with Supabase authentication, you now have:
- Dual Supabase clients securing sessions
- Middleware that syncs auth cookies flawlessly
- Server action based login and signup with unmatched security
- Server component route protection that’s failproof
- Robust handling of email confirmations and OAuth callbacks
Next steps to elevate your app:
- Integrate client-side hooks for dynamic, reactive interfaces
- Expand social login providers without friction
- Enforce Row Level Security to protect your data
- Enhance user profiles and real-time capabilities with Supabase Realtime
This stack not only eliminates authentication headaches but scales elegantly to meet the demands of your growing startup or project. It’s your definitive competitive advantage in 2024.
Pro tip: Bookmark and leverage the official documentation and cutting-edge tutorials as you refine your authentication workflows:
- Supabase Docs: Next.js Quickstart
- Supabase and Next.js 14 Authentication
- LogRocket Fullstack Next.js + Supabase Auth
Take this guide, build confidently, and watch your authentication challenges dissolve.