To add third-party OAuth in Supabase, enable the provider in Dashboard under Authentication then Providers, paste the Client ID and Client Secret from the provider's developer console, and set the callback URL to https://your-project-ref.supabase.co/auth/v1/callback. In your client code, call supabase.auth.signInWithOAuth({ provider: 'google' }) to initiate the OAuth flow. Supabase handles token exchange and session creation automatically.
Configuring Third-Party OAuth Providers in Supabase
Supabase Auth supports 19+ social OAuth providers including Google, GitHub, Discord, Apple, and many more. This tutorial walks you through enabling a provider in the Dashboard, creating OAuth credentials in the provider's developer console, and implementing the sign-in flow in your application. Supabase handles the OAuth token exchange, user creation, and session management automatically.
Prerequisites
- A Supabase project (free tier or above)
- A developer account on the OAuth provider you want to configure (Google, GitHub, etc.)
- The @supabase/supabase-js library installed in your project
- Your application's production URL (for redirect configuration)
Step-by-step guide
Create an OAuth app in the provider's developer console
Create an OAuth app in the provider's developer console
Each OAuth provider requires you to register an application in their developer console. For Google, go to the Google Cloud Console, create or select a project, navigate to APIs and Services, then Credentials, and create an OAuth 2.0 Client ID. For GitHub, go to Settings, then Developer settings, then OAuth Apps, and create a new app. In both cases, you need to set the callback/redirect URL to your Supabase project's auth callback endpoint.
1# Your Supabase OAuth callback URL (same for all providers)2https://<your-project-ref>.supabase.co/auth/v1/callback34# Example for Google Cloud Console:5# Authorized redirect URIs: https://abcdef123456.supabase.co/auth/v1/callback67# Example for GitHub OAuth App:8# Authorization callback URL: https://abcdef123456.supabase.co/auth/v1/callbackExpected result: You have a Client ID and Client Secret from the OAuth provider, and the callback URL is configured.
Enable the provider in the Supabase Dashboard
Enable the provider in the Supabase Dashboard
Open your Supabase Dashboard and go to Authentication in the left sidebar, then click Providers. Find the provider you want to enable (Google, GitHub, Discord, etc.) and toggle it on. Paste the Client ID and Client Secret from the previous step into the corresponding fields. Some providers like Google have additional options like enabling refresh tokens or restricting to specific hosted domains. Click Save when done.
Expected result: The OAuth provider is enabled in your Supabase project and shows a green status indicator.
Implement the OAuth sign-in flow in your client
Implement the OAuth sign-in flow in your client
Use supabase.auth.signInWithOAuth() to initiate the OAuth flow. This redirects the user to the provider's login page. After they authorize your app, the provider redirects back to Supabase's callback URL, which exchanges the code for tokens and redirects the user to your specified redirectTo URL. The session is created automatically.
1import { createClient } from '@supabase/supabase-js'23const supabase = createClient(4 process.env.NEXT_PUBLIC_SUPABASE_URL!,5 process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!6)78// Sign in with Google9async function signInWithGoogle() {10 const { data, error } = await supabase.auth.signInWithOAuth({11 provider: 'google',12 options: {13 redirectTo: 'http://localhost:3000/auth/callback',14 },15 })16 if (error) console.error('OAuth error:', error.message)17 // data.url contains the OAuth authorization URL18 // The browser is automatically redirected19}2021// Sign in with GitHub22async function signInWithGitHub() {23 const { data, error } = await supabase.auth.signInWithOAuth({24 provider: 'github',25 options: {26 redirectTo: 'http://localhost:3000/auth/callback',27 },28 })29}Expected result: Clicking the sign-in button redirects the user to the provider's login page, then back to your app with an active session.
Handle the OAuth callback in your application
Handle the OAuth callback in your application
After the OAuth flow completes, Supabase redirects the user to your redirectTo URL with an auth code in the URL. Your application needs to exchange this code for a session. With @supabase/ssr or the standard client, this exchange happens automatically if the client is initialized on the callback page. For server-side frameworks like Next.js or SvelteKit, create a dedicated callback route that handles the code exchange.
1// For client-side apps (React, Vue, etc.)2// The Supabase client automatically handles the code exchange3// when it detects auth parameters in the URL hash45// For Next.js App Router — create app/auth/callback/route.ts6import { createClient } from '@/lib/supabase/server'7import { NextResponse } from 'next/server'89export async function GET(request: Request) {10 const { searchParams, origin } = new URL(request.url)11 const code = searchParams.get('code')12 const next = searchParams.get('next') ?? '/dashboard'1314 if (code) {15 const supabase = await createClient()16 const { error } = await supabase.auth.exchangeCodeForSession(code)17 if (!error) {18 return NextResponse.redirect(`${origin}${next}`)19 }20 }2122 return NextResponse.redirect(`${origin}/login?error=auth_callback_failed`)23}Expected result: The callback page exchanges the auth code for a session and redirects the user to the dashboard.
Configure URL allowlists and production settings
Configure URL allowlists and production settings
In the Supabase Dashboard, go to Authentication then URL Configuration. Add all the URLs your application will redirect to after OAuth sign-in. This includes your localhost URL for development and your production domain. Supabase will reject redirects to URLs not in this list for security. Also update the OAuth provider's developer console with your production callback URL when you deploy.
1# Supabase Dashboard → Authentication → URL Configuration2# Site URL: https://yourapp.com3# Redirect URLs:4# http://localhost:3000/auth/callback5# https://yourapp.com/auth/callback6# https://staging.yourapp.com/auth/callbackExpected result: OAuth flows work in both development and production with proper redirect URLs configured.
Complete working example
1import { createClient } from '@supabase/supabase-js'23const supabase = createClient(4 process.env.NEXT_PUBLIC_SUPABASE_URL!,5 process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!6)78// Available OAuth providers in Supabase9type OAuthProvider =10 | 'google'11 | 'github'12 | 'discord'13 | 'apple'14 | 'twitter'15 | 'facebook'16 | 'gitlab'17 | 'bitbucket'18 | 'linkedin_oidc'19 | 'slack_oidc'20 | 'spotify'21 | 'twitch'22 | 'azure'23 | 'keycloak'24 | 'notion'25 | 'zoom'26 | 'figma'27 | 'kakao'28 | 'workos'2930export async function signInWithOAuth(provider: OAuthProvider) {31 const { data, error } = await supabase.auth.signInWithOAuth({32 provider,33 options: {34 redirectTo: `${window.location.origin}/auth/callback`,35 // Scopes vary by provider36 ...(provider === 'google' && {37 queryParams: {38 access_type: 'offline',39 prompt: 'consent',40 },41 }),42 },43 })4445 if (error) {46 console.error(`OAuth sign-in error (${provider}):`, error.message)47 throw error48 }4950 return data51}5253export async function getOAuthUser() {54 const { data: { user }, error } = await supabase.auth.getUser()5556 if (error || !user) return null5758 return {59 id: user.id,60 email: user.email,61 provider: user.app_metadata.provider,62 name: user.user_metadata.full_name ?? user.user_metadata.name,63 avatar: user.user_metadata.avatar_url,64 }65}6667export async function signOut() {68 const { error } = await supabase.auth.signOut()69 if (error) console.error('Sign-out error:', error.message)70}Common mistakes when using Third-Party OAuth Providers with Supabase
Why it's a problem: Setting the callback URL in the provider's console to your app URL instead of the Supabase callback URL
How to avoid: The callback URL in the provider's developer console must be https://<project-ref>.supabase.co/auth/v1/callback. Your app URL goes in the redirectTo option of signInWithOAuth().
Why it's a problem: Not adding production URLs to the Redirect URLs allowlist in Supabase
How to avoid: Go to Authentication then URL Configuration in the Dashboard and add all your app's callback URLs (localhost for dev, production domain for live). Supabase blocks redirects to unlisted URLs.
Why it's a problem: Google OAuth not returning a refresh token, causing sessions to expire quickly
How to avoid: Add access_type: 'offline' and prompt: 'consent' to the queryParams in the signInWithOAuth options. Without these, Google only returns an access token with no refresh capability.
Why it's a problem: Forgetting to update OAuth redirect URLs when deploying to a new domain
How to avoid: Update both the Supabase Dashboard redirect URLs list and the OAuth provider's developer console callback URL with your new production domain.
Best practices
- Always use the Supabase callback URL format (https://<ref>.supabase.co/auth/v1/callback) in the OAuth provider's developer console
- Add both development and production URLs to the Supabase redirect URL allowlist
- For Google OAuth, include access_type: 'offline' and prompt: 'consent' to get refresh tokens
- Create a dedicated callback route in your app to handle the code-to-session exchange
- Store user profile data (name, avatar) from user_metadata in a public profiles table after signup
- Test each OAuth provider in development before deploying — provider configurations are a common source of errors
- Use the same Supabase callback URL for all providers — Supabase routes each provider correctly
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I want to add Google and GitHub login to my app using Supabase Auth. Walk me through creating OAuth apps in both developer consoles, configuring the providers in Supabase Dashboard, and implementing signInWithOAuth in TypeScript.
Set up Google and GitHub OAuth providers in my Supabase project. Create the signInWithOAuth functions, a callback route handler that exchanges the auth code for a session, and show me how to read the user's name and avatar from the OAuth metadata.
Frequently asked questions
Which OAuth providers does Supabase support?
Supabase supports 19+ providers including Google, GitHub, Discord, Apple, Facebook, Twitter, GitLab, Bitbucket, LinkedIn, Slack, Spotify, Twitch, Azure, Keycloak, Notion, Zoom, Figma, Kakao, and WorkOS. You can also configure any custom OAuth2 or OIDC provider.
Is the callback URL the same for all OAuth providers?
Yes, all providers use the same Supabase callback URL: https://<your-project-ref>.supabase.co/auth/v1/callback. Supabase internally routes each provider to the correct handler.
Can I use multiple OAuth providers on the same project?
Yes, you can enable as many providers as you need. Each provider is configured independently in the Dashboard. If a user signs in with different providers using the same email, Supabase can link the accounts automatically.
How do I get the user's profile picture from OAuth?
After sign-in, the user's OAuth profile data is stored in user_metadata. Access it with user.user_metadata.avatar_url for the profile picture and user.user_metadata.full_name for the display name.
Why does my OAuth redirect fail in production?
Your production URL is likely not in the Redirect URLs allowlist. Go to Supabase Dashboard, Authentication, URL Configuration, and add your production callback URL. Also verify that the OAuth provider's developer console has the correct Supabase callback URL.
Can I restrict which email domains can sign in via OAuth?
Yes, create a database trigger on auth.users that checks the email domain on INSERT and raises an exception if the domain is not allowed. Google also supports a hosted domain parameter (hd) to restrict to a specific Google Workspace domain.
Can RapidDev help configure OAuth for my Supabase project?
Yes, RapidDev can set up multiple OAuth providers, configure callback routes for your framework, handle account linking, and implement domain-based restrictions for your authentication flow.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation