We are using Supabase with Next.js as an admin dashboard and an API server. I want to use Supabase's auth system for 2 things: 1. I can pre-create a user's account by supplying an email address and some long random password. Then I can send them a password reset link for them to claim their account. 2. I can detect whether a user has confirmed their email address My questions are: (A) Can I send a user an email confirmation and have that set their

email_confirmed == true

, while still allowing them to sign in with their account even before email confirmation? (B) What columns in the database are set when a user confirms their email address? If I were to check just one DB column, which one should I check? (C) Can I consider the database table for

auth.users

(or a view of that table) stable in terms of an API? AKA can I rely on it for important auth decisions, or must I rely on Supabase SDKs? (C) If a user changes the email address for the

auth.user

entry, does the new email become "unconfirmed"? (D) Do OAuth signups automatically set the underlying email address as confirmed? (E) Can I have a successful password reset move an email address from unconfirmed to confirmed? This would be necessary for goal (1) that I'm trying to achieve above. Thanks.

A: no B: there is an email_confirmed_at and confirmed_at column (you can see all the columns in the table UI so play around a bit and see what happens) C1: You should minimize the use of auth.users unless you see it used in a supabase example. For instance they changed the email column to not be unique which broke users who had it as foreign key. IMO id, email (data only), app/user meta data, role are safe. Others have risk of changing but people are using confirmed_at. C2 I believe it has to be confirmed again yes D I believe yes but you should check E You already have to be confirmed to do password reset I am not an employee so all my opinion

Thanks for the info! Would love a clarification from a Supabase employee on some of the remaining unknowns