# off-topic
n
hey folks, I'm new to supabase and trying to figure out if it's right for me. So far, it looks amazing. I think my only remaining question is quite simple: does supabase auth provide a way for me to generate access tokens for my users to hit my API?
s
If you use the access_token, it's not likely to last long enough, as the developer would have to re-auth frequently. I run a developer API. Supabase handles user/developer accounts as well as the data, and I use a GQL server in front to handle requests for that data. A developer generates an API key (via a Postgres function), and then they send this key along with all requests to the API. The GQL server:
- Checks that the key exists and belongs to a user
- Stores details of the request, which can be used for analytics but also allows calculation of how many API calls they've used in the current billing period
If the key is invalid or they've exceeded their API call quota, an error is returned. Developers can have multiple keys, and this provides a way for them to perform analytics but also to revoke a key should they need to.
n
that sounds great
can I ask what your postgres keygen function looks like?
and can I ask, do you expire these keys? Or only disable them once revoked
because I could imagine just punching out my own JWTs which encode the associated user_id
s
There are a few different ways to do it. There's a ULID option, which uses the pgcrypto library (already included with Supabase extensions): https://gist.github.com/kohenkatz/363eac0f4cef0da6c6d1690b96c4ab02 Using a JWT would also work, and the PGJWT extension is already installed on Supabase. I'm not sure how you'd be able to effectively revoke such a token though. Even just generating a UUID might be enough, and that's a really simple option to implement. As long as it's unique and has enough entropy to be resistant to collisions, and you have some way of linking a key to a specific user, there are probably hundreds of different ways that would work.
n
Got it, super helpful thank you