hello fellow supabase'rs. Have anyone implemented ...
# help
n
hello fellow supabase'rs. Has anyone implemented some auth where a user is only allowed to have a single session at a time? I.e. if I log in on one device, then it logs me off on all other devices
c
I haven't but there are 2 separate questions to consider here:
1) How important is it for a user that was automatically logged out to NOT be able to make manual requests outside the app (e.g. with Postman) - this will NOT be trivial to implement since Supabase uses JWT for authentication and these tokens CANNOT be revoked unless they expire. If this is important, you should set the JWT expiry to a very low value (e.g. no more than 5min) from the Auth settings
2) If the above is NOT that critical, then the question is how do you signal to device A that it needs to signOut the user if the user logs in to device B (this basically means to remove the JWT from localStorage and memory). For this, you might be able to use the auth.audit_log_entries which records all auth actions (login, logout, etc), however I don't think it will be trivial since that table does NOT contain any information about the device source.
Another table which can be helpful is auth.refresh_tokens - this table records all the refresh tokens which are used to keep a user logged in when the JWT expires
If you can tolerate some delay, maybe you can create a trigger that listens to new entries in that table - when you see that a new refresh token is added whose parent is NULL (I think this only happens when you login), you can revoke all other active refresh tokens. That way, the JWT on the other device will NOT be refreshed, which will essentially log the user out from the other device
IMPORTANT: I don't know whether using auth.refresh_tokens and auth.audit_log_entries would be a reliable long-term strategy, because I think Supabase sees them as an implementation detail and they might change
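Added example (not code from the thread or from Supabase): one way to write the trigger sketched in the reply above, as a Postgres/plpgsql trigger on `auth.refresh_tokens` that revokes a user's other refresh tokens when a fresh login chain starts. It assumes (these are assumptions, not documented API) that the table has columns `id`, `user_id`, `parent` and `revoked`, and that a login inserts a row with `parent IS NULL` while a rotation inserts a row with a non-null `parent`.

```sql
-- Added example (not from the thread): revoke every other refresh token a user holds
-- when a new login chain (parent IS NULL) is inserted, so the other device can no
-- longer refresh its JWT.
-- Assumed columns on auth.refresh_tokens: id, user_id, parent, revoked.
-- As the reply warns, this table is a Supabase internal and its shape may change.
create or replace function public.enforce_single_session()
returns trigger
language plpgsql
security definer
set search_path = auth, pg_temp
as $$
begin
  -- Token rotations carry a non-null parent; only a brand-new login has parent IS NULL.
  if new.parent is not null then
    return new;
  end if;

  -- Revoke all other still-active refresh tokens belonging to the same user.
  update auth.refresh_tokens
     set revoked = true
   where user_id = new.user_id
     and id <> new.id
     and revoked = false;

  return new;
end;
$$;

drop trigger if exists enforce_single_session on auth.refresh_tokens;

create trigger enforce_single_session
  after insert on auth.refresh_tokens
  for each row
  execute function public.enforce_single_session();
```

Note the caveat from point 1) of the reply still applies: revoking a refresh token only stops the other device from obtaining a new JWT; the JWT it already holds stays valid until it expires, so this only becomes a practical "logout" when combined with a short JWT expiry. The trigger also runs inside the auth service's own insert transaction, so keep it cheap and check the actual column names in your project before relying on it.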