User Management
View, delete, and export user information.
You can view your users on the Users page of the Dashboard. You can also view the contents of the Auth schema in the Table Editor.
Accessing user data via API
For security, the Auth schema is not exposed in the auto-generated API. If you want to access users data via the API, you can create your own user tables in the public
schema.
Make sure to protect the table by enabling Row Level Security. Reference the auth.users
table to ensure data integrity. Specify on delete cascade
in the reference. For example, a public.profiles
table might look like this:
_10create table public.profiles (_10 id uuid not null references auth.users on delete cascade,_10 first_name text,_10 last_name text,_10_10 primary key (id)_10);_10_10alter table public.profiles enable row level security;
Only use primary keys as foreign key references for schemas and tables like auth.users
which are managed by Supabase. PostgreSQL lets you specify a foreign key reference for columns backed by a unique index (not necessarily primary keys).
Primary keys are guaranteed not to change. Columns, indices, constraints or other database objects managed by Supabase may change at any time and you should be careful when referencing them directly.
To update your public.profiles
table every time a user signs up, set up a trigger. If the trigger fails, it could block signups, so test your code thoroughly.
_17-- inserts a row into public.profiles_17create function public.handle_new_user()_17returns trigger_17language plpgsql_17security definer set search_path = ''_17as $$_17begin_17 insert into public.profiles (id, first_name, last_name)_17 values (new.id, new.raw_user_meta_data ->> 'first_name', new.raw_user_meta_data ->> 'last_name');_17 return new;_17end;_17$$;_17_17-- trigger the function every time a user is created_17create trigger on_auth_user_created_17 after insert on auth.users_17 for each row execute procedure public.handle_new_user();
Adding and retrieving user metadata
You can assign metadata to users on sign up:
_10const { data, error } = await supabase.auth.signUp({_10 email: 'example@email.com',_10 password: 'example-password',_10 options: {_10 data: {_10 first_name: 'John',_10 age: 27,_10 },_10 },_10})
User metadata is stored on the raw_user_meta_data
column of the auth.users
table. To view the metadata:
_10const {_10 data: { user },_10} = await supabase.auth.getUser()_10let metadata = user.user_metadata
Deleting users
You may delete users directly or via the management console at Authentication > Users. Note that deleting a user from the auth.users
table does not automatically sign out a user. As Supabase makes use of JSON Web Tokens (JWT), a user's JWT will remain "valid" until it has expired. Should you wish to immediately revoke access for a user, do consider making use of a Row Level Security policy as described below.
You cannot delete a user if they are the owner of any objects in Supabase Storage.
You will encounter an error when you try to delete an Auth user that owns any Storage objects. If this happens, try deleting all the objects for that user, or reassign ownership to another user.
Exporting users
As Supabase is built on top of Postgres, you can query the auth.users
and auth.identities
table via the SQL Editor
tab to extract all users:
_10select * from auth.users;
You can then export the results as CSV.