Supabase Auth with JWT cookies, RLS-enforced tenant isolation, and a four-tier role hierarchy
Auth & Multi-Tenancy
Authentication Flow
User Login → Supabase Auth (JWT + Cookie) → Middleware (getUser()) → Profile + Org Lookup → SessionContext (userId, orgId, role) → RLS Filters (by org_id)
Three Supabase Client Types
| Client | Used By | RLS |
|---|---|---|
| createBrowserClient() | React components | Enforced |
| createSupabaseServer() | API routes, server components | Enforced |
| supabaseAdmin() | Webhooks, migrations only | Bypassed |
Role Hierarchy
| Role | Can Do |
|---|---|
| Owner | Everything + delete org + manage billing |
| Admin | Everything + manage team members |
| Member | Create, edit, publish documents |
| Viewer | Read-only access to all documents |
Defense in depth: auth is checked at three layers. (1) Middleware validates the JWT and blocks unauthenticated requests. (2) API routes call requireSession() and, where a specific tier is needed, requireRole(). (3) PostgreSQL RLS policies filter every query by org_id. Even if layers 1 and 2 fail, RLS prevents cross-tenant data leaks, provided the query goes through an RLS-enforced client rather than supabaseAdmin().
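The RLS layer described above, as an added example that is not the project's own schema: Postgres policies that pin every read and write to the caller's org_id and gate writes on the Member tier and up. The table and column names (profiles, documents), the org_role enum and the two helper functions are assumptions; auth.uid() is Supabase's function returning the JWT subject.

```sql
-- Added example (not the project's own schema): RLS policies enforcing
-- org_id isolation and the four-tier role hierarchy. Table/column names,
-- the org_role enum and the helper functions are assumptions.
create type org_role as enum ('viewer', 'member', 'admin', 'owner');

create table profiles (
  id     uuid primary key references auth.users (id),
  org_id uuid not null,
  role   org_role not null default 'viewer'
);

create table documents (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null,
  body   text
);

-- Caller's org and role rank, derived from the JWT subject (auth.uid()).
-- security definer avoids recursing into profiles' own RLS policy.
create or replace function caller_org_id() returns uuid
language sql stable security definer set search_path = public as $$
  select org_id from profiles where id = auth.uid()
$$;

create or replace function caller_role_rank() returns int
language sql stable security definer set search_path = public as $$
  select case role when 'viewer' then 0 when 'member' then 1
                   when 'admin'  then 2 when 'owner'  then 3 end
  from profiles where id = auth.uid()
$$;

alter table profiles enable row level security;
alter table documents enable row level security;

-- A user may read only their own profile row.
create policy profiles_self on profiles for select using (id = auth.uid());

-- Viewer and up: read documents in the caller's org, nothing else.
create policy documents_select on documents for select
  using (org_id = caller_org_id());

-- Member and up: create and edit. Rows are pinned to the caller's org, so a
-- tampered org_id in the request body is rejected rather than honoured.
create policy documents_insert on documents for insert
  with check (org_id = caller_org_id() and caller_role_rank() >= 1);

create policy documents_update on documents for update
  using (org_id = caller_org_id() and caller_role_rank() >= 1)
  with check (org_id = caller_org_id());
```

supabaseAdmin() runs with the service role, which bypasses these policies entirely, so any org_id check in webhooks or migrations has to be done in application code.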