/
Contact usSee pricingStart building

    About B2B SaaS Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs
      Migrating from Stytch Consumer to B2B
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On

    • Resources

        • Overview
        External SSO Connections
        Standalone SSO

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected Apps
      Overview
      Getting started with the SDK
      Client types
      OAuth scopes

    • Integration Guides

        • MCP Authorization Overview
        Integrate with a remote MCP server
        Integrate with AI agents

    • Resources

        • Consent Management
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords

    • Resources

        • Overview
        Strength policy

    • Integration Guides

        • Pre-built UI frontend integration
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0
    Trusted Auth Tokens
      Overview
      Getting Started with External IDPs
      Getting Started with Custom Auth Factors
    Device History
      New Device Notifications

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B SaaS Authentication

/

Guides

/

Authentication

/

Trusted Auth Tokens

/

Getting Started with External IDPs

Accept Credentials from an External Identity Provider

The Trusted Auth Tokens feature allows developers to attest end-user identities by exchanging signed JWTs for Stytch sessions. Many existing identity infrastructure tools will provide a JWT that can be used for this purpose such as an access_token or id_token. Stytch will use the JWKS endpoint hosted by your existing infrastructure to validate these JWTs.

This may be useful if you need to deal with many applications with different sources of identity. For example, an internal tool built with Supabase Auth may need to call out to another project built with Stytch. We'll show how Trusted Auth Tokens allow you to accept Supabase credentials within your Stytch project.

The concepts shown here are not Supabase specific - they can be applicable to any identity provider with a public JWKs.

Configuring the Trusted Auth Token Profile

Create a new Trusted Auth Token profile in the Stytch dashboard here. In order to validate JWTs from Supabase, we need to set three values:

NameValue
Issuerhttps://$project-id.supabase.co/auth/v1/
Audienceauthenticated
JWKShttps://$project-id.supabase.co/auth/v1/.well-known/jwks.json

We also need to map the Supabase user information to Stytch via an attribute mapping:

NameValue
emailemail
token_idsession_id

With these values set, we are ready to exchange Supabase Access Tokens for Stytch sessions

Logging a user in

Obtain After you have minted your JWT, use the Supabase SDK to retrieve an access token JWT.

// On the frontend
// Retrieve the session to be sent to the backend for authentication
const { data } = await supabase.auth.getSession()
fetch('/api/exchange-supabase-session', {
  method: 'POST',
  data: JSON.stringify({access_token: data.session.access_token})
})

Call the Attest Session API endpoint to exchange the JWT for a Stytch Session.

// On the backend, exchange the Supabase access token for a Stytch session
const client = new stytch.B2BClient({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  profile_id: "trusted-auth-token-profile-test-41920359-8bbb-4fe8-8fa3-aaa83f35f02c",
  organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
  token: "eyJhb...", // the accessToken from Supabase
};

client.sessions.attest(params)
  .then(resp => {
    console.log(resp)
  })
  .catch(err => {
    console.log(err)
  });

You should now have an authenticated Stytch session linked to the external Supabase user.

Configuring the Trusted Auth Token Profile

Logging a user in