Trusted Auth Tokens let you attest end-user identities by exchanging signed JWTs for Stytch sessions. Many existing identity infrastructure tools will provide a JWT that can be used for this purpose, such as an access_token or id_token. Stytch will use the JWKS endpoint hosted by your existing infrastructure to validate these JWTs. This guide uses Supabase as an example, but the same pattern works for any provider with a public JWKS.

Logging a user in

1. Configure a Trusted Auth Token Profile

In the Stytch Dashboard, create a Trusted Auth Token Profile for your external provider. In order to validate JWTs from Supabase, set the following values:
Name       Value
Issuer     https://$project-id.supabase.co/auth/v1/
Audience   authenticated
JWKS       https://$project-id.supabase.co/auth/v1/.well-known/jwks.json
Add an attribute mapping for the claims you want to import. To map Supabase user information to Stytch, set the following:
Name       Value
email      email
token_id   session_id
2. Send the external token to your backend

After you mint or retrieve the provider JWT, send it to your backend so it can be exchanged for a Stytch session. For Supabase, use the Supabase SDK to retrieve an access token JWT:
// On the frontend
const { data } = await supabase.auth.getSession()
if (!data.session) throw new Error('No Supabase session; the user must sign in first')
await fetch('/api/exchange-supabase-session', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ access_token: data.session.access_token }), // fetch takes the request body as `body`, not `data`
})
3. Exchange the token for a Stytch session

Use the Attest Session endpoint to exchange the token for a Stytch session.
// On the backend
const stytch = require('stytch');

const client = new stytch.Client({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  profile_id: "trusted-auth-token-profile-...", // ID of the profile created in step 1
  token: "eyJhb...", // access token from Supabase, as received from the frontend request
};

// Stytch validates the token against the profile's issuer, audience and JWKS
// and returns a Stytch session for the mapped user.
client.sessions.attest(params)
  .then(resp => {
    console.log(resp)
  })
  .catch(err => {
    console.error(err)
  });
4. You're done!

You now have a Stytch session linked to the external user identity.