# External identity providers

> Exchange third-party JWTs for Stytch sessions using Trusted Auth Tokens.

Trusted Auth Tokens let you attest end-user identities by exchanging signed JWTs for Stytch sessions.
Many existing identity infrastructure tools will provide a JWT that can be used for this purpose, such as an
`access_token` or `id_token`.
Stytch will use the JWKS endpoint hosted by your existing infrastructure to validate these JWTs.

This guide uses Supabase as an example, but the same pattern works for any provider with a public JWKS.

## Logging a user in

<Steps>
  <Step title="Configure a Trusted Auth Token Profile">
    [In the Stytch Dashboard](https://stytch.com/dashboard/trusted-auth-tokens), create a Trusted Auth Token Profile for your external provider. In order to validate JWTs from Supabase, set the following values:

    | Name     | Value                                                           |
    | -------- | --------------------------------------------------------------- |
    | Issuer   | `https://$project-id.supabase.co/auth/v1/`                      |
    | Audience | `authenticated`                                                 |
    | JWKS     | `https://$project-id.supabase.co/auth/v1/.well-known/jwks.json` |

    Add an attribute mapping for the claims you want to import. To map Supabase user information to Stytch, set the following:

    | Name      | Value        |
    | --------- | ------------ |
    | email     | `email`      |
    | token\_id | `session_id` |
  </Step>

  <Step title="Send the external token to your backend">
    After you mint or retrieve the provider JWT, send it to your backend so it can be exchanged for a Stytch session. For Supabase, use the [Supabase SDK](https://supabase.com/docs/reference/javascript/auth-getsession) to retrieve an access token JWT:

    ```js
    // On the frontend
    const { data } = await supabase.auth.getSession()
    fetch('/api/exchange-supabase-session', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      // fetch() sends the payload in `body`; it has no `data` option
      body: JSON.stringify({ access_token: data.session.access_token })
    })
    ```
  </Step>

  <Step title="Exchange the token for a Stytch session">
    Use the [Attest Session endpoint](/api-reference/consumer/api/sessions/attest-session) to exchange the token for a Stytch session.

    ```js
    // On the backend
    const stytch = require('stytch');

    // Keep the project secret on the server; never ship it to the browser
    const client = new stytch.Client({
      project_id: 'PROJECT_ID',
      secret: 'SECRET',
    });

    const params = {
      profile_id: "trusted-auth-token-profile-...",
      token: "eyJhb...", // access token from Supabase
    };

    // Stytch validates the token against the profile before creating a session
    client.sessions.attest(params)
      .then(resp => {
        console.log(resp)
      })
      .catch(err => {
        console.log(err)
      });
    ```
  </Step>

  <Step title="You're done!">
    You now have a Stytch session linked to the external user identity.
  </Step>
</Steps>
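
The following is an added example, not Stytch's code or implementation: a local sketch of the kind of checks the profile's Issuer, Audience, JWKS and attribute-mapping values describe, useful for debugging a token that the exchange rejects. The `example-project` id, the `ES256` algorithm, the key id and the helper names (`checkToken`, `signSample`, `rejects`) are assumptions, and the key pair and JWKS are constructed in place of the provider's real ones.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Profile values from the tables above; "example-project" is a constructed project id.
const PROFILE = {
  issuer: 'https://example-project.supabase.co/auth/v1/',
  audience: 'authenticated',
  mapping: { email: 'email', token_id: 'session_id' },
};

function checkToken(token, jwks, profile, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = parse(h);
  // Pin the algorithm (assumed ES256) so "none" or an HMAC alg cannot be substituted.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = { key: crypto.createPublicKey({ key: jwk, format: 'jwk' }), dsaEncoding: 'ieee-p1363' };
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = parse(p);
  if (claims.iss !== profile.issuer) throw new Error('issuer mismatch');
  if (![].concat(claims.aud).includes(profile.audience)) throw new Error('audience mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // Apply the attribute mapping: mapped name <- JWT claim.
  return Object.fromEntries(Object.entries(profile.mapping).map(([to, from]) => [to, claims[from]]));
}

// Constructed fixture: a throwaway P-256 key standing in for the provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const SAMPLE_JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'constructed-key-1' }] };

function signSample(claims, header = { alg: 'ES256', kid: 'constructed-key-1' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Returns the rejection reason for a token, or null if it passes every check.
function rejects(token) {
  try { checkToken(token, SAMPLE_JWKS, PROFILE); return null; } catch (e) { return e.message; }
}
```

Note that the issuer comparison is an exact string match, so a missing trailing slash in either the token or the profile value is enough to fail it.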
