/
Contact usSee pricingStart building
Node
​

    About Stytch

    Introduction
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Migrations
      Migration overview
      Migrating users statically
      Migrating users dynamically
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for users
      Migrating from Stytch Consumer to B2B
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    Magic Links

    • Email Magic Links

        • Getting started with the API
        Getting started with the SDK
        Replacing your password reset flow
        Building an invite user flow
        Add magic links to an existing auth flow
        Adding PKCE to a Magic Link flow
        Magic Link redirect routing

    • Embeddable Magic Links

        • Getting started with the API
    MFA
      Overview
      Backend integration
      Frontend integration
      Remembered device flow
    Mobile Biometrics
      Overview
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0
    OAuth

    • Identity providers

        • Overview
        Provider setup
      Getting started with the API (Google)
      Add Google One Tap via the SDK
      Email address behavior
      Adding PKCE to an OAuth flow
    Connected Apps
      Overview
      Getting started with the SDK
      Client types
      OAuth scopes

    • Integration Guides

        • MCP Authorization Overview
        Integrate with MCP servers deployed on Cloudflare
        Integrate with MCP servers on Vercel
        Integrate with CLI Apps
        Integrate with AI agents

    • Resources

        • Consent Management
    Passcodes
      Getting started with the API
      Getting started with the SDK

    • Toll fraud

        • What is SMS toll fraud?
        How you can prevent toll fraud
      Unsupported countries
    Passkeys & WebAuthn

    • Passkeys

        • Passkeys overview
        Set up Passkeys with the frontend SDK

    • WebAuthn

        • Getting started with the API
        Getting started with the SDK
    Passwords
      Getting started with the API
      Getting started with the SDK
      Password strength policy

    • Email verification

        • Overview
        Email verification before password creation
        Email verification after password creation
    Sessions
      How to use sessions
      Backend integrations
      Frontend integrations
      Custom claims
      Custom claim templates
      Session tokens vs JWTs
      How to use Stytch JWTs
    TOTP
      Getting started with the API
      Getting started with the SDK
    Web3
      Getting started with the API
      Getting started with the SDK
    Trusted Auth Tokens
      Overview
      Getting Started with External IDPs
      Getting Started with Custom Auth Factors
    Device History
      New Device Notifications

    RBAC

    Resources
      Overview
      Role assignment
    Integration Guides
      Start here
      Backend integration
      Headless frontend integration
      (Legacy) Implement RBAC with metadata

    3rd Party Integrations

    Planetscale
    Supabase
    Feathery
    Unit

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

Consumer Authentication

/

Guides

/

Authentication

/

Trusted Auth Tokens

/

Getting Started with External IDPs

Accept Credentials from an External Identity Provider

The Trusted Auth Tokens feature allows developers to attest end-user identities by exchanging signed JWTs for Stytch sessions. Many existing identity infrastructure tools will provide a JWT that can be used for this purpose such as an access_token or id_token. Stytch will use the JWKS endpoint hosted by your existing infrastructure to validate these JWTs.

This may be useful if you need to deal with many applications with different sources of identity. For example, an internal tool built with Supabase Auth may need to call out to another project built with Stytch. We'll show how Trusted Auth Tokens allow you to accept Supabase credentials within your Stytch project.

The concepts shown here are not Supabase specific - they can be applicable to any identity provider with a public JWKs.

Configuring the Trusted Auth Token Profile

Create a new Trusted Auth Token profile in the Stytch dashboard here. In order to validate JWTs from Supabase, we need to set three values:

NameValue
Issuerhttps://$project-id.supabase.co/auth/v1/
Audienceauthenticated
JWKShttps://$project-id.supabase.co/auth/v1/.well-known/jwks.json

We also need to map the Supabase user information to Stytch via an attribute mapping:

NameValue
emailemail
token_idsession_id

With these values set, we are ready to exchange Supabase Access Tokens for Stytch sessions

Logging a user in

Obtain After you have minted your JWT, use the Supabase SDK to retrieve an access token JWT.

// On the frontend
// Retrieve the session to be sent to the backend for authentication
const { data } = await supabase.auth.getSession()
fetch('/api/exchange-supabase-session', {
  method: 'POST',
  data: JSON.stringify({access_token: data.session.access_token})
})

Call the Attest Session API endpoint to exchange the JWT for a Stytch Session.

// On the backend, exchange the Supabase access token for a Stytch session
const client = new stytch.Client({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  profile_id: "trusted-auth-token-profile-test-41920359-8bbb-4fe8-8fa3-aaa83f35f02c",
  token: "eyJhb...", // the accessToken from Supabase
};

client.sessions.attest(params)
  .then(resp => {
    console.log(resp)
  })
  .catch(err => {
    console.log(err)
  });

You should now have an authenticated Stytch session linked to the external Supabase user.

Configuring the Trusted Auth Token Profile

Logging a user in