Auth Routes
Sign in, sign up, and OAuth callback.
Most authentication happens client-side through the Supabase JS SDK — there's little to call directly. The exception is the OAuth callback.
Client-side sign in / sign up
Use the Supabase client; don't write your own API route:
```ts
import { getSupabaseClient } from '@/lib/supabase/client';

const supabase = getSupabaseClient();

// Email + password sign up
await supabase.auth.signUp({ email, password });

// Email + password sign in
await supabase.auth.signInWithPassword({ email, password });

// Google OAuth — redirects away
await supabase.auth.signInWithOAuth({
  provider: 'google',
  options: { redirectTo: `${window.location.origin}/auth/callback` },
});

// Sign out
await supabase.auth.signOut();

// Password reset email
await supabase.auth.resetPasswordForEmail(email, {
  redirectTo: `${window.location.origin}/auth/reset`,
});
```

GET /auth/callback
Handles the OAuth redirect after a user signs in with Google (or any other OAuth provider). Supabase sends back a `?code=...` param, which this route exchanges for a session cookie.
- File: `app/auth/callback/route.ts`
- Excluded from middleware (so the code exchange isn't interrupted)
- Returns: redirect to `/dashboard` (or the `next` param if provided)
You don't call this route directly — Supabase redirects here automatically.
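Because `next` arrives in the query string, its value is controlled by whoever built the link, so the callback should only follow it when it is a same-origin path. The helper below is an added example, not the project's own `route.ts` code; `safeNextPath`, `FALLBACK_PATH` and `SAMPLE_ORIGIN` are hypothetical names, and the origin is a constructed sample value.

```typescript
// Added example (hypothetical helper, not taken from app/auth/callback/route.ts).
// Validates the `next` query parameter before the callback redirects to it.

const FALLBACK_PATH = '/dashboard';                // default target named on this page
const SAMPLE_ORIGIN = 'https://app.example.test';  // constructed sample origin

function safeNextPath(next: string | null | undefined, origin: string): string {
  if (!next) return FALLBACK_PATH;

  // Accept root-relative paths only. Absolute URLs, protocol-relative
  // "//host" and the "/\host" form browsers treat the same way are rejected.
  if (!next.startsWith('/') || next.startsWith('//') || next.startsWith('/\\')) {
    return FALLBACK_PATH;
  }

  // URL parsers silently drop tab/CR/LF, which can turn "/<TAB>/host" into
  // "//host"; refuse any control character outright.
  if (/[\u0000-\u001f\u007f]/.test(next)) return FALLBACK_PATH;

  // Defense in depth: resolve against our origin and confirm it did not move.
  let resolved: URL;
  try {
    resolved = new URL(next, origin);
  } catch {
    return FALLBACK_PATH;
  }
  if (resolved.origin !== new URL(origin).origin) return FALLBACK_PATH;

  // Return the normalized path only, never a full URL taken from input.
  return resolved.pathname + resolved.search + resolved.hash;
}
```

In a route handler, the returned path would be resolved against the request's own origin before redirecting, so the redirect target never carries a host taken from user input.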
Session refresh
middleware.ts refreshes the auth cookie on every request. You don't have to do anything.
See also
- Authentication — full auth setup
- Supabase Setup — enabling Google OAuth