Supabase Auth · The Security Settings That Matter
Supabase Auth defaults are reasonable but not tight. Six settings measurably move your security posture: email confirmation on, leaked-password protection on, JWT expiry short, refresh-token rotation on, OTP length reasonable, and MFA offered where value justifies friction. Everything else is cosmetic.
Common misconfigurations
- Auto-confirm signups · Anyone can create an account with any email address · including yours. Turn on email confirmation.
- Leaked-password protection off · One toggle. See the dedicated guide.
- OTP too short or long · 6 digits is the sweet spot. 4 is guessable; 8+ is friction with little added security.
- Redirect URLs not restricted · Add every production and preview URL to the allow-list. Anything else lets attackers redirect flow.
Frequently asked
Should I turn off auto-confirm?
Yes, unless you have a very specific reason to allow instant login with unverified emails.
What's the right JWT expiry?
1 hour is the Supabase default. Combined with refresh-token rotation, that's fine for most apps.
Does Supabase support MFA?
Yes · TOTP is built in. Enable it for high-value accounts.
Scan for this issue →