Supabase auth example #4066

Open: tleyden wants to merge 4 commits into PrefectHQ:main from tleyden:supabase_example

@tleyden tleyden commented Apr 26, 2026

Description

Complete working example of using Supabase Auth. I found this to be a very non-trivial task, so hopefully this will save someone the iterations I had to go through!

Closes #4063

Contribution type

  • Bug fix (simple, well-scoped fix for a clearly broken behavior)
  • Documentation improvement
  • Enhancement (maintainers typically implement enhancements — see CONTRIBUTING.md)

Checklist

  • This PR addresses an existing issue (or fixes a self-evident bug).

But to be fair I filed it!

This is an example. Automated tests probably not appropriate.

  • I have run uv run prek run --all-files and all checks pass
  • I have self-reviewed my changes
  • If I used an LLM, it followed the repo's contributing conventions (not generic output)

Guilty as charged, except for the README.md which was entirely hand-crafted.

Happy to clean up the AI slop, but I'd like to get a round of feedback before I go too deep on that. I just want to make sure the PR will be accepted in its current form, or if there is an example template I should follow for an example like this.

@claude claude Bot left a comment

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@marvin-context-protocol marvin-context-protocol Bot added documentation Updates to docs, examples, or guides. Primary change is documentation-related. auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. labels Apr 26, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d2e2773182

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +120 to +123
auth = SupabaseProvider(
project_url=SUPABASE_URL,
base_url=BASE_URL,
)

[P1] Configure SupabaseProvider with the JWT algorithm you require

This example tells users to migrate to asymmetric RS256 keys, but SupabaseProvider(...) is instantiated without algorithm, so it defaults to ES256. If users follow the setup guidance and Supabase issues RS256 tokens, token verification will fail and the OAuth flow cannot complete. Set algorithm="RS256" here (or update the setup guidance to match ES256) so verifier and issuer are consistent.

Author

@tleyden tleyden Apr 26, 2026

I don't know if this comment is correct, however I can say that the code in this PR definitely works on my machine. In Supabase, my JWT signing key is listed as: "ECC (P-256)"
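
The consistency question raised in this thread (verifier algorithm versus the key type Supabase shows) can be checked offline from three inputs: the algorithm the verifier is configured for, the project's published JWKS, and the header of an issued token. This is an added example, not code from the PR or from FastMCP; the function names are hypothetical, the JWKS and token are constructed samples, and the header is decoded for diagnostics only, with no signature verification.

```python
import base64
import json

# JWS algorithms implied by a JWK that carries no explicit "alg" member (RFC 7518).
EC_CURVE_TO_ALG = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}
RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}


def jwk_algorithms(jwk: dict) -> set[str]:
    """Return the signature algorithms this JWK can be used with."""
    if "alg" in jwk:
        return {jwk["alg"]}
    if jwk.get("kty") == "EC":
        alg = EC_CURVE_TO_ALG.get(jwk.get("crv"))
        return {alg} if alg else set()
    if jwk.get("kty") == "RSA":
        return set(RSA_ALGS)
    return set()


def token_header(token: str) -> dict:
    """Decode the unverified JOSE header of a compact JWT (diagnostics only)."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_alignment(configured_alg: str, jwks: dict, token: str) -> list[str]:
    """List every mismatch between verifier config, published keys and token."""
    problems = []
    header = token_header(token)
    if header.get("alg") != configured_alg:
        problems.append(f"token alg {header.get('alg')!r} != verifier alg {configured_alg!r}")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None:
        problems.append(f"no JWKS key with kid {header.get('kid')!r}")
    elif configured_alg not in jwk_algorithms(key):
        problems.append(f"key {key['kid']!r} cannot verify {configured_alg}")
    return problems


def _b64(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data: an EC P-256 key (shown in Supabase as "ECC (P-256)").
SAMPLE_JWKS = {"keys": [{"kty": "EC", "crv": "P-256", "kid": "sample-key-1", "x": "placeholder", "y": "placeholder"}]}
SAMPLE_TOKEN = ".".join([_b64({"alg": "ES256", "typ": "JWT", "kid": "sample-key-1"}), _b64({"sub": "sample-user"}), "placeholder-signature"])
```

An empty list from `check_alignment` means the configured algorithm, the published key and the token agree; each entry otherwise names one side that needs to change.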

Comment thread examples/auth/supabase_auth/hello_supabase.py Outdated
### Step 3: Run FastMCP Client

```
python client.py

[P2] Invoke the client via uv so dependencies resolve

After uv sync, the README instructs running python client.py, which uses the system interpreter unless the user manually activates .venv. In a fresh setup this commonly raises ModuleNotFoundError for fastmcp/dotenv; using uv run python client.py is required for the documented workflow to work reliably.

Author

I updated the readme to tell the user to source .venv/bin/activate

@tleyden
Author

tleyden commented May 6, 2026

cc @aaazzam - since it looks like you worked on the original PR. Any chance you could take a look and let me know what would be needed to get this example merged?

@jlowin
Member

jlowin commented May 7, 2026

A few things that stand out:

  • README Step 5 documents an unresolved error ("You will see error in browser window. I am not sure what's going on here.").
  • hello_supabase.py has substantial debug scaffolding: the InstrumentedJWTVerifier (lines 31-96) with emoji logging and manual JWT decoding, and RequestLoggingMiddleware (lines 99-117). The shape to match is examples/auth/github_oauth/server.py.
  • consent_server.py has the same: the inline debugEl / console.log output pane is a debug UI, not consent UI.
  • pyproject.toml and a 1,188-line uv.lock inside the example folder. No other example in examples/auth/ ships its own env or lockfile.
  • The README's ## Needs Review section still has unresolved questions.

We're happy to accept a Supabase example, but it needs to arrive fully formed — walkthrough verified end-to-end against a real Supabase project, no debug scaffolding, structurally consistent with the other auth examples in the repo. Once it's ready for the world, ping us and we'll take a look.

@marvin-context-protocol
Contributor

tl;dr: CI failed on a flaky timing-sensitive test (test_timeout_tool_call_overrides_client_timeout_even_if_lower) unrelated to this PR's Supabase example. Safe to re-run.

The only failing job was Tests with lowest-direct dependencies. The single failure was in tests/client/client/test_timeout.py:37, which configures a Client(timeout=0.1) and then asserts a per-call timeout=2 override lets a 0.5s tool sleep complete. On a slow runner (and against the lowest-pinned mcp==1.24.0), the 0.1s client-level timeout is tight enough to occasionally win the race.

This PR only adds files under examples/auth/supabase_auth/ — it cannot affect client timeout behavior. All other test jobs (Python 3.10/3.13 ubuntu, 3.10 windows, integration, conformance) passed.

Failure excerpt
FAILED tests/client/client/test_timeout.py::TestTimeout::test_timeout_tool_call_overrides_client_timeout_even_if_lower
  - mcp.shared.exceptions.McpError: Timed out while waiting for response to ClientRequest. Waited 0.1 seconds.
======= 1 failed, 5622 passed, 2 skipped, 1 xfailed in 116.56s =======

🤖 Generated with Claude Code

@tleyden
Author

tleyden commented May 10, 2026

Thanks for taking a look @jlowin, I will try to find the time to make the changes.

> structurally consistent with the other auth examples in the repo

Do you recommend any particular auth example that is most similar to Supabase, or are they all about the same?
