kotlin Client Library

Create Supabase Client#

Independently of which Supabase module you are using, you will need to initialize the main client first and install the module.

To create a new client, you can use the createSupabaseClient function.

When installing a module, you can pass a block to configure it.

OAuth and OTP link verification#

supabase-kt provides several platform implementations for OAuth and OTP link verification.

On Desktop platforms (JVM, MacOS*, Linux), it uses a HTTP Callback Server to receive the session data from a successful OAuth login. The success page can be customized via AuthConfig#httpCallbackConfig
* If no deeplinks are being used.

Note: OTP link verification such as sign ups are not supported on JVM. You may have to send a verification token rather than a url in your email. To send the token, rather than a redirect url, change {{ .ConfirmationURL }} in your sign up email to {{ .Token }}

On Android, iOS & MacOS, OAuth and OTP verification use deeplinks. Refer to the guide below on how to setup deeplinks. Alternatively you can use Native Google Auth.
On JS, it uses the website origin as the callback url. Session importing gets handled automatically.
Windows, tvOS, watchOS & Linux currently have no default implementation. Feel free to create a PR.

You always make your own implementation and use auth.parseSessionFromFragment(fragment) or auth.parseSessionFromUrl(url) to let supabase-kt handle the parsing after receiving a callback. Then you can simply use auth.importSession(session).

Configure deeplink callbacks for Authentication#

Deeplinks are supported on Android, iOS and MacOS.

1. Set up a deeplink
   On Android, set up a deeplink in your Android manifest.
   On iOS and MacOS, set up a url scheme.
2. Add your deeplink to the redirect URLs
   Pattern: scheme://host
3. Configure the Auth plugin Set the host and scheme in the Auth config:

   1
   2
   3
   4
   5
   6
   7
   install(Auth) {   host = "deeplink host" // this can be anything, eg. your package name or app/company url (not your Supabase url)   scheme = "deeplink scheme"   // On Android only, you can set OAuth and SSO logins to open in a custom tab, rather than an external browser:   defaultExternalAuthAction = ExternalAuthAction.CustomTabs() //defaults to ExternalAuthAction.ExternalBrowser}

4. Call platform specific function on startup
   On Android: supabase.handleDeeplinks(intent)
   If you don't want a separate activity, just call this function at the top of your onCreate function in your MainActivity.
   On iOS/MacOS: supabase.handleDeeplinks(url)

Then you can log in using OAuth:

1
supabase.auth.signInWith(Google)

Or open OTP links directly in your app.

PKCE Authentication flow#

supabase-kt supports the PKCE authentication flow. To use it, change the flowType in the Auth configuration:

1
2
3
install(Auth) {  flowType = FlowType.PKCE}

That's it! If you already implemented deeplinks to handle OTPs and OAuth you don't have to change anything!

Perform a SELECT query on the table or view.

• When calling a decode method, you have to provide a serializable class as the type parameter.
• You can provide a Columns object to select specific columns.
• You can provide a filter block to filter the results

Perform an INSERT into the table or view.

• When calling an insert method, you have to provide a serializable value.
• By default, insert will not return the inserted data. If you want to return the inserted data, you can use the select() method inside the request.

Perform an UPDATE on the table or view.

• update() should always be combined with a filter block to avoid updating all records.
• When calling insert or update, you have to provide a serializable value in the function parameter.
• By default, update will not return the inserted data. If you want to return the inserted data, you can use the select() method inside the request.

Perform an UPSERT on the table or view. Depending on the column(s) passed to onConflict, .upsert() allows you to perform the equivalent of .insert() if a row with the corresponding onConflict columns doesn't exist, or if it does exist, perform an alternative action depending on ignoreDuplicates.

• Primary keys should be included in the data payload in order for an update to work correctly.
• Primary keys must be natural, not surrogate. There are however, workarounds for surrogate primary keys.
• If you need to insert new data and update existing data at the same time, use Postgres triggers.
• When calling insert or update, you have to provide a serializable value in the function parameter.
• By default, upsert will not return the inserted data. If you want to return the inserted data, you can use the select() method inside the request.

Perform a DELETE on the table or view.

• delete() should always be combined with a filter block to target the item(s) you wish to delete.
• If you use delete() with filters and you have RLS enabled, only rows visible through SELECT policies are deleted. Note that by default no rows are visible, so you need at least one SELECT/ALL policy that makes the rows visible.
• By default, delete will not return the deleted data. If you want to return the deleted data, you can use the select() method inside the request.

You can call stored procedures as a "Remote Procedure Call".

That's a fancy way of saying that you can put some logic into your database then call it from anywhere. It's especially useful when the logic rarely changes - like password resets and updates.

• When calling rpc with parameters, you have to provide a serializable value in the function parameter.

Filters allow you to only return rows that match certain conditions.

Filters can be used on select(), update(), and delete() queries.

You can use two different types for applying filters:

1
eq("country_id", 1)

And using a class property:

1
City::countryId eq 1

As you can see on the property syntax: the name of the countryId gets converted to country_id.

By default, this is done by converting camel case to snake case, but you can customize this by changing the propertyConversionMethod in the Postgrest Config

If a database function returns a table response, you can also apply filters.

Finds all rows whose value on the stated column exactly matches the specified value.

Finds all rows whose value on the stated column doesn't match the specified value.

Finds all rows whose value on the stated column is greater than the specified value.

Finds all rows whose value on the stated column is greater than or equal to the specified value.

Finds all rows whose value on the stated column is less than the specified value.

Finds all rows whose value on the stated column is less than or equal to the specified value.

Finds all rows whose value in the stated column matches the supplied pattern (case sensitive).

Finds all rows whose value in the stated column matches the supplied pattern (case insensitive).

A check for exact equality (null, true, false), finds all rows whose value on the stated column exactly match the specified value.

is_ and in_ filter methods are suffixed with _ to avoid collisions with reserved keywords.

Finds all rows whose value on the stated column is found on the specified values.

Only relevant for jsonb, array, and range columns. Match only rows where column contains every element appearing in value.

Only relevant for range columns. Match only rows where every element in column is greater than any element in range.

Only relevant for range columns. Match only rows where every element in column is either contained in range or greater than any element in range.

Only relevant for range columns. Match only rows where every element in column is less than any element in range.

Only relevant for range columns. Match only rows where every element in column is either contained in range or less than any element in range.

Only relevant for range columns. Match only rows where column is mutually exclusive to range and there can be no element between the two ranges.

Only relevant for array and range columns. Match only rows where column and value have an element in common.

Only relevant for text and tsvector columns. Match only rows where column matches the query string in query.

For more information, see Postgres full text search.

Finds all rows that don't satisfy the filter.

• .filterNot() expects you to use the raw PostgREST syntax for the filter names and values.

Finds all rows satisfying at least one of the filters.

filter() expects you to use the raw PostgREST syntax for the filter values.

Filters work on the row level—they allow you to return rows that only match certain conditions without changing the shape of the rows. Modifiers are everything that don't fit that definition—allowing you to change the format of the response (e.g., returning a CSV string).

Modifiers are be specified next to the filter block. Some modifiers only apply for queries that return rows (e.g., select() or rpc() on a function that returns a table response).

Order the query result by column.

Limit the query result by count.

Limit the query result by from and to inclusively.

For debugging slow queries, you can get the Postgres EXPLAIN execution plan of a query using the explain() method. This works on any query, even for rpc() or writes.

Explain is not enabled by default as it can reveal sensitive information about your database. It's best to only enable this for testing environments but if you wish to enable it for production you can provide additional protection by using a pre-request function.

Follow the Performance Debugging Guide to enable the functionality on your project.

• The auth methods can be accessed via the Supabase Auth client.

Creates a new user.

• By default, the user needs to verify their email address before logging in. To turn this off, disable Confirm email in your project.
• Confirm email determines if users need to confirm their email address after signing up.
  • If Confirm email is enabled, the return value is the user and you won't be logged in automatically.
  • If Confirm email is disabled, the return value is null and you will be logged in instead.
• When the user confirms their email address, they are redirected to the SITE_URL by default. You can modify your SITE_URL or add additional redirect URLs in your project.
• To learn how to handle OTP links & OAuth refer to initializing
• If signUpWith() is called for an existing confirmed user:
  • When both Confirm email and Confirm phone (even when phone provider is disabled) are enabled in your project, an obfuscated/fake user object is returned.
  • When either Confirm email or Confirm phone (even when phone provider is disabled) is disabled, the error message, User already registered is returned.

Listen to session changes.

• Creates an anonymous user.
• The user can be retrieved by calling supabase.auth.currentUserOrNull().
• It is recommended to set up captcha for anonymous sign-ins to prevent abuse. You can pass in the captcha token in the options param.

Logs in an existing user.

• Requires either an email and password or a phone number and password.

Sends a OTP to the user's email or phone number.

• Requires either an email or phone number.
• This method is used for passwordless sign-ins where a OTP is sent to the user's email or phone number.
• If the user doesn't exist, signInWith(OTP) will signup the user instead. To restrict this behavior, you can set createUser to false.
• The method signUpWith(OTP) does the exact same thing as signInWith(OTP), so it doesn't matter which one you use.
• If you're using an email, you can configure whether you want the user to receive a magiclink or a OTP.
• If you're using phone, you can configure whether you want the user to receive a OTP.
• The magic link's destination URL is determined by the SITE_URL.
• See redirect URLs and wildcards to add additional redirect URLs to your project.
• To learn how to handle OTP links & OAuth refer to initializing
• Magic links and OTPs share the same implementation. To send users a one-time code instead of a magic link, modify the magic link email template to include {{ .Token }} instead of {{ .ConfirmationURL }}.

• This method is used for signing in using a third-party provider.
• Supabase supports many different third-party providers.
• To learn how to handle OTP links & OAuth refer to initializing

• Before you can call this method you need to establish a connection to an identity provider. Use the CLI commands to do this.
• If you've associated an email domain to the identity provider, you can change the domain property in the signInWith(SSO) method to start a sign-in flow.
• In case you need to use a different way to start the authentication flow with an identity provider, you can change the providerId property. For example:
  • Mapping specific user email addresses with an identity provider.
  • Using different hints to identity the identity provider to be used by the user, like a company-specific page, IP address or other tracking information.
• To learn how to handle OTP links & OAuth refer to initializing

Logs out the current user.

• In order to use the signOut() method, the user needs to be signed in first.

Sends a password reset request to the given email address.

• The password reset flow consist of 2 broad steps: (i) Allow the user to login via the password reset link; (ii) Update the user's password.
• The resetPasswordForEmail() only sends a password reset link to the user's email. To update the user's password, see updateUser().
• The user gets redirected back to your app, assuming you setup OTP handling
• After the user has been redirected successfully, prompt them for a new password and call updateUser():

  1
  2
  3
  supabase.auth.updateUser {    password = "1234567"}

• Verifying an OTP is done through either verifyPhoneOtp or verifyEmailOtp.
• The verification type used should be determined based on the corresponding auth method called before using verifyPhoneOtp/verifyEmailOtp to sign up / sign-in a user.

Returns the current session, or null if there is none.

This method will refresh the session whether the current one is expired or not.

• This is done automatically, but can be disabled in the Auth config.

• This method gets the user object from the current session.
• Fetches the user object from the database instead of local session.
• Should be used only when you require the most current user data. For faster results, getCurrentSessionOrNull()?.user is recommended.

Modifies the user data.

• In order to use the updateUser() method, the user needs to be signed in first.
• By default, email updates sends a confirmation link to both the user's current and new email. To only send a confirmation link to the user's new email, disable Secure email change in your project's email auth provider settings.

• The user needs to be signed in to call currentIdentitiesOrNull().

• The Enable Manual Linking option must be enabled from your project's authentication settings.
• The user needs to be signed in to call linkIdentity().
• If the candidate identity is already linked to the existing user or another user, linkIdentity() will fail.
• This method works similarly to signInWith() using an OAuthProvider. To learn how to handle OTP links & OAuth refer to initializing

• The Enable Manual Linking option must be enabled from your project's authentication settings.
• The user needs to be signed in to call unlinkIdentity().
• The user must have at least 2 identities in order to unlink an identity.
• The identity to be unlinked must belong to the user.

• This method is used together with updateUser() when a user's password needs to be updated.
• This method will send a nonce to the user's email. If the user doesn't have a confirmed email address, the method will send the nonce to the user's confirmed phone number instead.

• Resends a signup confirmation, email change or phone change email to the user.
• Passwordless sign-ins can be resent by calling the signInWith(OTP) method again.
• Password recovery emails can be resent by calling the resetPasswordForEmail() method again.
• This method will only resend an email or phone OTP to the user if there was an initial signup, email change or phone change request being made.

Changes the local session.

• importSession() takes in a UserSession.
• Refresh token rotation is enabled by default on all projects to guard against replay attacks.
• You can configure the REFRESH_TOKEN_REUSE_INTERVAL which provides a short window in which the same refresh token can be used multiple times in the event of concurrency or offline issues.

• Used when flowType is set to FlowType.PKCE in the Auth configuration.

This section contains methods commonly used for Multi-Factor Authentication (MFA) and are invoked behind the supabase.auth.mfa namespace.

Currently, we only support time-based one-time password (TOTP) as the 2nd factor. We don't support recovery codes but we allow users to enroll more than 1 TOTP factor, with an upper limit of 10.

Having a 2nd TOTP factor for recovery frees the user of the burden of having to store their recovery codes somewhere. It also reduces the attack surface since multiple recovery codes are usually generated compared to just having 1 backup TOTP factor.

Enrolls a new factor.

• Use FactorType.TOTP or FactorType.Phone as the factorType and use the returned id to create a challenge.
• To create a challenge, see mfa.createChallenge().
• To verify a challenge, see mfa.verifyChallenge().
• To create and verify a challenge in a single step, see mfa.createChallengeAndVerify().

Creates a challenge for a factor.

• An enrolled factor is required before creating a challenge.
• To verify a challenge, see mfa.verifyChallenge().
• A phone factor sends a code to the user upon challenge. The channel defaults to Phone.Channel.SMS unless otherwise specified.

Verifies a challenge for a factor.

• To verify a challenge, please create a challenge first.

Creates and verifies a challenge for a factor.

• Creating and verifying a challenge in a single step is not supported by the Phone factor type.
• An enrolled factor is required before invoking createChallengeAndVerify().
• Executes mfa.createChallenge() and mfa.verifyChallenge() in a single step.

Unenroll removes a MFA factor. A user has to have an AAL2 authentication level in order to unenroll a verified factor.

• Authenticator Assurance Level (AAL) is the measure of the strength of an authentication mechanism.
• In Supabase, having an AAL of aal1 refers to having the 1st factor of authentication such as an email and password or OAuth sign-in while aal2 refers to the 2nd factor of authentication such as a time-based, one-time-password (TOTP).
• If the user has a verified factor, the next field will return AuthenticatorAssuranceLevel.AAL2, else, it will return AuthenticatorAssuranceLevel.AAL1.

• Any method under the supabase.auth.admin namespace requires a service_role key.
• These methods are considered admin methods and should be called on a trusted server. Never expose your service_role key in the browser.

Fetches the user object from the database based on the user's id.

• The retrieveUserById() method requires the user's id which maps to the auth.users.id column.

Retrieves a list of users.

• Defaults to return 50 users per page.

Creates a new user.

• To confirm the user's email address or phone number, set autoConfirm to true. Both arguments default to false.

Deletes a user from the database.

• The deleteUser() method requires the user's ID, which maps to the auth.users.id column.

Sends an invite link to the user's email address.

Generates email links and OTPs to be sent via a custom email provider.

Updates the user data.

Lists all factors associated to a user.

Deletes a factor on a user. This will log the user out of all active sessions if the deleted factor was verified.

Invokes a Supabase Function. See the guide for details on writing Functions.

• When invoking a function with parameters, you have to provide a serializable value in the function parameter.

• Requires an Authorization header.

Return real-time data from your table as a Flow.

• Realtime is disabled by default for new tables. You can turn it on by managing replication.
• selectAsFlow and selectSingleValueAsFlow will emit the initial data and then listen for changes.
• Takes in a filter parameter to filter the data and a primaryKey parameter to cache the data by the primary key.
• This method requires both the Realtime and Postgrest plugins to be installed.
• The type parameter T must be a serializable class.
• If you want more control over the realtime updates, you can use the Realtime plugin directly.

Subscribe to realtime changes in your database.

• Realtime is disabled by default for new Projects for better database performance and security. You can turn it on by managing replication.
• If you want to receive the "previous" data for updates and deletes, you will need to set REPLICA IDENTITY to FULL, like this: ALTER TABLE your_table REPLICA IDENTITY FULL;
• When using a method with a generic type like track, broadcast or broadcastFlow, you have to provide a serializable class as the type parameter.
• Presence, Broadcast and Database updates are sent through a Flow

Unsubscribes and removes Realtime channel from Realtime client.

• Removing a channel is a great way to maintain the performance of your project's Realtime service as well as your database if you're listening to Postgres changes.
• Supabase will automatically handle cleanup 30 seconds after a client is disconnected, but unused channels may cause degradation as more clients are simultaneously subscribed.
• If you removed all channels, the client automatically disconnects from the Realtime websocket. This can be disabled in the Realtime config by setting disconnectOnNoSubscriptions to false.

Unsubscribes and removes all Realtime channels from Realtime client.

• Removing channels is a great way to maintain the performance of your project's Realtime service as well as your database if you're listening to Postgres changes. Supabase will automatically handle cleanup 30 seconds after a client is disconnected, but unused channels may cause degradation as more clients are simultaneously subscribed.
• If you removed all channels, the client automatically disconnects from the Realtime websocket. This can be disabled in the Realtime config by setting disconnectOnNoSubscriptions to false.

Returns all Realtime channels.

• RLS policy permissions required:
  • buckets table permissions: insert
  • objects table permissions: none
• Refer to the Storage guide on how access control works

• RLS policy permissions required:
  • buckets table permissions: select
  • objects table permissions: none
• Refer to the Storage guide on how access control works

• RLS policy permissions required:
  • buckets table permissions: select
  • objects table permissions: none
• Refer to the Storage guide on how access control works

• RLS policy permissions required:
  • buckets table permissions: select and update
  • objects table permissions: none
• Refer to the Storage guide on how access control works

• RLS policy permissions required:
  • buckets table permissions: select and delete
  • objects table permissions: none
• Refer to the Storage guide on how access control works

• RLS policy permissions required:
  • buckets table permissions: select
  • objects table permissions: select and delete
• Refer to the Storage guide on how access control works

• RLS policy permissions required:
  • buckets table permissions: none
  • objects table permissions: insert
• Refer to the Storage guide on how access control works
• Resumable uploads use a Disk cache by default to store the upload urls. You can customize that in the Auth config by changing the resumable.cache property.

• RLS policy permissions required:
  • buckets table permissions: none
  • objects table permissions: select
• Refer to the Storage guide on how access control works

• RLS policy permissions required:
  • buckets table permissions: none
  • objects table permissions: select
• Refer to the Storage guide on how access control works

• RLS policy permissions required:
  • buckets table permissions: none
  • objects table permissions: update and select
• Refer to the Storage guide on how access control works