
Authentication & Authorization

Switchyard uses a hybrid authentication approach: Supabase Auth handles user authentication (credentials, JWTs, password reset) while the Switchyard framework's own auth system handles sessions and route protection, with Role-Based Access Control (RBAC) layered on top for authorization.

Architecture Overview

┌─────────────────────────────────────────────────────────────────┐
│                        Client Applications                       │
│  (Admin UI, Mobile Apps, Scanner Devices, Automated Systems)    │
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                       Switchyard Backend                         │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐ │
│  │  Auth Provider  │  │   Middleware    │  │  Route Handlers │ │
│  │   (Supabase)    │  │ (authenticate,  │  │                 │ │
│  │                 │  │   authorize)    │  │                 │ │
│  └────────┬────────┘  └────────┬────────┘  └─────────────────┘ │
│           │                    │                                 │
│           ▼                    ▼                                 │
│  ┌─────────────────────────────────────────────────────────────┐│
│  │                    Auth Identity Store                       ││
│  │              (Switchyard auth_identity table)                ││
│  └─────────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────────┐
│                         Supabase                                 │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐ │
│  │   Auth Service  │  │  RBAC Tables    │  │  RLS Policies   │ │
│  │  (auth.users)   │  │ (roles, perms)  │  │                 │ │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘ │
└─────────────────────────────────────────────────────────────────┘

Key Components

Component                  Purpose
Supabase Auth              User authentication, session management, password reset
Supabase RBAC Tables       Roles, permissions, and their assignments
Switchyard Auth Provider   Bridge between Supabase and Switchyard's auth system
Auth Middleware            Validates authentication on protected routes
Authorization Middleware   Checks permissions before allowing access

Authentication Flows

Standard Login (Admin UI)

1. Enter Credentials: the user enters email and password in the login form.
2. Supabase Validates: the frontend calls the Supabase Auth API, which validates the credentials and returns a JWT.
3. Switchyard Session: the frontend calls the Switchyard auth endpoint with the Supabase token, which creates a Switchyard session.
4. Authenticated Requests: subsequent requests include the session cookie automatically.

Bearer Token (API/Mobile)

For programmatic access:
# Include JWT in Authorization header
curl 'https://api.switchyard.run/admin/products' \
  -H "Authorization: Bearer YOUR_SUPABASE_JWT"

Service Account (Robots/Scripts)

For automated systems:
curl -X POST 'https://api.switchyard.run/auth/user/supabase' \
  -H "Content-Type: application/json" \
  -d '{"api_key": "sk_robot_..."}'

Environment Variables

Variable                    Description                               Required
SUPABASE_URL                Your Supabase project URL                 Yes
SUPABASE_ANON_KEY           Public anon key for client-side auth      Yes
SUPABASE_SERVICE_ROLE_KEY   Service role key for admin operations     Yes
SUPABASE_JWT_SECRET         JWT secret for token verification         Optional

The service role key bypasses Row Level Security, so it must stay on the backend and never be bundled into client-side code; the anon key is safe to ship to clients because RLS policies constrain what it can do.

Actor Types

The system supports multiple actor types:
Actor Type   Description       Auth Methods          Typical Use
user         Admin users       supabase, emailpass   Admin dashboard
customer     Store customers   emailpass             Storefront (future)
api-key      API key auth      api-key               External integrations

Next Steps