Authentication
Sign up, sign in, password reset, magic links, social login. Done.
Auth is the first thing people build and the last thing they get right
Getting authentication wrong is expensive. Session management bugs, insecure cookie handling, OAuth redirect loops, forgotten password flows that do not actually send emails. We have seen it all.
So we built it once, correctly, and included it in every kit.
What is ready for you
Users can sign up with email and password, sign in with a magic link (no password needed), or use Google and GitHub. Adding more OAuth providers takes a couple clicks in the Supabase dashboard.
Sessions are validated server-side on every request. Protected routes redirect unauthenticated users automatically. Your API procedures know who is calling them without you writing any auth logic.
There is also a first-time onboarding flow. New users do not just land on a blank dashboard. They are guided through setting up their profile so the experience feels complete from the start.
How it works in practice
You do not touch any of this during the build. The auth system is part of the framework, and the AI agents know how to work with it. When an agent builds a new feature that needs to know who the current user is, it already has access to that information through the existing auth layer.
When a step requires a protected page or a user-specific API call, the agent uses the auth system that is already in place. No extra configuration, no wiring, no "figure out the auth middleware" detours.
Your users get a polished sign-up experience. You get to skip the part where you spend a week debugging OAuth callbacks.