$HEADLESS SYSTEMS
03 / Scorecard / Auth & Identity

Supabase Auth

Grade: B
Headless Index: 74/100
JAIRF: 66.6/100 (Level 2, AI-Aware)
Verified · May 21, 2026
Methodology v1 · JAIRF v1.0.0

Powered by JAIRF v1.0.0 by Jentic · open methodology at /the-headless-index/methodology

Editorial verdict
Supabase Auth is solidly built for programmatic consumption. The Headless Index thesis-fit score of 74/100 lands it in the upper-middle of the index, and JAIRF v1.0.0 puts it at 66.6/100 (Level 2, AI-Aware). Vendors at this tier ship most of the primitives agents need, with one or two surfaces still leaning on documentation rather than discovery; the rest of this verdict explains where Supabase Auth lands inside that pattern.

API surface. The question is whether the API is the product or a layer beneath the dashboard. Supabase Auth (built on GoTrue, maintained as supabase/auth) is consumed primarily through the Supabase JS, Python, and Dart SDKs, with the REST API beneath them. Social providers, magic link, email OTP, phone OTP, SAML, and MFA are all first-class primitives. The API surface is small and consistent, which is part of Supabase's broader API-first positioning.[1] One caveat on the evidence: the SDK crawl found only the Rust and Swift repositories and flagged no TypeScript/JavaScript SDK, while supabase-js is the primary client; read those signals as a crawler gap, not a product gap.

Schema observability. Can an agent introspect the contract from cold, or does it have to read prose documentation? The PostgREST-backed data API is introspectable via OpenAPI generated from the database schema. The auth endpoints follow the GoTrue contract, published as openapi.yaml in the supabase/auth repository. Schema discoverability is solid,[2] though the crawler parsed that file with an undefined OpenAPI version and counted 0 operations, so the operation count here rests on reading the spec rather than on the measured signal.

Headless operability. User CRUD, identity-provider configuration, MFA management, and session control are programmable. RLS policies in Postgres extend the auth surface into row-level access control, keyed on the claims in the caller's JWT. The Supabase CLI plus the supabase-js client cover the operational surface.[3] An agent can drive this product across most practical workflows, with a handful of edges where documentation reading still beats schema discovery.

MCP and agent integration, the fastest-moving criterion in the index. Supabase has invested in MCP for the broader platform through the supabase-community MCP server. No auth-specific MCP server has been authored, but the platform server covers identity operations.[4] The automated probe checks only the vendor's own GitHub org and the official MCP registry, so it recorded none; integrators should confirm the community server's identity coverage themselves.

Event posture. An agent that cannot react to state changes is reduced to polling. Database webhooks (powered by pg_net) plus Auth Hooks for identity lifecycle events deliver events to external HTTPS endpoints. Auth Hooks sent over HTTPS are signed (Standard Webhooks headers), so the receiver can verify origin and freshness; database webhooks carry only the headers the trigger is configured to send, so signing there is the integrator's to add. The catalog fits the database-plus-auth integration use case. The crawler reached no webhook documentation within budget, so this axis is scored on editorial knowledge rather than measured signals.

Net assessment. Supabase Auth can be operated by agents for the majority of practical workflows. The closest thing to a gap is MCP posture,[5] which integrators should sanity-check against their own use case before committing. Strong fit for agent-driven use cases.
Verdict by Headless Index pipeline (auto)
// AI-drafted from the evidence layer. Editorial review pending.
Scores

Scorecard detail

Headless Index · 5 sub-criteria
API-first design intent: 18/20 (scored)

Supabase Auth (built on GoTrue, maintained as supabase/auth) is consumed primarily through the Supabase JS, Python, and Dart SDKs, with the REST API beneath them. Social providers, magic link, email OTP, phone OTP, SAML, and MFA are all first-class primitives. The API surface is small and consistent, which is part of Supabase's broader API-first positioning.

signals (5)
  • + AI review applied (Reviewer: Editorial review on 2026-05-20)
  • + OpenAPI spec: Published, 0 operations counted
  • GraphQL endpoint: Not discovered (5 probes; project-scoped endpoints require a real project ID)
  • · SDKs maintained: 2 (rust, swift); top by stars: supabase/supabase-swift (1234 stars)
  • + SDK recency: 2 of 2 SDK repos pushed within 30 days (most recent SDK commit: 2026-05-18)
cite (1)
  • github.sdks@2026-05-19
Headless operation: 16/20 (scored)

User CRUD, identity-provider configuration, MFA management, and session control are programmable. RLS policies in Postgres extend the auth surface into row-level access control, with policies keyed on the calling user's JWT claims (for example auth.uid()). The Supabase CLI plus the supabase-js client cover the operational surface.

signals (9)
  • + AI review applied (Reviewer: Editorial review on 2026-05-20)
  • API operations exposed: OpenAPI present but operations could not be counted
  • · Docs pages crawled: 0 pages (crawler: none)
  • · Auth schemes documented: Auth documentation page not reached by crawler
  • · Setup / quickstart docs: Not reached by crawler
  • · Billing docs: Not reached by crawler
  • · Teams / org docs: Not reached by crawler
  • · CLI docs: Not reached by crawler
  • · Schema / data model docs: Not reached by crawler
cite (1)
  • github.sdks@2026-05-19
MCP & agent posture: 12/20 (scored)

Supabase has invested in MCP elsewhere (the supabase-community MCP server for the broader platform). A specifically auth-focused MCP server has not been authored, but the broader Supabase MCP integration covers identity operations.

signals (4)
  • + AI review applied (Reviewer: Editorial review on 2026-05-20)
  • Official MCP server: None found in vendor's GitHub org or the official MCP registry
  • Community MCP servers: None found
  • Agent-friendly SDKs: No TypeScript/JavaScript SDK published (agents commonly run in TS/JS)
cite (1)
  • github.sdks@2026-05-19
Schema observability: 14/20 (scored)

The PostgREST-backed API surface is itself introspectable via OpenAPI generated from the database schema. Auth-specific endpoints follow the GoTrue contract documented in the supabase/auth repository. Schema discoverability is solid.

signals (3)
  • + AI review applied (Reviewer: Editorial review on 2026-05-20)
  • + OpenAPI: Published at https://raw.githubusercontent.com/supabase/auth/master/openapi.yaml (OpenAPI version: undefined; 0 operations counted)
  • GraphQL introspection: No GraphQL endpoint discovered (5 probes; some vendors use project-scoped endpoints that require a real project handle)
cite (1)
  • github.sdks@2026-05-19
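The crawler recorded the published spec as "OpenAPI undefined, 0 operations", which is what a spec looks like when the parser fails, not when the spec is empty. The following is an added example written for this review, not code from Supabase or the Headless Index pipeline. It shows the minimal cold introspection an agent or reviewer should do on an OpenAPI document: read the version from either the `openapi` (3.x) or `swagger` (2.0) key, count operations per HTTP method while skipping the non-operation keys a path item may carry, and list operations whose effective security is empty. The sample document is constructed inline and is not the real supabase/auth openapi.yaml; a practitioner would load that file with a YAML parser and pass the resulting dict to the same functions.

```python
from typing import Any, Dict, Iterator, List, Tuple

# HTTP methods that may appear as operation keys inside an OpenAPI path item.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def spec_version(spec: Dict[str, Any]) -> str:
    """Return the declared spec version, or 'undefined' when neither key is present.

    OpenAPI 3.x declares it under "openapi"; Swagger 2.0 under "swagger". A crawler
    that reads only one of the two reports 'undefined' for the other, which is one
    way a published spec ends up logged as unparseable.
    """
    for key in ("openapi", "swagger"):
        value = spec.get(key)
        if isinstance(value, str) and value.strip():
            return value
    return "undefined"


def iter_operations(spec: Dict[str, Any]) -> Iterator[Tuple[str, str, Dict[str, Any]]]:
    """Yield (METHOD, path, operation object) for every operation in the spec.

    A path item may also hold "parameters", "summary", "description", "servers"
    and "$ref"; those are not operations and are skipped here.
    """
    paths = spec.get("paths") or {}
    if not isinstance(paths, dict):
        return
    for path, item in paths.items():
        if not isinstance(item, dict):
            continue
        for key, op in item.items():
            if key.lower() in HTTP_METHODS and isinstance(op, dict):
                yield key.upper(), path, op


def list_operations(spec: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """(METHOD, path, operationId or '') for each operation, in document order."""
    return [(m, p, op.get("operationId", "")) for m, p, op in iter_operations(spec)]


def unauthenticated_operations(spec: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Operations whose effective security requirement is empty.

    An operation with an explicit `security: []` opts out of the document-level
    requirement; an operation with no `security` key inherits it. Either way, an
    empty effective list means the endpoint is reachable without credentials.
    """
    global_security = spec.get("security")
    return [(m, p) for m, p, op in iter_operations(spec)
            if not op.get("security", global_security)]


def summarize(spec: Dict[str, Any]) -> Dict[str, Any]:
    """The three numbers a reviewer wants from a spec before trusting a crawler's verdict."""
    return {
        "version": spec_version(spec),
        "operations": len(list_operations(spec)),
        "unauthenticated": unauthenticated_operations(spec),
    }


# Constructed sample (not the real supabase/auth spec): a few auth-style paths with a
# document-level bearer requirement and two endpoints that opt out of it.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "constructed-auth-api", "version": "0"},
    "security": [{"bearer": []}],
    "paths": {
        "/health": {
            "get": {"operationId": "health", "security": []},
        },
        "/token": {
            "summary": "path-level summary, not an operation",
            "parameters": [{"name": "grant_type", "in": "query"}],
            "post": {"operationId": "token", "security": []},
        },
        "/user": {
            "get": {"operationId": "getUser"},
            "put": {"operationId": "updateUser"},
        },
        "/admin/users": {
            "get": {"operationId": "adminListUsers"},
            "post": {"operationId": "adminCreateUser"},
        },
    },
}

if __name__ == "__main__":
    print(summarize(SAMPLE_SPEC))
```

The unauthenticated list is the part worth keeping in a review checklist: on a real auth spec it should contain only the endpoints that are meant to be anonymous (health, token exchange, sign-up), and anything else in it is a finding.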
Webhooks & events: 14/20 (scored)

Database webhooks (powered by pg_net) plus Auth Hooks for identity lifecycle events deliver events to external HTTPS endpoints. Auth Hooks sent over HTTPS are signed (Standard Webhooks headers), so the receiver can verify origin and freshness; database webhooks carry only the headers the trigger is configured to send, so signing there is the integrator's to add. The catalog fits the database-plus-auth integration use case.

signals (2)
  • + AI review applied (Reviewer: Editorial review on 2026-05-20)
  • · Webhook docs page: Not reached by crawler within budget (0 pages crawled); the crawl cannot confirm whether the vendor offers webhooks
cite (1)
  • github.sdks@2026-05-19
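Verifying the signature on an incoming Auth Hook is the check an integrator should run before acting on the event. The following is an added example written for this review, not code from Supabase or the Headless Index. It implements Standard Webhooks v1 verification as Supabase documents for HTTP Auth Hooks: the receiver recomputes HMAC-SHA256 over `<webhook-id>.<webhook-timestamp>.<raw body>` using the base64-decoded secret, compares in constant time, and rejects deliveries whose timestamp falls outside a replay window. The secret format `v1,whsec_<base64>`, the hook payload and the header values in the demo are constructed for illustration; confirm the secret format against your own project's hook configuration.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Standard Webhooks headers attached to an HTTP Auth Hook delivery.
# Header names are case-insensitive on the wire; they are normalised to lower-case here.
HEADER_ID = "webhook-id"
HEADER_TIMESTAMP = "webhook-timestamp"
HEADER_SIGNATURE = "webhook-signature"

# Maximum clock skew between webhook-timestamp and the receiver before a delivery is
# rejected as a replay. Five minutes is the Standard Webhooks default tolerance.
DEFAULT_TOLERANCE_SECONDS = 300


def secret_bytes(hook_secret: str) -> bytes:
    """Decode a hook secret of the form "v1,whsec_<base64>" into the raw HMAC key.

    Assumed format (check your project's hook settings): an optional "v1," version tag,
    the "whsec_" prefix, then base64. Both prefixes are stripped before decoding.
    """
    if hook_secret.startswith("v1,"):
        hook_secret = hook_secret[len("v1,"):]
    if hook_secret.startswith("whsec_"):
        hook_secret = hook_secret[len("whsec_"):]
    return base64.b64decode(hook_secret)


def sign(hook_secret: str, msg_id: str, timestamp: str, body: bytes) -> str:
    """Compute the v1 signature: "v1," + base64(HMAC-SHA256(key, "<id>.<ts>.<body>"))."""
    signed_content = f"{msg_id}.{timestamp}.".encode() + body
    digest = hmac.new(secret_bytes(hook_secret), signed_content, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify(hook_secret: str, headers: Dict[str, str], body: bytes, *,
           now: Optional[int] = None, tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Return True only if the delivery carries a valid and fresh v1 signature.

    The raw request body must be used as received; re-serialising parsed JSON
    changes the bytes and breaks the signature.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    msg_id = lowered.get(HEADER_ID)
    timestamp = lowered.get(HEADER_TIMESTAMP)
    sig_header = lowered.get(HEADER_SIGNATURE)
    if not (msg_id and timestamp and sig_header):
        return False  # a missing header is a rejection, not something to log and continue past

    # Replay window: reject stale or future-dated deliveries before touching the HMAC.
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > tolerance:
        return False

    expected = sign(hook_secret, msg_id, timestamp, body)
    # The header may carry several space-separated signatures (for example during
    # secret rotation). Accept if any v1 entry matches, using a constant-time compare.
    for candidate in sig_header.split():
        if candidate.startswith("v1,") and hmac.compare_digest(candidate, expected):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Constructed round trip: sign a fake hook payload, then check a good delivery,
    a tampered body, and a delivery replayed ten minutes later."""
    secret = "v1,whsec_" + base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
    body = b'{"user":{"id":"00000000-0000-0000-0000-000000000001","email":"a@example.com"}}'
    now = 1_700_000_000
    headers = {
        "webhook-id": "msg_demo_0001",
        "webhook-timestamp": str(now),
        "webhook-signature": sign(secret, "msg_demo_0001", str(now), body),
    }
    return {
        "valid": verify(secret, headers, body, now=now),
        "tampered": verify(secret, headers, body + b" ", now=now),
        "replayed": verify(secret, headers, body, now=now + 600),
    }


if __name__ == "__main__":
    print(demo())
```

In a real receiver, `body` is the raw request bytes and `now` is left at its default; the `now` parameter exists so the replay check can be exercised deterministically.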
JAIRF · 6 dimensions
FC · Foundational Compliance: 70/100
Structural validity, standards conformance, and parsability of the OpenAPI specification.

DXJ · Developer Experience & Tooling Compatibility: 60.5/100
Documentation clarity, example coverage, response completeness, and ingestion health.

ARAX · AI-Readiness & Agent Experience: 70.9/100
Semantic clarity, intent expression, datatype specificity, and error standardization.

AU · Agent Usability: 48.2/100
Operational composability, complexity comfort, navigation affordances, and safety patterns.

SEC · Security: 78/100
Authentication strength, transport security, secret hygiene, and OWASP risk posture.

AID · AI Discoverability: 80/100
Descriptive richness, intent phrasing, workflow context, and registry signals.

Band rationale: B band (JAIRF = 66.6, Headless Index = 74)

Calibration

How THI compares to external scorers

Source · Score · Measures · Last checked
Fern Agent Score · 75 (C) · Documentation completeness and SDK shape (~22 checks) · April 11, 2026
CLIRank Agent Friendliness · 100 (Excellent) · CLI readiness, docs quality, and overall agent affordances
Cloudflare Is It Agent Ready? · blocked · Cloudflare's manual agent-readiness heuristic per vendor URL
Jentic Scorecard · n/a · JAIRF-based scorecard requiring a public OpenAPI specification

THI display 74 vs external median 88 (delta -14). Within calibration band.