Skip to main content
Boilerlykit - Home
Browse Templates

Feature deep-dive · SaaSForge Starter

Supabase Auth boilerplate for Next.js (magic link + Google OAuth)

Supabase Auth boilerplate for Next.js (magic link + Google OAuth)

Auth is the boilerplate decision that ripples the longest. Pick wrong on day one and you spend month six wiring around it. Supabase Auth is the choice across BoilerlyKit because it gives you a Postgres-native identity layer that pairs naturally with Row Level Security, supports the providers buyers actually ask for, and stays out of the way of Next.js Server Components.

What ships in SaaSForge Starter (the minimal version)

SaaSForge Starter is the smallest version: magic-link email sign-in, Google OAuth, a `/dashboard` route gated by session, and a sign-out flow. No workspaces, no roles, no billing, just identity. The intent is that you bring your own database schema and product surface; the auth layer does not assume what you are building.

Sessions are read with the Supabase server client inside Server Components, so protected routes do not need a client-side useEffect to discover the user. This matters for first paint and for code review: the session is a server-side fact, not a client-side guess.

What SaaSForge AI, Core, and Agency add on top

SaaSForge AI keeps the same Supabase Auth wiring and adds per-user data ownership for chat threads, uploads, and credit balances. SaaSForge Core extends it with workspaces, four-role RBAC, invitations via Resend, 2FA, and SAML SSO hooks for enterprise procurement. SaaSForge Agency uses Supabase for the contact-form persistence layer alongside the Directus-driven marketing site.

The common substrate matters for upgrade paths: if you start on Starter and graduate to Core, you are not throwing away the auth flow, you are adding workspace membership on top of the same `auth.users` table.

Magic link vs Google OAuth: when each one wins

Magic link is the default because it removes the password surface entirely. No password storage, no reset flow, no breached-credentials risk on your side. The trade-off is that every sign-in is an email round trip; that is fine for most B2B and B2C SaaS, less fine for products where users sign in many times a day.

Google OAuth is the second provider because that is what business buyers actually use. Adding Microsoft, GitHub, or Apple OAuth in Supabase is a config-and-callback exercise, not a code rewrite. The boilerplate's auth UI is structured so adding a third provider button is one component change.

The Server Component pattern, the one bit that matters

Next.js App Router pushes you to read auth state on the server. The Supabase server client wraps cookies/`next/headers` so a Server Component can call `getUser()` and gate render decisions without flashing unauthenticated content to the user.

Client Components that need the session use a thin context provider hydrated from the server. The pattern is documented in each product's setup docs; the goal is that you never have a route where the auth check lives in a `useEffect` waiting for the client to load.

Server-side session check in a protected route
import { createClient } from "@/lib/supabase/server";
import { redirect } from "next/navigation";

export default async function DashboardPage() {
  const supabase = await createClient();
  const { data: { user } } = await supabase.auth.getUser();
  if (!user) redirect("/sign-in");
  return <Dashboard userId={user.id} />;
}

Frequently asked

Is Supabase Auth required, or can I swap it out?
It is the default but not the only path. The auth layer is wrapped in a small set of helpers (`createClient`, `getUser`, sign-in/out flows) so swapping to Clerk, Auth.js, or WorkOS is a contained edit rather than a project-wide refactor. SaaSForge Starter is the easiest to swap because it has no Supabase RLS coupling; Core leans on Supabase Auth and RLS together.
How does it handle email verification?
Magic links double as verification, the user has to click an email to sign in, which proves ownership of the address. For Google OAuth, Supabase trusts Google's verified email claim. If you add a password provider later, you would also enable Supabase's email confirmation flow.
What about 2FA and SSO?
SaaSForge Core ships TOTP 2FA via Supabase Auth and patterns for SAML SSO (Okta, Azure AD, Google Workspace). SaaSForge Starter and AI do not surface these by default, add them when the buyer profile demands it. The underlying Supabase plan you are on determines which SSO features are available.
Does this work for purely client-side apps?
Yes, but the boilerplates lean on Server Component reads to avoid auth-state flashing. The Supabase JS client can run client-side for actions like sign-in or sign-out; the recommended pattern is server-read for protected pages, client-call for explicit auth actions.

Related reading

Ships in SaaSForge Starter

See SaaSForge Starter. Skip the deliberation.

Full source code. Lifetime updates. Polar Merchant-of-Record checkout. Private GitHub repo on purchase.