Custom Access Token Hook

Customize the access token issued by Supabase Auth

The custom access token hook runs before a token is issued and allows you to add additional claims based on the authentication method used.

Claims returned must conform to our specification. Supabase Auth will check for these claims after the hook is run and return an error if they are not present.

These are the fields currently available on an access token:

Required claims: iss, aud, exp, iat, sub, role, aal, session_id
Optional claims: jti, nbf, app_metadata, user_metadata, amr, email, phone

Inputs

Field | Type | Description
user_id | string | Unique identifier for the user attempting to sign in.
claims | object | Claims which are included in the access token.
authentication_method | string | The authentication method used to request the access token. Possible values include: oauth, password, otp, totp, recovery, invite, sso/saml, magiclink, email/signup, email_change, token_refresh, anonymous.

Example input (an anonymous sign-in):

{
  "user_id": "8ccaa7af-909f-44e7-84cb-67cdccb56be6",
  "claims": {
    "aud": "authenticated",
    "exp": 1715690221,
    "iat": 1715686621,
    "sub": "8ccaa7af-909f-44e7-84cb-67cdccb56be6",
    "email": "",
    "phone": "",
    "app_metadata": {},
    "user_metadata": {},
    "role": "authenticated",
    "aal": "aal1",
    "amr": [ { "method": "anonymous", "timestamp": 1715686621 } ],
    "session_id": "4b938a09-5372-4177-a314-cfa292099ea2",
    "is_anonymous": true
  },
  "authentication_method": "anonymous"
}

Outputs

Return these only if your hook processed the input without errors.

Field | Type | Description
claims | object | The updated claims after the hook has been run.
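The input/output contract above is enough to write a hook that adds claims rather than removes them. The following is an added example, not the hook from the Supabase documentation: it records the authentication method in app_metadata and, for non-anonymous sessions, copies an application role from an assumed table public.user_roles (a table you would maintain yourself; its name and columns are this example's assumption). The grant and revoke statements at the end reflect that the Auth server calls the hook as the supabase_auth_admin role and that no client role should be able to invoke it; adjust them to your project. Only one custom access token hook can be enabled at a time, so this function replaces the claim-trimming one shown further down if you install both under the same name.

```sql
-- Added example; not the Supabase docs' own hook.
-- Assumption: an application-managed mapping from auth user id to a role name.
create table if not exists public.user_roles (
  user_id uuid primary key,
  role text not null
);

create or replace function public.custom_access_token_hook(event jsonb)
returns jsonb
language plpgsql
stable
as $$
declare
  claims jsonb := event->'claims';
  auth_method text := event->>'authentication_method';
  user_role text;
begin
  -- Keep every claim the Auth server supplied (iss, aud, exp, iat, sub, role,
  -- aal and session_id are mandatory); this hook only adds to app_metadata,
  -- which is server-controlled, rather than user_metadata, which clients can edit.
  claims := jsonb_set(
    claims,
    '{app_metadata}',
    coalesce(claims->'app_metadata', '{}'::jsonb)
      || jsonb_build_object('sign_in_method', auth_method)
  );

  -- Anonymous sessions never receive an application role, even if a row
  -- happens to exist for the user id.
  if auth_method <> 'anonymous' then
    select ur.role into user_role
    from public.user_roles ur
    where ur.user_id = (event->>'user_id')::uuid;

    if user_role is not null then
      claims := jsonb_set(claims, '{app_metadata,user_role}', to_jsonb(user_role));
    end if;
  end if;

  return jsonb_build_object('claims', claims);
end;
$$;

-- Assumed deployment steps: the Auth server invokes the hook as supabase_auth_admin
-- and needs to read the lookup table; client roles must not be able to call the hook.
grant usage on schema public to supabase_auth_admin;
grant select on table public.user_roles to supabase_auth_admin;
grant execute on function public.custom_access_token_hook(jsonb) to supabase_auth_admin;
revoke execute on function public.custom_access_token_hook(jsonb) from authenticated, anon, public;
```

Because the hook's output is what ends up signed into the JWT, any policy decision encoded here (such as the user_role claim) should be derived from data only server-side code can write; the authentication_method field lets you refuse to attach elevated claims to sessions established through weaker paths, as the anonymous check above does.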

Sometimes the size of the JWT can be a problem, especially if you're using a Server-Side Rendering framework. Common situations where the JWT can get too large include:

  • The user has a particularly large name, email address or phone number
  • The default JWT has too many claims coming from OAuth providers
  • A large avatar URL is included

To lower the size of the JWT you can define a Custom Access Token hook like the one below, which instructs the Auth server to issue a JWT containing only the listed claims. Check the claim specification above for the JWT claims that must be present and cannot be removed.

Refer to the Postgres JSON functions documentation for how to manipulate jsonb objects.

create or replace function public.custom_access_token_hook(event jsonb)
returns jsonb
language plpgsql
as $$
declare
  original_claims jsonb;
  new_claims jsonb;
  claim text;
begin
  original_claims := event->'claims';
  new_claims := '{}'::jsonb;

  -- Copy only an allow-list of claims; everything else (email, phone,
  -- user_metadata, app_metadata, amr, ...) is dropped from the issued JWT.
  foreach claim in array array[
    -- add claims you want to keep here; the required claims must stay in this list
    'iss',
    'aud',
    'exp',
    'iat',
    'sub',
    'role',
    'aal',
    'session_id'
  ] loop
    if original_claims ? claim then
      -- original_claims contains one of the listed claims, set it on new_claims
      new_claims := jsonb_set(new_claims, array[claim], original_claims->claim);
    end if;
  end loop;

  return jsonb_build_object('claims', new_claims);
end
$$;