SecureStartKit
SecurityFeaturesPricingDocsBlogChangelog
Sign inBuy Now
Home/Glossary/AAL
Authentication

AAL(Authenticator Assurance Level)

Also known as: Authenticator Assurance Level, aal1, aal2

Definition

AAL (Authenticator Assurance Level) is a JWT claim that reflects how strongly the user authenticated. AAL1 means one factor (password, OAuth, magic link). AAL2 means a second factor verified for this session (TOTP code). RLS policies read `auth.jwt() ->> 'aal'` to gate sensitive operations.

What does AAL stand for?

AAL stands for Authenticator Assurance Level, a NIST term for how strongly a user has proven their identity in the current session. Supabase stamps the level into the JWT as the aal claim, where aal1 is one factor and aal2 is one factor plus a verified MFA challenge.

How do you enforce AAL2 in Postgres?

Write a restrictive RLS policy on sensitive tables: using ((select auth.jwt() ->> 'aal') = 'aal2'). Restrictive policies AND with permissive ones, so existing user-scoping rules still apply but layered on top is the MFA requirement. UI-only gating is decoration; database-layer enforcement is architecture.

What is AAL2 step-up authentication?

A user authenticates at AAL1 (password) and is then prompted to complete a second factor before accessing a sensitive route. Call supabase.auth.mfa.getAuthenticatorAssuranceLevel() to read currentLevel and nextLevel. If current is aal1 and next is aal2, the user has MFA enrolled but has not stepped up this session.

Learn more

  • Supabase OAuth, Magic Links, MFA in Next.js
  • Supabase JWT + Session Management

Related terms

  • MFAMFA (Multi-Factor Authentication) requires a user to prove identity with a second factor beyond their password or OAuth login. In Supabase, MFA is implemented via TOTP (authenticator app) or phone (SMS). Successful verification promotes the session to AAL2, which RLS policies can gate on.
  • TOTPTOTP (Time-based One-Time Password) is a six-digit code generated every 30 seconds from a shared secret. The user scans a QR code at enrollment, their authenticator app derives the secret, and Supabase verifies the code by computing the same derivation. TOTP is the recommended MFA factor over SMS.
  • JWTA JWT is a signed, base64url-encoded token carrying claims about a user. Supabase issues JWTs after authentication, signs them with ES256 asymmetric keys (default for new projects since October 2025), and Next.js apps validate them server-side via getClaims without a network round trip to the auth server.
  • Row Level SecurityRow Level Security is a Postgres feature that filters which rows of a table each user can see or modify. In Supabase apps, RLS policies are written in SQL and evaluated on every query against the authenticated user's JWT claims, making the database itself the authorization boundary.
← Back to full glossary