Also known as: supabase.auth.getClaims, getClaims()
Definition
getClaims is the Supabase Auth method that locally validates a JWT against the cached public key from the project's JWKS endpoint and returns the parsed claims. It replaces getSession for authorization because getSession reads the cookie without re-validating the signature.
getClaims() extracts the access token from the session cookie, fetches the project's public key from the JWKS endpoint (cached after first call), verifies the JWT signature locally with the Web Crypto API, and returns the parsed claims as a typed object. Validation happens in microseconds and produces the same cryptographic guarantee as a network call to Supabase Auth.
For server-side authorization in Server Actions, Route Handlers, and middleware, use getClaims(). It is faster than getUser() (no network round trip) with the same security guarantee. Use getUser() only when you need user data that is not in the JWT claims, such as a fresh email_verified flag.
getSession() reads the cookie and returns whatever is there without verifying the signature. If the JWT signing key has been rotated, or if an attacker forged or tampered with a JWT, getSession cannot tell the difference, because it never checks the signature at all. The Supabase docs explicitly discourage getSession for authorization since the asymmetric-keys release in October 2025.