SecureStartKit
Authentication

@supabase/ssr

Also known as: supabase-ssr, Supabase SSR package

Definition

@supabase/ssr is the official Supabase package for server-side authentication in Next.js, SvelteKit, and other SSR frameworks. It manages JWT storage in httpOnly cookies, handles the OAuth and magic-link callback cookie writes, and exposes createServerClient and createBrowserClient helpers for each context.

What is @supabase/ssr?

@supabase/ssr is the Supabase JS library's server-side rendering companion. It replaced the older @supabase/auth-helpers-nextjs package in 2024. The library exposes two factory functions: createServerClient for Server Components, Server Actions, and Route Handlers, and createBrowserClient for Client Components.

What problem does @supabase/ssr solve?

Cookie management across the server-client boundary. When a user authenticates, the session JWT must land in an httpOnly cookie that the server can read on the next request. The package handles the cookie write on the server side (where cookies() from next/headers is available) and provides matching read APIs that work in both Server Components and middleware/proxy.

Why is @supabase/ssr the secure default?

httpOnly cookies cannot be read by JavaScript running in the page, so an XSS bug cannot exfiltrate the session token. The older pattern of storing the JWT in localStorage made every XSS a session-theft incident. The PKCE flow that the library uses by default also prevents authorization-code interception in OAuth and magic-link flows.

Learn more

  • Supabase Auth in Next.js App Router
  • Supabase JWT + Session Management

Related terms

  • JWT: A JWT is a signed, base64url-encoded token carrying claims about a user. Supabase issues JWTs after authentication, signs them with ES256 asymmetric keys (default for new projects since October 2025), and Next.js apps validate them server-side via getClaims without a network round trip to the auth server.
  • getClaims: getClaims is the Supabase Auth method that locally validates a JWT against the cached public key from the project's JWKS endpoint and returns the parsed claims. It replaces getSession for authorization because getSession reads the cookie without re-validating the signature.
  • PKCE: PKCE (Proof Key for Code Exchange) is the OAuth 2.1 flow that prevents authorization-code interception by browser-based clients. The client generates a verifier, hashes it into a challenge, sends the challenge with the auth request, and presents the original verifier at the code-exchange step. An attacker who steals the code alone cannot complete the exchange.
  • OAuth: OAuth is an open standard for delegated authorization, used in Supabase apps as federated sign-in via providers like Google, GitHub, and Apple. The user authenticates with the provider, the provider returns an authorization code to a callback route, and the server exchanges the code for a Supabase session via PKCE.