Add auth_route parameter to SupabaseProvider

[jlowin]

Backport of #2632 to the 2.x release line.

Adds an auth_route parameter to SupabaseProvider for self-hosted Supabase setups using custom authentication routes.

from fastmcp.server.auth.providers.supabase import SupabaseProvider

provider = SupabaseProvider(
    project_url="https://my-project.supabase.co",
    jwt_secret="...",
    auth_route="custom/auth/v1"  # Default: "auth/v1"
)

Closes #2522

Co-authored-by: Eloi Zalczer eloi@entropia.io

[coderabbitai]

Walkthrough

This pull request adds support for self-hosted Supabase Auth deployments by introducing a customizable auth_route parameter to the Supabase provider configuration. Documentation for the Supabase integration has been updated to reflect this capability, including a new environment variable FASTMCP_SERVER_AUTH_SUPABASE_AUTH_ROUTE with a default value of /auth/v1. The implementation updates all OAuth and JWKS endpoint URLs within the provider to be dynamically constructed from project_url combined with auth_route, replacing the previous hard-coded /auth/v1 paths. The SupabaseProvider constructor signature and SupabaseProviderSettings class have been modified to accept and store this parameter.

Possibly related PRs

• Add supabase docs #2030: Initial creation of the Supabase integration documentation page that this PR now extends with self-hosted auth support and auth route customization.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding an auth_route parameter to SupabaseProvider.
Description check	✅ Passed	The description provides clear context, includes a code example, and references the linked issue (#2522). It follows most template requirements.
Linked Issues check	✅ Passed	The PR fully implements the preferred solution from issue #2522: adding an optional auth_route parameter with a default value of /auth/v1.
Out of Scope Changes check	✅ Passed	All changes are directly related to adding the auth_route parameter: code implementation and documentation updates with no unrelated modifications.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch supabase-auth-route-2.x

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

docs/integrations/supabase.mdx (1)

38-42: Improve example clarity and move explanation to prose.

The current example has two issues:

1. The auth_route value "/my/auth/route" is not realistic. Real-world examples would be "auth/v1", "api/auth/v1", or "custom-auth/v1".
2. Important information is conveyed via code comment rather than prose, which contradicts the guideline: "Use prose over code comments for important information."

🔎 Proposed improvements

Option 1: Show basic example first, then self-hosted variant

+<Note>
+The `auth_route` parameter is only needed for self-hosted Supabase Auth instances with custom routes. If you're using Supabase's managed service, you can omit this parameter.
+</Note>
+
 ```python server.py
 from fastmcp import FastMCP
 from fastmcp.server.auth.providers.supabase import SupabaseProvider
 
 # Configure Supabase Auth
 auth = SupabaseProvider(
     project_url="https://abc123.supabase.co",
-    base_url="http://localhost:8000",
-    auth_route="/my/auth/route" # if self-hosting and using custom routes
+    base_url="http://localhost:8000"
 )
+
+# For self-hosted Supabase Auth with custom routes:
+# auth = SupabaseProvider(
+#     project_url="https://your-supabase-instance.com",
+#     base_url="http://localhost:8000",
+#     auth_route="api/auth/v1"  # Custom authentication route
+# )

Option 2: Use Tabs component for different scenarios

+<Tabs>
+<Tab title="Managed Supabase">
 ```python server.py
 from fastmcp import FastMCP
 from fastmcp.server.auth.providers.supabase import SupabaseProvider
 
-# Configure Supabase Auth
 auth = SupabaseProvider(
     project_url="https://abc123.supabase.co",
-    base_url="http://localhost:8000",
-    auth_route="/my/auth/route" # if self-hosting and using custom routes
+    base_url="http://localhost:8000"
+)
+
+mcp = FastMCP("Supabase Protected Server", auth=auth)
+```
+</Tab>
+<Tab title="Self-Hosted">
+```python server.py
+from fastmcp import FastMCP
+from fastmcp.server.auth.providers.supabase import SupabaseProvider
+
+auth = SupabaseProvider(
+    project_url="https://your-supabase-instance.com",
+    base_url="http://localhost:8000",
+    auth_route="api/auth/v1"  # Custom authentication route
 )
 
 mcp = FastMCP("Supabase Protected Server", auth=auth)
+```
+</Tab>
+</Tabs>

As per coding guidelines: "Use Tabs component for platform-specific content or alternative approaches" and "Use prose over code comments for important information."

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4963b51 and 989c2d6.

⛔ Files ignored due to path filters (1)

• tests/server/auth/providers/test_supabase.py is excluded by none and included by none

📒 Files selected for processing (2)

• docs/integrations/supabase.mdx
• src/fastmcp/server/auth/providers/supabase.py

🧰 Additional context used

📓 Path-based instructions (4)

docs/**/*.mdx

📄 CodeRabbit inference engine (docs/.cursor/rules/mintlify.mdc)

docs/**/*.mdx: Use clear, direct language appropriate for technical audiences
Write in second person ('you') for instructions and procedures in MDX documentation
Use active voice over passive voice in MDX technical documentation
Employ present tense for current states and future tense for outcomes in MDX documentation
Maintain consistent terminology throughout all MDX documentation
Keep sentences concise while providing necessary context in MDX documentation
Use parallel structure in lists, headings, and procedures in MDX documentation
Lead with the most important information using inverted pyramid structure in MDX documentation
Use progressive disclosure in MDX documentation: present basic concepts before advanced ones
Break complex procedures into numbered steps in MDX documentation
Include prerequisites and context before instructions in MDX documentation
Provide expected outcomes for each major step in MDX documentation
End sections with next steps or related information in MDX documentation
Use descriptive, keyword-rich headings for navigation and SEO in MDX documentation
Focus on user goals and outcomes rather than system features in MDX documentation
Anticipate common questions and address them proactively in MDX documentation
Include troubleshooting for likely failure points in MDX documentation
Provide multiple pathways (beginner vs advanced) but offer an opinionated path to avoid overwhelming users in MDX documentation
Always include complete, runnable code examples that users can copy and execute in MDX documentation
Show proper error handling and edge case management in MDX code examples
Use realistic data instead of placeholder values in MDX code examples
Include expected outputs and results for verification in MDX code examples
Test all code examples thoroughly before publishing in MDX documentation
Specify language and include filename when relevant in MDX code examples
Add explanatory comments for complex logic in MDX code examples
Document all API...

Files:

• docs/integrations/supabase.mdx

docs/**/*.{md,mdx,json}

📄 CodeRabbit inference engine (AGENTS.md)

Documentation uses Mintlify framework. Files must be in docs.json to be included. Never modify docs/python-sdk/** (auto-generated)

Files:

• docs/integrations/supabase.mdx

docs/**/*.{md,mdx}

📄 CodeRabbit inference engine (AGENTS.md)

docs/**/*.{md,mdx}: Code examples in documentation must explain before showing code and make blocks fully runnable (include imports)
Documentation structure: Headers form navigation guide with logical H2/H3 hierarchy. Content should be user-focused with sections motivating features (why) before mechanics (how). Use prose over code comments for important information
Never use 'This isn't...' or 'not just...' constructions in writing - state what something IS directly. Avoid defensive writing patterns

Files:

• docs/integrations/supabase.mdx

src/fastmcp/**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

src/fastmcp/**/*.py: Python ≥ 3.10 with full type annotations required
Prioritize readable, understandable code - clarity over cleverness. Avoid obfuscated or confusing patterns even if shorter
Follow existing patterns and maintain consistency in code implementation
Be intentional about re-exports - don't blindly re-export everything to parent namespaces. Core types defining a module's purpose should be exported. Specialized features can live in submodules. Only re-export to fastmcp.* for most fundamental types
Never use bare except - be specific with exception types

Files:

• src/fastmcp/server/auth/providers/supabase.py

🧠 Learnings (1)

📚 Learning: 2025-11-26T21:52:08.947Z

Learnt from: CR
Repo: jlowin/fastmcp PR: 0
File: docs/.cursor/rules/mintlify.mdc:0-0
Timestamp: 2025-11-26T21:52:08.947Z
Learning: Applies to docs/**/*.mdx : Provide authentication examples showing proper format in MDX API documentation

Applied to files:

• docs/integrations/supabase.mdx

🧬 Code graph analysis (1)

src/fastmcp/server/auth/providers/supabase.py (1)

src/fastmcp/server/auth/providers/jwt.py (1)

• JWTVerifier (165-498)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Run tests: Python 3.13 on ubuntu-latest
• GitHub Check: Run tests: Python 3.10 on windows-latest
• GitHub Check: Run tests with lowest-direct dependencies
• GitHub Check: Run tests: Python 3.10 on ubuntu-latest

🔇 Additional comments (6)

src/fastmcp/server/auth/providers/supabase.py (4)

37-37: LGTM! Default value aligns with existing Supabase behavior.

The default value of "/auth/v1" maintains backward compatibility with the standard Supabase Auth route.

---

97-97: LGTM! Parameter follows existing patterns.

The auth_route parameter follows the same NotSetT pattern used by other optional parameters in this codebase.

Also applies to: 121-121

---

170-170: LGTM! OAuth metadata endpoint updated correctly.

The metadata forwarding route now uses the configurable auth_route, which enables self-hosted Supabase Auth with custom paths.

---

136-137: The URL construction pattern is robust for typical usage.

The pattern f"{self.project_url}/{self.auth_route}" works correctly with multi-segment paths and internal slashes—strip("/") only removes leading and trailing slashes, preserving internal path segments. For example, "api/auth/v1".strip("/") remains "api/auth/v1", resulting in valid URLs like https://example.com/api/auth/v1/.well-known/jwks.json.

Empty strings are a non-issue in practice since auth_route has a default value of "/auth/v1" (line 37) and would only cause double slashes if explicitly passed, which is unlikely.

docs/integrations/supabase.mdx (2)

20-20: LGTM! Prerequisites updated for self-hosted deployments.

The addition of "or a self-hosted Supabase Auth instance" appropriately expands the prerequisites to cover the use case this PR addresses.

---

121-123: LGTM! Environment variable documentation is clear and accurate.

The documentation correctly specifies the default value "/auth/v1", which matches the code implementation, and provides a clear description with an example.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add validation to prevent empty auth_route after stripping.

If a user passes auth_route="/", the strip("/") operation results in an empty string, which would produce malformed URLs like "https://example.com//.well-known/jwks.json" (double slashes).

🔎 Suggested fix to validate auth_route

 self.auth_route = settings.auth_route.strip("/")
+if not self.auth_route:
+    raise ValueError("auth_route cannot be empty after removing slashes")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	self.auth_route = settings.auth_route.strip("/")
	self.auth_route = settings.auth_route.strip("/")
	if not self.auth_route:
	raise ValueError("auth_route cannot be empty after removing slashes")