Authentication
Esta página aún no está disponible en tu idioma.
Overview
Section titled “Overview”Rebase includes a complete backend authentication system:
- JWT tokens — Access and refresh token flow with configurable expiration
- OAuth providers — Google, LinkedIn, GitHub, Microsoft, Apple, and more
- SMTP email — Password reset and email verification flows
- Auth hooks — Lifecycle hooks for user creation and more
- Custom auth adapters — Plug in Firebase Auth, Auth0, Clerk, or any external provider
- Service key — Static key for server-to-server authentication
- Auto-bootstrapping — First user automatically gets the admin role
Configuration
Section titled “Configuration”The auth block in initializeRebaseBackend controls all backend authentication:
const backend = await initializeRebaseBackend({ // ... auth: { collection: usersCollection, // Your users collection definition jwtSecret: env.JWT_SECRET, // Required — signing secret accessExpiresIn: "1h", // Access token lifetime (default: 1h) refreshExpiresIn: "30d", // Refresh token lifetime (default: 30d) serviceKey: env.REBASE_SERVICE_KEY, // Optional — for server-to-server calls allowRegistration: true, // Allow new signups (default: true) seedDefaultRoles: true, // Seed enum roles on startup
// OAuth providers google: env.GOOGLE_CLIENT_ID ? { clientId: env.GOOGLE_CLIENT_ID } : undefined,
// SMTP email (for password reset, email verification) email: env.SMTP_HOST ? { from: env.SMTP_FROM || `${env.APP_NAME} <noreply@example.com>`, smtp: { host: env.SMTP_HOST, port: env.SMTP_PORT, // 587 for TLS, 465 for SSL secure: env.SMTP_SECURE, // true for port 465 auth: env.SMTP_USER ? { user: env.SMTP_USER, pass: env.SMTP_PASS! } : undefined, name: env.SMTP_NAME, // Optional EHLO/HELO hostname }, appName: env.APP_NAME, resetPasswordUrl: env.FRONTEND_URL, // URL for password reset page } : undefined,
// Lifecycle hooks hooks: { afterUserCreate: async (user) => { console.log(`New user registered: ${user.email}`); } } }});OAuth Providers
Section titled “OAuth Providers”Each OAuth provider is configured with at minimum a clientId. Some providers require a clientSecret:
auth: { google: { clientId: "..." }, linkedin: { clientId: "...", clientSecret: "..." }, github: { clientId: "...", clientSecret: "..." }, microsoft: { clientId: "...", clientSecret: "...", tenantId: "..." }, apple: { clientId: "...", teamId: "...", keyId: "...", privateKey: "..." }, facebook: { clientId: "...", clientSecret: "..." }, twitter: { clientId: "...", clientSecret: "..." }, discord: { clientId: "...", clientSecret: "..." }, gitlab: { clientId: "...", clientSecret: "..." }, bitbucket: { clientId: "...", clientSecret: "..." }, slack: { clientId: "...", clientSecret: "..." }, spotify: { clientId: "...", clientSecret: "..." },}Auth Endpoints
Section titled “Auth Endpoints”All auth endpoints are mounted at /api/auth/:
| Method | Path | Description |
|---|---|---|
POST | /api/auth/register | Create a new account |
POST | /api/auth/login | Login with email/password |
POST | /api/auth/refresh | Refresh the access token |
POST | /api/auth/<provider> | OAuth sign-in (e.g., /api/auth/google, /api/auth/linkedin) |
POST | /api/auth/logout | Revoke refresh token |
POST | /api/auth/forgot-password | Send password reset email |
POST | /api/auth/reset-password | Reset password with token |
All data API endpoints require a valid Authorization: Bearer <token> header when requireAuth: true (the default).
Auto-Created Tables
Section titled “Auto-Created Tables”On first startup, Rebase creates these tables in the rebase schema:
rebase.users— User accounts with email, password hash, and arolestext[] columnrebase.refresh_tokens— JWT refresh token storage
Roles are stored as a text[] array column directly on the users table — there are no separate roles or user_roles tables.
First User Bootstrap
Section titled “First User Bootstrap”When no users exist in the database, the first person to register automatically becomes an admin. After that, registration is controlled by the allowRegistration setting.
This ensures you can always bootstrap a fresh deployment without needing to seed the database manually.
Service Key Authentication
Section titled “Service Key Authentication”For server-to-server communication (e.g., cron jobs, external services), configure a static service key:
auth: { serviceKey: process.env.REBASE_SERVICE_KEY, // ...}Clients authenticate with the Authorization: Bearer <service-key> header. The service key bypasses user authentication and grants full access.
Custom Auth Adapters
Section titled “Custom Auth Adapters”Rebase allows complete replacement of the built-in authentication system via the AuthAdapter interface. Use this to integrate with Firebase Auth, Auth0, Clerk, or any external SSO provider:
import { AuthAdapter } from "@rebasepro/types";
const myAdapter: AuthAdapter = { middleware: async (c, next) => { // Extract and verify token from the request const token = c.req.header("Authorization")?.replace("Bearer ", ""); // Verify with your auth provider... // Set user context for downstream handlers await next(); }};
await initializeRebaseBackend({ auth: myAdapter, // Pass adapter directly instead of config object // ...});Next Steps
Section titled “Next Steps”- Frontend Authentication — Login UI, auth controller, user management
- Security Rules (RLS) — Row-level access control
- Client SDK Authentication — Auth methods in the client SDK
