"Sign in with Supabase" doesn't work yet: GET /v1/profile rejects OAuth tokens
We built a "Continue with Supabase" sign-in button for ReviveDB this week and removed it the same day. The blocker is a single Management API restriction that isn't documented anywhere we could find, so here are our notes.
The blocker
A sign-in flow needs to know who authorized it. The Supabase Management API has an endpoint for that. GET /v1/profile returns gotrue_id, primary_email and username, and it sits in the OpenAPI spec like any other endpoint. Call it with an OAuth access token and it returns:
HTTP 401: "GET /v1/profile does not support oauth access yet"
It only accepts personal access tokens, the kind the Supabase CLI uses. So an OAuth integration can list the user's projects, deploy their Edge Functions and read their database config, but it can't find out who they are. The JIT endpoints and /database/jit/list have the same restriction, with the same "does not support oauth access yet" message.
The workaround we didn't ship
GET /v1/organizations/{slug}/members does work with OAuth tokens and includes emails. But it tells you who is in the organization, not which member clicked "Authorize". On a single-member org you can guess right. On a two-member org, guessing wrong signs someone in as their colleague. That is an account takeover with extra steps, so no.
What we do instead
ReviveDB signs you in with Google or a magic link, and Supabase gets connected after that, as a credential on your account. In hindsight the split is fine. Your ReviveDB login and your Supabase account don't have to share an email, so a work Supabase account can hang off a personal login without ceremony.
The OAuth-first sign-in path is still in our codebase behind the capability check. The error says "yet", so presumably Supabase plans to open these endpoints to OAuth tokens at some point. When that happens the button comes back in a small PR.
If you want to see what we actually built on top of this API: complete Supabase backups covering the database, Auth, Storage files, Edge Functions and configuration, restore-tested as one recovery point.