Auth Admin — API Reference
The supabase-auth-admin module is a thin, typed wrapper over the GoTrue
admin REST API. It lets a trusted backend manage your project’s auth state:
list and mutate users, run their MFA factors, register OAuth clients, configure
custom OIDC/OAuth2 and SAML SSO providers, inspect passkeys and audit logs, and
force-sign-out a session. Every call returns a SupabaseResult<T>, so failures
are values you handle rather than exceptions you catch.
- Maven artifact:
io.github.androidpoet:supabase-auth-admin - Entry point:
createAuthAdminClient(client, serviceRoleKey) - Package:
io.github.androidpoet.supabase.auth.admin(models in…admin.models)
This module uses the service-role key. Never ship it in a client app.
The service-role key bypasses Row Level Security and can read, modify, or delete any user and any row in your project. It must only ever run in a trusted, server-side environment (a backend service or edge function) — never in a mobile, desktop, or browser app where it can be extracted. The key is a required argument with no default by design, so an admin client can never be created by accident with the public anon key. Source it from a secret store, not from committed code.
Setup
createAuthAdminClient builds an AuthAdminClient from an
existing SupabaseClient and your service-role key.
fun createAuthAdminClient(
supabaseClient: SupabaseClient,
serviceRoleKey: String,
): AuthAdminClientsupabaseClient— the configuredSupabaseClientwhose project URL the admin calls target.serviceRoleKey— the project’s service-role key. Required, no default. Bypasses RLS.
Returns an AuthAdminClient instance. This call does no I/O and does not fail.
val admin = createAuthAdminClient(
supabaseClient = client,
serviceRoleKey = System.getenv("SUPABASE_SERVICE_ROLE_KEY"),
)AuthAdminClient
The interface exposing every admin operation. All methods are suspend and
return SupabaseResult<T>: a Success carrying the value, or a Failure
carrying the error. The sections below group the methods by area.
User management
createUser
Creates a user directly, skipping the normal sign-up flow. Set emailConfirm /
phoneConfirm to mark contacts pre-verified.
suspend fun createUser(attributes: AdminUserAttributes): SupabaseResult<User>attributes— the fields to set on the new user (seeAdminUserAttributes).
Returns SupabaseResult<User> — Success with the created user, Failure on error.
val result = admin.createUser(
AdminUserAttributes(
email = "jane@example.com",
password = "s3cret-pass",
emailConfirm = true,
),
)listUsers
Lists users one page at a time. GoTrue’s admin list is page-based and 1-indexed.
suspend fun listUsers(
page: Int? = null,
perPage: Int? = null,
): SupabaseResult<ListUsersResponse>page— 1-indexed page number. Defaultnull(server default, the first page).perPage— users per page. Defaultnull(server default).
Returns SupabaseResult<ListUsersResponse> — Success with the page of users, Failure on error.
val page = admin.listUsers(page = 1, perPage = 50)For ergonomic paging see listUsersOrThrow and
usersPaginator below.
getUserById
Fetches a single user by id.
suspend fun getUserById(userId: String): SupabaseResult<User>userId— the user’s UUID.
Returns SupabaseResult<User> — Success with the user, Failure if not found or on error.
val user = admin.getUserById("8f3a…")updateUserById
Updates an existing user. Only the non-null fields on attributes are changed.
suspend fun updateUserById(
userId: String,
attributes: AdminUserAttributes,
): SupabaseResult<User>userId— the user’s UUID.attributes— fields to change (seeAdminUserAttributes). UsebanDurationto ban (e.g."24h") or"none"to unban.
Returns SupabaseResult<User> — Success with the updated user, Failure on error.
val updated = admin.updateUserById(
userId = "8f3a…",
attributes = AdminUserAttributes(banDuration = "24h"),
)deleteUser
Deletes a user.
suspend fun deleteUser(
userId: String,
shouldSoftDelete: Boolean = false,
): SupabaseResult<Unit>userId— the user’s UUID.shouldSoftDelete— iftrue, soft-deletes (retains the row, marks it deleted); iffalse, hard-deletes. Defaultfalse.
Returns SupabaseResult<Unit> — Success on deletion, Failure on error.
admin.deleteUser("8f3a…", shouldSoftDelete = true)inviteUserByEmail
Sends an invite email and creates a pending user.
suspend fun inviteUserByEmail(
email: String,
data: JsonObject? = null,
redirectTo: String? = null,
): SupabaseResult<User>email— the invitee’s email address.data— optional metadata stored on the user (becomesuser_metadata). Defaultnull.redirectTo— optional URL to redirect to after the invite is accepted. Defaultnull.
Returns SupabaseResult<User> — Success with the invited user, Failure on error.
admin.inviteUserByEmail("new@example.com")generateLink
Generates an action link (signup, magic link, recovery, invite, or email change) without sending the email yourself.
suspend fun generateLink(request: GenerateLinkRequest): SupabaseResult<GenerateLinkResponse>request— the link parameters (seeGenerateLinkRequest).
Returns SupabaseResult<GenerateLinkResponse> — Success with the generated link properties and (where applicable) the user, Failure on error.
val link = admin.generateLink(
GenerateLinkRequest(
type = GenerateLinkType.MAGIC_LINK,
email = "jane@example.com",
),
)signOut
Revokes a user’s session(s) given their access token.
suspend fun signOut(
accessToken: String,
scope: SignOutScope = SignOutScope.LOCAL,
): SupabaseResult<Unit>accessToken— the user’s JWT access token to sign out.scope— which sessions to revoke (SignOutScope.LOCAL,GLOBAL, orOTHERS). DefaultSignOutScope.LOCAL.
Returns SupabaseResult<Unit> — Success on sign-out, Failure on error.
admin.signOut(accessToken = userJwt, scope = SignOutScope.GLOBAL)Multi-factor authentication
listFactors
Lists a user’s enrolled MFA factors.
suspend fun listFactors(userId: String): SupabaseResult<MfaAdminListFactorsResponse>userId— the user’s UUID.
Returns SupabaseResult<MfaAdminListFactorsResponse> — Success with the factor list, Failure on error.
val factors = admin.listFactors("8f3a…")updateFactor
Updates a user’s MFA factor — currently its friendly name. PUTs to
/admin/users/{userId}/factors/{factorId} and returns the full updated factor.
suspend fun updateFactor(
userId: String,
factorId: String,
friendlyName: String? = null,
): SupabaseResult<MfaFactor>userId— the user’s UUID.factorId— the factor’s id.friendlyName— the new display name for the factor. Defaultnull.
Returns SupabaseResult<MfaFactor> — Success with the updated factor, Failure on error.
admin.updateFactor("8f3a…", "factor-id", friendlyName = "My phone")deleteFactor
Removes a user’s MFA factor.
suspend fun deleteFactor(
userId: String,
factorId: String,
): SupabaseResult<MfaAdminDeleteFactorResponse>userId— the user’s UUID.factorId— the factor’s id.
Returns SupabaseResult<MfaAdminDeleteFactorResponse> — Success with the deleted factor’s id, Failure on error.
admin.deleteFactor("8f3a…", "factor-id")OAuth clients
listOAuthClients
Lists registered OAuth clients, page by page.
suspend fun listOAuthClients(
page: Int? = null,
perPage: Int? = null,
): SupabaseResult<OAuthClientListResponse>page— 1-indexed page number. Defaultnull.perPage— clients per page. Defaultnull.
Returns SupabaseResult<OAuthClientListResponse> — Success with the page of clients, Failure on error.
val clients = admin.listOAuthClients(page = 1, perPage = 20)createOAuthClient
Registers a new OAuth client.
suspend fun createOAuthClient(request: OAuthClientCreateRequest): SupabaseResult<OAuthClient>request— the new client’s configuration (seeOAuthClientCreateRequest).
Returns SupabaseResult<OAuthClient> — Success with the created client (including its secret), Failure on error.
val client = admin.createOAuthClient(
OAuthClientCreateRequest(
clientName = "My App",
redirectUris = listOf("https://app.example.com/callback"),
),
)getOAuthClient
Fetches a single OAuth client by id.
suspend fun getOAuthClient(clientId: String): SupabaseResult<OAuthClient>clientId— the client’s id.
Returns SupabaseResult<OAuthClient> — Success with the client, Failure on error.
val client = admin.getOAuthClient("client-id")updateOAuthClient
Updates an existing OAuth client. Only non-null fields on request are changed.
suspend fun updateOAuthClient(
clientId: String,
request: OAuthClientUpdateRequest,
): SupabaseResult<OAuthClient>clientId— the client’s id.request— fields to change (seeOAuthClientUpdateRequest).
Returns SupabaseResult<OAuthClient> — Success with the updated client, Failure on error.
admin.updateOAuthClient(
clientId = "client-id",
request = OAuthClientUpdateRequest(clientName = "Renamed App"),
)deleteOAuthClient
Deletes an OAuth client.
suspend fun deleteOAuthClient(clientId: String): SupabaseResult<Unit>clientId— the client’s id.
Returns SupabaseResult<Unit> — Success on deletion, Failure on error.
admin.deleteOAuthClient("client-id")regenerateOAuthClientSecret
Issues a fresh secret for an OAuth client, invalidating the old one.
suspend fun regenerateOAuthClientSecret(clientId: String): SupabaseResult<OAuthClient>clientId— the client’s id.
Returns SupabaseResult<OAuthClient> — Success with the client carrying the new secret, Failure on error.
val rotated = admin.regenerateOAuthClientSecret("client-id")Custom OIDC / OAuth2 providers
listCustomProviders
Lists custom identity providers, optionally filtered by type.
suspend fun listCustomProviders(type: CustomProviderType? = null): SupabaseResult<CustomProviderListResponse>type— restrict to a provider type (OAUTH2orOIDC). Defaultnull(all types).
Returns SupabaseResult<CustomProviderListResponse> — Success with the provider list, Failure on error.
val providers = admin.listCustomProviders(type = CustomProviderType.OIDC)createCustomProvider
Registers a new custom OIDC/OAuth2 provider.
suspend fun createCustomProvider(request: CustomProviderCreateRequest): SupabaseResult<CustomProvider>request— the provider configuration (seeCustomProviderCreateRequest).
Returns SupabaseResult<CustomProvider> — Success with the created provider, Failure on error.
val provider = admin.createCustomProvider(
CustomProviderCreateRequest(
providerType = CustomProviderType.OIDC,
identifier = "acme",
name = "Acme SSO",
clientId = "client-id",
clientSecret = "client-secret",
discoveryUrl = "https://acme.example.com/.well-known/openid-configuration",
),
)getCustomProvider
Fetches a single custom provider by its identifier.
suspend fun getCustomProvider(identifier: String): SupabaseResult<CustomProvider>identifier— the provider’s identifier.
Returns SupabaseResult<CustomProvider> — Success with the provider, Failure on error.
val provider = admin.getCustomProvider("acme")updateCustomProvider
Updates an existing custom provider. Only non-null fields on request are changed.
suspend fun updateCustomProvider(
identifier: String,
request: CustomProviderUpdateRequest,
): SupabaseResult<CustomProvider>identifier— the provider’s identifier.request— fields to change (seeCustomProviderUpdateRequest).
Returns SupabaseResult<CustomProvider> — Success with the updated provider, Failure on error.
admin.updateCustomProvider(
identifier = "acme",
request = CustomProviderUpdateRequest(enabled = false),
)deleteCustomProvider
Deletes a custom provider.
suspend fun deleteCustomProvider(identifier: String): SupabaseResult<Unit>identifier— the provider’s identifier.
Returns SupabaseResult<Unit> — Success on deletion, Failure on error.
admin.deleteCustomProvider("acme")SAML SSO providers
createSsoProvider
Registers a new SAML SSO identity provider. Provide either metadataUrl or
metadataXml on the request.
suspend fun createSsoProvider(request: SsoProviderCreateRequest): SupabaseResult<SsoProvider>request— the provider configuration (seeSsoProviderCreateRequest).
Returns SupabaseResult<SsoProvider> — Success with the created provider, Failure on error.
val provider = admin.createSsoProvider(
SsoProviderCreateRequest(
metadataUrl = "https://idp.example.com/metadata.xml",
domains = listOf("example.com"),
),
)listSsoProviders
Lists all registered SAML SSO providers. The API’s { "items": [...] } wrapper is
unwrapped to a plain list.
suspend fun listSsoProviders(): SupabaseResult<List<SsoProvider>>Returns SupabaseResult<List<SsoProvider>> — Success with the providers, Failure on error.
val providers = admin.listSsoProviders()getSsoProvider
Fetches a single SAML SSO provider by id.
suspend fun getSsoProvider(id: String): SupabaseResult<SsoProvider>id— the provider’s id.
Returns SupabaseResult<SsoProvider> — Success with the provider, Failure on error.
val provider = admin.getSsoProvider("provider-id")updateSsoProvider
Updates an existing SAML SSO provider. Omitted domains / attribute_mapping
keep their existing values.
suspend fun updateSsoProvider(
id: String,
request: SsoProviderUpdateRequest,
): SupabaseResult<SsoProvider>id— the provider’s id.request— fields to change (seeSsoProviderUpdateRequest).
Returns SupabaseResult<SsoProvider> — Success with the updated provider, Failure on error.
admin.updateSsoProvider(
id = "provider-id",
request = SsoProviderUpdateRequest(disabled = true),
)deleteSsoProvider
Removes a SAML SSO provider and returns the provider that was deleted.
suspend fun deleteSsoProvider(id: String): SupabaseResult<SsoProvider>id— the provider’s id.
Returns SupabaseResult<SsoProvider> — Success with the deleted provider, Failure on error.
val removed = admin.deleteSsoProvider("provider-id")Passkeys
listPasskeys
Lists a user’s registered passkeys.
suspend fun listPasskeys(userId: String): SupabaseResult<List<Passkey>>userId— the user’s UUID.
Returns SupabaseResult<List<Passkey>> — Success with the passkeys, Failure on error.
val passkeys = admin.listPasskeys("8f3a…")deletePasskey
Removes a passkey from a user.
suspend fun deletePasskey(
userId: String,
passkeyId: String,
): SupabaseResult<Unit>userId— the user’s UUID.passkeyId— the passkey’s id.
Returns SupabaseResult<Unit> — Success on deletion, Failure on error.
admin.deletePasskey("8f3a…", "passkey-id")Audit logs
listAuditLogEvents
Fetches audit-log events. The endpoint returns a bare JSON array of entries.
page and perPage are sent as page / per_page query params only when
non-null.
suspend fun listAuditLogEvents(
page: Int? = null,
perPage: Int? = null,
): SupabaseResult<List<AuditLogEvent>>page— 1-indexed page number. Defaultnull(omitted).perPage— entries per page. Defaultnull(omitted).
Returns SupabaseResult<List<AuditLogEvent>> — Success with the entries, Failure on error.
val events = admin.listAuditLogEvents(page = 1, perPage = 100)Extension functions
listUsersOrThrow
The plain (no-SupabaseResult) form of listUsers: returns the List<User>
directly and throws on failure. Service-role only.
suspend fun AuthAdminClient.listUsersOrThrow(
page: Int? = null,
perPage: Int? = null,
): List<User>page— 1-indexed page number. Defaultnull.perPage— users per page. Defaultnull.
Returns List<User> on success; throws the underlying error on failure.
val users = admin.listUsersOrThrow(page = 1, perPage = 50)usersPaginator
Builds a demand-driven Paginator over all users, fetching one page per
loadNext. GoTrue’s admin list is page-based and 1-indexed; this adapter
converts the offset the paginator tracks into the right page number, so callers
just observe Paginator.items and call loadNext near the list end. A failure
surfaces via Paginator.error. Service-role only.
fun AuthAdminClient.usersPaginator(perPage: Int = 50): Paginator<User>perPage— users per page; must be greater than 0. Default50.
Returns a Paginator<User> you drive with loadNext().
val paginator = admin.usersPaginator(perPage = 50)
paginator.loadNext() // fetches page 1; observe paginator.items / paginator.errorModels
AdminUserAttributes
The mutable user fields used by createUser and updateUserById. All fields are
optional; on update, only non-null fields are changed. toString() masks
password.
data class AdminUserAttributes(
val email: String? = null,
val phone: String? = null,
val password: String? = null,
val userMetadata: JsonObject? = null, // user_metadata
val appMetadata: JsonObject? = null, // app_metadata
val emailConfirm: Boolean? = null, // email_confirm
val phoneConfirm: Boolean? = null, // phone_confirm
val banDuration: String? = null, // ban_duration, e.g. "24h" or "none"
val role: String? = null,
)GenerateLinkType
The kind of action link to generate.
enum class GenerateLinkType {
SIGNUP, // signup
INVITE, // invite
MAGIC_LINK, // magiclink
RECOVERY, // recovery
EMAIL_CHANGE_CURRENT, // email_change_current
EMAIL_CHANGE_NEW, // email_change_new
}GenerateLinkRequest
Input to generateLink.
data class GenerateLinkRequest(
val type: GenerateLinkType,
val email: String,
val password: String? = null,
val newEmail: String? = null, // new_email (for email-change links)
val data: JsonObject? = null,
val redirectTo: String? = null, // redirect_to
)GenerateLinkResponse
Result of generateLink.
data class GenerateLinkResponse(
val properties: GenerateLinkProperties,
val user: User? = null,
)GenerateLinkProperties
The generated link and its associated tokens.
data class GenerateLinkProperties(
val actionLink: String, // action_link
val emailOtp: String? = null, // email_otp
val hashedToken: String? = null, // hashed_token
val redirectTo: String? = null, // redirect_to
val verificationType: String? = null, // verification_type
)ListUsersResponse
A page of users from listUsers.
data class ListUsersResponse(
val users: List<User> = emptyList(),
val aud: String? = null,
)MfaAdminListFactorsResponse
A user’s MFA factors from listFactors.
data class MfaAdminListFactorsResponse(
val factors: List<MfaFactor> = emptyList(),
)MfaAdminDeleteFactorResponse
Result of deleteFactor — the deleted factor’s id.
data class MfaAdminDeleteFactorResponse(
val id: String,
)OAuthClientType
The OAuth client type. UNKNOWN is returned for any type this version does not
recognise. Each entry exposes its wire value.
enum class OAuthClientType(val value: String) {
PUBLIC("public"),
CONFIDENTIAL("confidential"),
UNKNOWN("unknown"),
}OAuthClientRegistrationType
How an OAuth client was registered. UNKNOWN covers unrecognised values.
enum class OAuthClientRegistrationType(val value: String) {
DYNAMIC("dynamic"),
MANUAL("manual"),
UNKNOWN("unknown"),
}OAuthClientTokenEndpointAuthMethod
The token-endpoint authentication method an OAuth client uses. UNKNOWN covers
unrecognised values.
enum class OAuthClientTokenEndpointAuthMethod(val value: String) {
NONE("none"),
CLIENT_SECRET_BASIC("client_secret_basic"),
CLIENT_SECRET_POST("client_secret_post"),
UNKNOWN("unknown"),
}OAuthClient
A registered OAuth client. Optional fields that GoTrue omits when empty decode to
null / empty defaults. toString() masks clientSecret.
data class OAuthClient(
val clientId: String, // client_id
val clientName: String? = null, // client_name
val clientSecret: String? = null, // client_secret
val clientType: OAuthClientType = OAuthClientType.UNKNOWN, // client_type
val tokenEndpointAuthMethod: OAuthClientTokenEndpointAuthMethod =
OAuthClientTokenEndpointAuthMethod.UNKNOWN, // token_endpoint_auth_method
val registrationType: OAuthClientRegistrationType =
OAuthClientRegistrationType.UNKNOWN, // registration_type
val clientUri: String? = null, // client_uri
val logoUri: String? = null, // logo_uri
val redirectUris: List<String> = emptyList(), // redirect_uris
val grantTypes: List<String> = emptyList(), // grant_types
val responseTypes: List<String> = emptyList(), // response_types
val scope: String? = null,
val createdAt: String? = null, // created_at
val updatedAt: String? = null, // updated_at
)OAuthClientCreateRequest
Input to createOAuthClient.
data class OAuthClientCreateRequest(
val clientName: String, // client_name
val redirectUris: List<String>, // redirect_uris
val clientUri: String? = null, // client_uri
val grantTypes: List<String>? = null, // grant_types
val responseTypes: List<String>? = null, // response_types
val scope: String? = null,
val tokenEndpointAuthMethod: OAuthClientTokenEndpointAuthMethod? = null, // token_endpoint_auth_method
)OAuthClientUpdateRequest
Input to updateOAuthClient. Only non-null fields are changed.
data class OAuthClientUpdateRequest(
val clientName: String? = null, // client_name
val clientUri: String? = null, // client_uri
val logoUri: String? = null, // logo_uri
val redirectUris: List<String>? = null, // redirect_uris
val grantTypes: List<String>? = null, // grant_types
val tokenEndpointAuthMethod: OAuthClientTokenEndpointAuthMethod? = null, // token_endpoint_auth_method
)OAuthClientListResponse
A page of OAuth clients from listOAuthClients.
data class OAuthClientListResponse(
val clients: List<OAuthClient> = emptyList(),
val aud: String? = null,
)CustomProviderType
The custom-provider type. UNKNOWN covers unrecognised values.
enum class CustomProviderType(val value: String) {
OAUTH2("oauth2"),
OIDC("oidc"),
UNKNOWN("unknown"),
}OidcDiscoveryDocument
The resolved OIDC discovery document attached to a custom provider.
data class OidcDiscoveryDocument(
val issuer: String,
val authorizationEndpoint: String, // authorization_endpoint
val tokenEndpoint: String, // token_endpoint
val jwksUrl: String, // jwks_uri
val userinfoEndpoint: String? = null, // userinfo_endpoint
val revocationEndpoint: String? = null, // revocation_endpoint
val supportedScopes: List<String>? = null, // supported_scopes
val supportedResponseTypes: List<String>? = null, // supported_response_types
val supportedSubjectTypes: List<String>? = null, // supported_subject_types
val supportedIdTokenSigningAlgs: List<String>? = null, // supported_id_token_signing_algs
)CustomProvider
A configured custom OIDC/OAuth2 provider.
data class CustomProvider(
val id: String,
val providerType: CustomProviderType = CustomProviderType.UNKNOWN, // provider_type
val identifier: String,
val name: String,
val clientId: String, // client_id
val acceptableClientIds: List<String>? = null, // acceptable_client_ids
val scopes: List<String>? = null,
val pkceEnabled: Boolean? = null, // pkce_enabled
val attributeMapping: JsonObject? = null, // attribute_mapping
val authorizationParams: Map<String, String>? = null, // authorization_params
val enabled: Boolean? = null,
val emailOptional: Boolean? = null, // email_optional
val issuer: String? = null,
val discoveryUrl: String? = null, // discovery_url
val skipNonceCheck: Boolean? = null, // skip_nonce_check
val authorizationUrl: String? = null, // authorization_url
val tokenUrl: String? = null, // token_url
val userInfoUrl: String? = null, // userinfo_url
val jwksUrl: String? = null, // jwks_uri
val discoveryDocument: OidcDiscoveryDocument? = null, // discovery_document
val createdAt: String? = null, // created_at
val updatedAt: String? = null, // updated_at
)CustomProviderCreateRequest
Input to createCustomProvider. toString() masks clientSecret.
data class CustomProviderCreateRequest(
val providerType: CustomProviderType, // provider_type
val identifier: String,
val name: String,
val clientId: String, // client_id
val clientSecret: String, // client_secret
val acceptableClientIds: List<String>? = null, // acceptable_client_ids
val scopes: List<String>? = null,
val pkceEnabled: Boolean? = null, // pkce_enabled
val attributeMapping: JsonObject? = null, // attribute_mapping
val authorizationParams: Map<String, String>? = null, // authorization_params
val enabled: Boolean? = null,
val emailOptional: Boolean? = null, // email_optional
val issuer: String? = null,
val discoveryUrl: String? = null, // discovery_url
val skipNonceCheck: Boolean? = null, // skip_nonce_check
val authorizationUrl: String? = null, // authorization_url
val tokenUrl: String? = null, // token_url
val userInfoUrl: String? = null, // userinfo_url
val jwksUrl: String? = null, // jwks_uri
)CustomProviderUpdateRequest
Input to updateCustomProvider. Only non-null fields are changed. toString()
masks clientSecret.
data class CustomProviderUpdateRequest(
val name: String? = null,
val clientId: String? = null, // client_id
val clientSecret: String? = null, // client_secret
val acceptableClientIds: List<String>? = null, // acceptable_client_ids
val scopes: List<String>? = null,
val pkceEnabled: Boolean? = null, // pkce_enabled
val attributeMapping: JsonObject? = null, // attribute_mapping
val authorizationParams: Map<String, String>? = null, // authorization_params
val enabled: Boolean? = null,
val emailOptional: Boolean? = null, // email_optional
val issuer: String? = null,
val discoveryUrl: String? = null, // discovery_url
val skipNonceCheck: Boolean? = null, // skip_nonce_check
val authorizationUrl: String? = null, // authorization_url
val tokenUrl: String? = null, // token_url
val userInfoUrl: String? = null, // userinfo_url
val jwksUrl: String? = null, // jwks_uri
)CustomProviderListResponse
The result of listCustomProviders.
data class CustomProviderListResponse(
val providers: List<CustomProvider> = emptyList(),
)SsoProviderSaml
The SAML configuration block of an SSO provider.
data class SsoProviderSaml(
val entityId: String? = null, // entity_id
val metadataUrl: String? = null, // metadata_url
val metadataXml: String? = null, // metadata_xml
val attributeMapping: JsonObject? = null, // attribute_mapping
val nameIdFormat: String? = null, // name_id_format
)SsoDomain
A domain bound to a SAML SSO provider.
data class SsoDomain(
val id: String? = null,
val domain: String? = null,
val createdAt: String? = null, // created_at
val updatedAt: String? = null, // updated_at
)SsoProvider
A registered SAML SSO identity provider.
data class SsoProvider(
val id: String,
val type: String? = null,
val resourceId: String? = null, // resource_id
val disabled: Boolean? = null,
val saml: SsoProviderSaml? = null,
val domains: List<SsoDomain> = emptyList(),
val createdAt: String? = null, // created_at
val updatedAt: String? = null, // updated_at
)SsoProviderCreateRequest
Input to createSsoProvider. Provide either metadataUrl or metadataXml. The
type field is always serialised even though it defaults to "saml".
data class SsoProviderCreateRequest(
val type: String = "saml", // always encoded
val metadataUrl: String? = null, // metadata_url
val metadataXml: String? = null, // metadata_xml
val domains: List<String>? = null,
val attributeMapping: JsonObject? = null, // attribute_mapping
val nameIdFormat: String? = null, // name_id_format
val resourceId: String? = null, // resource_id
val disabled: Boolean? = null,
)SsoProviderUpdateRequest
Input to updateSsoProvider. Omitted domains / attributeMapping keep their
existing values. The type field is always serialised.
data class SsoProviderUpdateRequest(
val type: String = "saml", // always encoded
val metadataUrl: String? = null, // metadata_url
val metadataXml: String? = null, // metadata_xml
val domains: List<String>? = null,
val attributeMapping: JsonObject? = null, // attribute_mapping
val nameIdFormat: String? = null, // name_id_format
val resourceId: String? = null, // resource_id
val disabled: Boolean? = null,
)SsoProviderListResponse
The raw { "items": [...] } wrapper returned by the SSO list endpoint.
listSsoProviders unwraps this for you, but the type is public for direct use.
data class SsoProviderListResponse(
val items: List<SsoProvider> = emptyList(),
)Passkey
A passkey registered to a user.
data class Passkey(
val id: String,
val friendlyName: String? = null, // friendly_name
val createdAt: String, // created_at
val lastUsedAt: String? = null, // last_used_at
)AuditLogEvent
A single audit-log entry from listAuditLogEvents. The payload shape depends on
the recorded action, so it is kept as a raw JsonObject rather than a typed model.
data class AuditLogEvent(
val id: String,
val payload: JsonObject? = null,
val createdAt: String? = null, // created_at
val ipAddress: String? = null, // ip_address
)Related types
These types come from other modules and appear in admin signatures:
SupabaseResult<T>— the result wrapper every method returns (supabase-core).User,MfaFactor,SignOutScope— shared auth models (supabase-auth).Paginator<T>— the demand-driven pager returned byusersPaginator(supabase-core).SupabaseClient— the base client passed tocreateAuthAdminClient.