Configure Supabase Auth, account cookies, OAuth, and website auth tables.

Auth Setup

The website account system uses Supabase Auth for buyer accounts, license ownership, support tickets, Studio Web projects, and account dashboard sessions. This is the website/auth metadata project, not the Postgres database that stores a customer's game content.

Use this guide when deploying the marketing website, account dashboard, or Studio Web handoff flow.

What Auth Powers

| Area | Auth dependency |
| --- | --- |
| Account login | Supabase email/password and optional Google OAuth |
| License ownership | profiles, mmostudio_license_keys, and license activation tables |
| Account dashboard | Cookie-based Supabase sessions refreshed by website middleware |
| Studio Web | Authenticated project APIs plus /api/studio/auth/verify tier checks |
| Admin website pages | profiles.role checked server-side with the Supabase service role |

1. Create the Supabase Project

Create a Supabase project dedicated to the ED5 website/account layer. In Supabase Auth settings:

  • Enable the Email provider.
  • Decide whether users must confirm email before logging in.
  • Add any production domains before launch.
  • Keep the service-role key server-side only.

The website expects these environment variables:

NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
JWT_SECRET=your-random-jwt-secret-at-least-32-chars

NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_ANON_KEY are safe to expose to the browser. SUPABASE_SERVICE_ROLE_KEY and JWT_SECRET must only be set in server environments, such as Vercel project env vars or a local .env.local file.

2. Configure Redirect URLs

In Supabase, open Authentication -> URL Configuration.

Set Site URL to your website origin:

https://your-domain.com

Add redirect URLs for every environment that can complete login:

http://localhost:3003/auth/callback
https://your-domain.com/auth/callback
https://mmo.ed5enterprise.com/auth/callback

The website login page sends OAuth users to /auth/callback, where the server exchanges the PKCE code for a Supabase session and returns the user to /account or the requested redirect destination.

3. Run the Website Auth SQL

Open the Supabase SQL editor and run:

apps/website/supabase-setup.sql

This script is idempotent. It extends profiles, creates license tables, adds RLS policies, and installs the handle_new_user trigger so new Supabase Auth users get a profile row automatically.

If Studio Web projects are enabled, also run:

apps/website/supabase-studio-tables.sql

That adds mstudio_projects, subscriptions, snapshots, hosted-auth provider fields, and the RLS policies used by the dashboard and Studio Web project APIs.

4. Configure Google OAuth (Optional)

For Google sign-in, create OAuth credentials in Google Cloud Console:

  • Application type: Web application
  • Authorized JavaScript origin: your website origin, such as https://your-domain.com
  • Authorized redirect URI: https://your-project.supabase.co/auth/v1/callback

Then paste the Google client ID and secret into Supabase under Authentication -> Providers -> Google. Supabase will redirect back to the website's /auth/callback URL after the provider exchange.

5. Cookie Domain and Subdomains

The website middleware refreshes Supabase sessions on each request and shares cookies across production subdomains. For ED5 production, the default cookie domain is .ed5enterprise.com.

For a custom production domain, set:

AUTH_COOKIE_DOMAIN=.your-domain.com
MMOSTUDIO_ALLOWED_ORIGINS=https://mstudio.your-domain.com,https://your-domain.com

Use AUTH_COOKIE_DOMAIN when the account site and Studio Web run on sibling subdomains. Keep MMOSTUDIO_ALLOWED_ORIGINS in sync with the deployed Studio Web origin so trial heartbeat and Studio APIs pass CORS and CSRF checks.
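
One way to validate these two settings together and to match a request's Origin header against the allowlist, shown as an added example that is not the website's own code. The function names are hypothetical, and how the website actually performs its CORS and CSRF checks is not shown in this guide.

```javascript
// Added example, not the project's code. Function names are hypothetical.
// Values are the placeholders used in this guide.
const AUTH_COOKIE_DOMAIN = ".your-domain.com";
const MMOSTUDIO_ALLOWED_ORIGINS =
  "https://mstudio.your-domain.com,https://your-domain.com";

// Parse the comma-separated list into a Set of normalized origins.
// Entries with a path, query, fragment, or credentials are rejected so a
// typo fails at startup instead of silently never matching.
function parseAllowedOrigins(raw) {
  const origins = new Set();
  for (const entry of (raw || "").split(",")) {
    const value = entry.trim();
    if (!value) continue;
    const url = new URL(value); // throws on malformed entries
    const bare = url.pathname === "/" && !url.search && !url.hash &&
      !url.username && !url.password;
    if (!bare || !/^https?:$/.test(url.protocol)) {
      throw new Error(`not a bare http(s) origin: ${value}`);
    }
    origins.add(url.origin);
  }
  return origins;
}

// Exact scheme + host + port comparison against the request's Origin header.
// Prefix or substring matching would also accept look-alike hosts.
function isAllowedOrigin(originHeader, allowed) {
  if (typeof originHeader !== "string") return false;
  let origin;
  try {
    origin = new URL(originHeader).origin;
  } catch {
    return false; // covers the literal "null" origin and garbage input
  }
  return origin === originHeader && allowed.has(origin);
}

// Allowed origins whose host is not the cookie domain or one of its
// subdomains: the browser will not send the shared session cookie to them.
function originsOutsideCookieDomain(allowed, cookieDomain) {
  const base = cookieDomain.replace(/^\./, "").toLowerCase();
  return [...allowed].filter((origin) => {
    const host = new URL(origin).hostname;
    return host !== base && !host.endsWith("." + base);
  });
}
```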

6. Verify the Flow

  • Visit /account/login.
  • Create an account with email/password.
  • Confirm a row appears in public.profiles for the new user.
  • Sign out and sign back in.
  • If Google OAuth is enabled, test the Google button and confirm it returns through /auth/callback.
  • If Studio Web is enabled, create a project from /account and open it in Studio Web.

Troubleshooting

| Symptom | Check |
| --- | --- |
| Auth service is not configured | Missing NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_ANON_KEY |
| Login works but account APIs fail | Missing or invalid SUPABASE_SERVICE_ROLE_KEY |
| OAuth returns to login with callback error | Missing /auth/callback redirect URL in Supabase |
| User exists but dashboard data is missing | Confirm supabase-setup.sql ran and handle_new_user exists |
| Admin page redirects away | Check profiles.role; accepted admin roles are normalized in apps/website/src/lib/admin-roles.ts |
| Studio Web heartbeat blocked | Add the Studio Web origin to MMOSTUDIO_ALLOWED_ORIGINS |