Authentication

The SDK uses Supabase Auth. There is no separate API-key header per request: the active session’s JWT is sent automatically.

How it works

  • Client: Built with the project URL and anon key. The anon key is public by design; RLS and RPC checks enforce what each user can do.
  • Session: Users sign in with client.supabase.auth (password, OAuth, magic link, etc.). All client.tenants, client.workOrders, and other resources share that same client and session.

Sign in

Use your URL and anon key from Project Settings → API:

Email and password

import { createDbClient } from '@workorder-systems/sdk'

const client = createDbClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_ANON_KEY!
)

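// Password sign-in; on success the session is stored and reused by later calls.
const { data, error } = await client.supabase.auth.signInWithPassword({
  email: 'user@example.com',
  password: 'your-password',
})

// Surface sign-in failures instead of continuing without a session.
if (error) throw error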

After sign-in, Supabase stores the session (default: browser storage, or whatever you configured). Later calls to client.workOrders.list() and the rest use that session automatically.

Using the SDK

You do not attach a bearer token manually. Once client.supabase.auth has a session, resource methods run as that user.

For tenant-scoped data, also call client.setTenant(tenantId) and refresh the session so the JWT carries tenant_id. See Tenant context.
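
One way to confirm that the refreshed JWT actually carries tenant_id before issuing tenant-scoped calls. This is an added example, not SDK code: the claim locations (top level or app_metadata), the TenantClient shape, and the names decodeClaims, tenantClaim and switchTenant are assumptions.

```typescript
// Added example. Claim locations and the TenantClient shape are assumptions.
type Claims = { tenant_id?: string; app_metadata?: { tenant_id?: string } }
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
// Constructed sample token, payload {"sub":"u1","tenant_id":"t-1"}, placeholder signature.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1MSIsInRlbmFudF9pZCI6InQtMSJ9.sig'

// Decode the JWT payload (middle segment). This does NOT verify the signature:
// it is a client-side sanity check; enforcement stays with RLS and RPC checks.
function decodeClaims(jwt: string): Claims {
  const parts = jwt.split('.')
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments')
  const payload = parts[1] || ''
  let acc = 0, bits = 0, hex = ''
  for (let i = 0; i < payload.length; i++) {
    const v = B64URL.indexOf(payload.charAt(i))
    if (v < 0) throw new Error('invalid base64url in JWT payload')
    acc = ((acc << 6) | v) & 0xffff
    bits += 6
    if (bits >= 8) {
      bits -= 8
      hex += '%' + ('0' + ((acc >> bits) & 0xff).toString(16)).slice(-2)
    }
  }
  return JSON.parse(decodeURIComponent(hex)) as Claims
}

// Return the tenant claim, or undefined when the token has none.
function tenantClaim(jwt: string): string | undefined {
  const c = decodeClaims(jwt)
  return c.tenant_id ?? c.app_metadata?.tenant_id
}

// Only the parts of the client used here; setTenant's return type is assumed.
interface TenantClient {
  setTenant(tenantId: string): unknown
  supabase: { auth: { refreshSession(): Promise<{
    data: { session: { access_token: string } | null }
    error: unknown
  }> } }
}

// Set the tenant, refresh the session, and fail closed if the new JWT lacks it.
async function switchTenant(client: TenantClient, tenantId: string): Promise<void> {
  await client.setTenant(tenantId)
  const { data, error } = await client.supabase.auth.refreshSession()
  if (error || !data.session) throw new Error('session refresh failed')
  const claim = tenantClaim(data.session.access_token)
  if (claim !== tenantId) throw new Error(`JWT tenant_id is ${claim ?? 'absent'}, expected ${tenantId}`)
}
```

Call switchTenant(client, tenantId) after sign-in and before the first tenant-scoped request; a rejected promise means the session token does not yet match the selected tenant.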
