Wocha Docs

Migrate from Supabase Auth

Step-by-step guide to migrating users and social providers from Supabase Auth to Wocha

This guide covers migrating from Supabase Auth (auth.users) to Wocha, including password hash handling and social provider mapping.

Prerequisites

RequirementDetails
Supabase exportJSON or CSV from auth.users, or service role key for Management API
Service role keyRequired for live API import (SUPABASE_SERVICE_ROLE_KEY)
Wocha tenantnpx @wocha/cli init --cloud
Management API keyWOCHA_MANAGEMENT_API_KEY with users:write, connections:write

Concept mapping

Supabase AuthWocha
auth.users rowUser
raw_user_meta_datatraits / metadata_public
app_metadatametadata_admin
auth.identities providerSocial connection
encrypted_password (bcrypt)Not directly importable — see passwords section

Data mapping

Supabase fieldWocha field
idmetadata_admin.supabase_id
emailtraits.email
raw_user_meta_data.full_nametraits.name
raw_user_meta_datametadata_admin.user_metadata
app_metadatametadata_admin.app_metadata
email_confirmed_atUsed to set verified status
identities[].providerSocial connection (google, github, etc.)
encrypted_passwordBcrypt hash — requires re-registration

Step 1 — Export users

Export from the Supabase SQL editor or psql:

COPY (
  SELECT id, email, encrypted_password, email_confirmed_at,
         raw_user_meta_data, app_metadata
  FROM auth.users
) TO STDOUT WITH CSV HEADER;

Or use the Supabase CLI:

supabase db dump --data-only -f auth-users.csv

Option B: Management API

The CLI can fetch users directly when you provide the project ref and service role key.

Step 2 — Dry run

export WOCHA_MANAGEMENT_API_KEY=wocha_mgmt_...
export WOCHA_TENANT=your-tenant
 
wocha migrate supabase --dry-run

Review the migration plan for:

  • User count and social providers detected
  • Bcrypt password warnings (passwords cannot be imported directly)
  • Duplicate emails

Step 3 — Import users

# From export file
wocha migrate supabase
# Select "Export file" and provide the JSON or CSV path
 
# Or via Management API
wocha migrate supabase
# Select "Management API" and enter project ref + service role key

Step 4 — Configure social connections

Supabase providers map to Wocha social connections:

Supabase providerWocha connection
googleGoogle
githubGitHub
gitlabGitLab
azureMicrosoft
appleApple
OtherConfigure manually in Console

Configure OAuth credentials in Connections → Social before users attempt social login.

Handling passwords

Supabase stores bcrypt hashes in encrypted_password. Wocha cannot import bcrypt hashes directly from Supabase exports.

Options:

  1. Magic link re-registration (recommended):
for (const user of importedUsers) {
  await wocha.users.sendRecovery(user.id);
}
  1. Password reset campaign — email users before cutover
  2. SSO/social only — if users authenticate via OAuth providers, configure social connections first
  3. Parallel auth — keep Supabase Auth active during transition

Step 5 — Validate migration

wocha migrate supabase --validate

Checks that all exported users exist in Wocha and social providers are configured.

Post-migration checklist

  • All users imported
  • Social connections configured with OAuth credentials
  • Recovery emails sent to password-based users
  • Supabase RLS policies replaced with Wocha permissions / SpiceDB
  • Application updated from @supabase/supabase-js auth to Wocha SDK
  • Environment variables updated (SUPABASE_*WOCHA_*)

Rollback considerations

  • Supabase Auth remains independent — deleting Wocha users does not affect Supabase
  • Re-import skips existing emails (409 conflict)
  • OAuth redirect URIs must be updated in provider consoles when switching to Wocha
  • Plan a cutover window for JWT validation changes in your backend