Migrate from Supabase Auth
Step-by-step guide to migrating users and social providers from Supabase Auth to Wocha
This guide covers migrating from Supabase Auth (auth.users) to Wocha, including password hash handling and social provider mapping.
Prerequisites
| Requirement | Details |
|---|---|
| Supabase export | JSON or CSV from auth.users, or service role key for Management API |
| Service role key | Required for live API import (SUPABASE_SERVICE_ROLE_KEY) |
| Wocha tenant | npx @wocha/cli init --cloud |
| Management API key | WOCHA_MANAGEMENT_API_KEY with users:write, connections:write |
Concept mapping
| Supabase Auth | Wocha |
|---|---|
auth.users row | User |
raw_user_meta_data | traits / metadata_public |
app_metadata | metadata_admin |
auth.identities provider | Social connection |
encrypted_password (bcrypt) | Not directly importable — see passwords section |
Data mapping
| Supabase field | Wocha field |
|---|---|
id | metadata_admin.supabase_id |
email | traits.email |
raw_user_meta_data.full_name | traits.name |
raw_user_meta_data | metadata_admin.user_metadata |
app_metadata | metadata_admin.app_metadata |
email_confirmed_at | Used to set verified status |
identities[].provider | Social connection (google, github, etc.) |
encrypted_password | Bcrypt hash — requires re-registration |
Step 1 — Export users
Option A: Database export (recommended)
Export from the Supabase SQL editor or psql:
Or use the Supabase CLI:
Option B: Management API
The CLI can fetch users directly when you provide the project ref and service role key.
Step 2 — Dry run
Review the migration plan for:
- User count and social providers detected
- Bcrypt password warnings (passwords cannot be imported directly)
- Duplicate emails
Step 3 — Import users
Step 4 — Configure social connections
Supabase providers map to Wocha social connections:
| Supabase provider | Wocha connection |
|---|---|
google | |
github | GitHub |
gitlab | GitLab |
azure | Microsoft |
apple | Apple |
| Other | Configure manually in Console |
Configure OAuth credentials in Connections → Social before users attempt social login.
Handling passwords
Supabase stores bcrypt hashes in encrypted_password. Wocha cannot import bcrypt hashes directly from Supabase exports.
Options:
- Magic link re-registration (recommended):
- Password reset campaign — email users before cutover
- SSO/social only — if users authenticate via OAuth providers, configure social connections first
- Parallel auth — keep Supabase Auth active during transition
Step 5 — Validate migration
Checks that all exported users exist in Wocha and social providers are configured.
Post-migration checklist
- All users imported
- Social connections configured with OAuth credentials
- Recovery emails sent to password-based users
- Supabase RLS policies replaced with Wocha permissions / SpiceDB
- Application updated from
@supabase/supabase-jsauth to Wocha SDK - Environment variables updated (
SUPABASE_*→WOCHA_*)
Rollback considerations
- Supabase Auth remains independent — deleting Wocha users does not affect Supabase
- Re-import skips existing emails (409 conflict)
- OAuth redirect URIs must be updated in provider consoles when switching to Wocha
- Plan a cutover window for JWT validation changes in your backend