Cloud//Supabase//Auth//handshake
The one-time exchange where Google and Supabase establish trust for a user. Happens once per user, at login. After this, everything flows.
The chain:
Frontend calls supabase.auth.signInWithOAuth({ provider: 'google' }) → the SDK opens a Google popup
Google sees which app is requesting (identified by its Client ID) and shows the consent screen: "This app wants to read your email. Allow?"
User says yes. Google says "okay — but to whom do I send the permission?" It checks the callback URL registered in Google Cloud Console — that URL points to Supabase
Google sends an authorization code to Supabase. Supabase catches it — like a mafia guy, handles everything. It exchanges the code with Google, proving its identity with the Client Secret (from credentials), receives access + refresh tokens for Gmail, and creates the user in auth.users
Supabase hands the tokens to us once. We store the Gmail tokens in our profiles table (server-side, never in the browser). Only the session token goes into the browser's cookies
From here: every frontend request carries the session cookie → backend reads it → knows who the user is → uses the stored Gmail tokens to call the Gmail API → RLS ensures each user only sees their own data
One handshake. One time. Elegant. The reason we configured Client ID + Client Secret in Google Cloud: so Supabase can prove it's our legitimate service during this exchange.
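What "server-side, never in the browser" plus "RLS ensures each user only sees their own data" looks like in Postgres, as an added example that is not part of the original note. It assumes Supabase's standard auth.users table and auth.uid() helper; the table and column names are mine. The note keeps the Gmail tokens in profiles; here they get their own table, because the select-own-row policy the browser needs on profiles would otherwise let the browser read the tokens through the API as well.

```sql
-- Added example, not the project's own schema.

-- Profile data the browser is allowed to read and update for its own row.
create table public.profiles (
  id uuid primary key references auth.users (id) on delete cascade,
  email text,
  created_at timestamptz not null default now()
);

-- Gmail tokens live in a separate table. RLS is enabled and NO policy is
-- created, so the anon/authenticated roles (what the browser uses with the
-- session cookie) get nothing back. Only the service_role key, which bypasses
-- RLS and must stay on the server, can read or write these rows.
create table public.gmail_tokens (
  user_id uuid primary key references auth.users (id) on delete cascade,
  access_token text not null,
  refresh_token text not null,
  expires_at timestamptz not null,
  updated_at timestamptz not null default now()
);

alter table public.profiles enable row level security;
alter table public.gmail_tokens enable row level security;

-- auth.uid() is the user id taken from the session JWT carried by the cookie,
-- so each user only ever matches their own profile row.
create policy "profiles: read own row"
  on public.profiles for select
  to authenticated
  using (auth.uid() = id);

create policy "profiles: update own row"
  on public.profiles for update
  to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- Belt and braces: even if someone later adds a policy on gmail_tokens by
-- mistake, the browser-facing roles hold no privileges on it to begin with.
revoke all on public.gmail_tokens from anon, authenticated;
```

Supabase returns provider_token and provider_refresh_token only in the session right after the OAuth redirect, so that is the one moment to write them into gmail_tokens from server code.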