Supabase•9mo ago•

7 replies

Supabase Auth session works, but RLS treats the request as unauthenticated in Flask

What I’m trying to do

I’m building a Flask backend that calls Supabase via the async Python client. The user successfully signs in and auth.get_user() returns the expected profile, but any subsequent SELECT on the users table returns zero rows. RLS seems to think the request is anonymous.

Environment

- OS: MacOS Sequoia 15.5
- Supabase client: supabase>=2.16.0
- Python: 3.13.5
- Flask: 3.1.1

Code snippets

Client setup

options = AsyncClientOptions(
    storage=FlaskSessionStorage(),  # thin wrapper over flask.session
    auto_refresh_token=True,
    persist_session=True,
)
supabase = create_client(SUPABASE_URL, SUPABASE_ANON_KEY, options)

options = AsyncClientOptions(
    storage=FlaskSessionStorage(),  # thin wrapper over flask.session
    auto_refresh_token=True,
    persist_session=True,
)
supabase = create_client(SUPABASE_URL, SUPABASE_ANON_KEY, options)

Sign-in

# works, saves session

await supabase.auth.sign_in_with_password(
    {"email": email, "password": password}
)

# works, saves session

await supabase.auth.sign_in_with_password(
    {"email": email, "password": password}
)

Read all users

async def read_all(self):
    result = await supabase.table("users").select("*").execute()
    return result.data              # ← always []

async def read_all(self):
    result = await supabase.table("users").select("*").execute()
    return result.data              # ← always []

Read users route

async def get(self) -> tuple[Response, int]:
    all_users = await self.__users.read_all()
    # return 200 and json data

async def get(self) -> tuple[Response, int]:
    all_users = await self.__users.read_all()
    # return 200 and json data

RLS policy

create policy "policy_name"
on public.users
as PERMISSIVE
for SELECT
to authenticated
using (true);

create policy "policy_name"
on public.users
as PERMISSIVE
for SELECT
to authenticated
using (true);

What’s going wrong

Even though the session is live and the JWT is attached, Postgres behaves as if the role is anon instead of authenticated, so the SELECT is filtered out by RLS.

What I’m looking for

1. An explanation of what exactly causes this problem.
2. Any pointers on which extra header / cookie / claim Supabase expects when using the async Python client in Flask.
3. Known gotchas when combining Flask session storage with the supabase library.
4. A minimal working example (with SUPABASE_ANON_KEY) that proves RLS + Supabase Auth with Python works on the server side.

Supabase•9mo ago•

7 replies

UltraGeoPro

Supabase Auth session works, but RLS treats the request as unauthenticated in Flask

What I’m trying to do

Environment

- OS: MacOS Sequoia 15.5
- Supabase client: supabase>=2.16.0
- Python: 3.13.5
- Flask: 3.1.1

Code snippets

Client setup

options = AsyncClientOptions(
    storage=FlaskSessionStorage(),  # thin wrapper over flask.session
    auto_refresh_token=True,
    persist_session=True,
)
supabase = create_client(SUPABASE_URL, SUPABASE_ANON_KEY, options)

options = AsyncClientOptions(
    storage=FlaskSessionStorage(),  # thin wrapper over flask.session
    auto_refresh_token=True,
    persist_session=True,
)
supabase = create_client(SUPABASE_URL, SUPABASE_ANON_KEY, options)

Sign-in

# works, saves session

await supabase.auth.sign_in_with_password(
    {"email": email, "password": password}
)

# works, saves session

await supabase.auth.sign_in_with_password(
    {"email": email, "password": password}
)

Read all users

async def read_all(self):
    result = await supabase.table("users").select("*").execute()
    return result.data              # ← always []

async def read_all(self):
    result = await supabase.table("users").select("*").execute()
    return result.data              # ← always []

Read users route

async def get(self) -> tuple[Response, int]:
    all_users = await self.__users.read_all()
    # return 200 and json data

async def get(self) -> tuple[Response, int]:
    all_users = await self.__users.read_all()
    # return 200 and json data

RLS policy

create policy "policy_name"
on public.users
as PERMISSIVE
for SELECT
to authenticated
using (true);

create policy "policy_name"
on public.users
as PERMISSIVE
for SELECT
to authenticated
using (true);

What’s going wrong

Even though the session is live and the JWT is attached, Postgres behaves as if the role is anon instead of authenticated, so the SELECT is filtered out by RLS.

Supabase Auth session works, but RLS treats the request as unauthenticated in Flask

What I’m trying to do

Environment

Code snippets

Client setup

Sign-in

Read all users

Read users route

RLS policy

What’s going wrong

What I’m looking for

Supabase Auth session works, but RLS treats the request as unauthenticated in Flask

What I’m trying to do

Environment

Code snippets

Client setup

Sign-in

Read all users

Read users route

RLS policy

What’s going wrong

What I’m looking for

Similar Threads

Similar Threads

Similar Threads