Docs
Auth
What SupaClone can and cannot copy from Supabase Auth, including settings, providers, hooks, SMTP, users, and sessions.
Last updated 2026-07-09
Auth users are not cloned
SupaClone does not clone Auth users, identities, sessions, refresh tokens, passwords, or MFA enrollments.
That exclusion is intentional. Auth records are security-sensitive, environment-specific, and often tied to production users. A clone target should not silently receive real user sessions or credentials.
Auth settings
SupaClone can copy allowlisted non-secret Auth configuration fields when the Supabase Management API exposes them and the connected account has the required scopes.
Examples include selected settings for:
- Site URL and redirect allow list.
- Signup behavior.
- Mailer templates and notification settings.
- Some provider enablement and client ID fields.
- Some MFA and hook configuration fields.
Unknown fields are not copied automatically. SupaClone records them as notices when they differ.
Provider secrets
Provider secrets are manual.
If a source provider is enabled, SupaClone tells you which target secret must be recreated, such as an external provider secret or hook secret. It does not copy the secret value.
Custom SMTP
Custom SMTP passwords are write-only and cannot be safely read from Supabase. If the source uses custom SMTP, set the SMTP password manually in the target and review SMTP-coupled settings afterward.
Auth triggers
Application-owned triggers on managed Auth tables, such as auth.users, may be recreated when safe and supported. Supabase-internal Auth objects are not cloned.
If a trigger cannot be created because of permissions or platform restrictions, SupaClone reports a manual SQL step.
Ready to run a verified clone?
Start with a fresh target project, choose exactly what to copy, and review the clone report after the run completes.
Clone your first project free