Consumo uses Supabase Auth for sessions. Protected routes and API handlers rely on the signed-in user to scope data with Row Level Security.
The app uses the Supabase SSR client with cookies. Middleware refreshes the session on navigations outside the public marketing routes.
Users authenticate via /auth/login (OAuth or email, depending on your Supabase configuration). After login, the dashboard and authenticated API routes receive the user context.
Call app API routes with credentials: "include" so session cookies are sent (e.g. usage ingest from the same origin).
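A client-side helper for the call described above, as an added example that is not part of the Consumo template. The names `buildRequest`, `callApi`, `fetchImpl` and the `/api/usage` path are hypothetical, and it assumes the API handler answers 401 when no valid session is present.

```javascript
// Added example, not Consumo's own code. buildRequest, callApi and /api/usage
// are hypothetical names; the 401-on-missing-session behaviour is an assumption.
const LOGIN_PATH = "/auth/login"; // login route named on this page

// Build fetch options for an app API route. Kept synchronous so the
// options can be inspected without performing a request.
function buildRequest(path, body) {
  // Accept only same-origin relative paths. "//host" and "/\host" are
  // rejected because browsers resolve them to another origin.
  if (typeof path !== "string" || !/^\/(?![\/\\])/.test(path)) {
    throw new TypeError("expected a same-origin path such as /api/...");
  }
  const init = {
    method: body === undefined ? "GET" : "POST",
    credentials: "include", // send the Supabase session cookies
    headers: { Accept: "application/json" },
  };
  if (body !== undefined) {
    init.headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return init;
}

// Call the route and normalise the outcome. fetchImpl is injectable so the
// helper can be exercised without a browser or a network.
async function callApi(path, body, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(path, buildRequest(path, body));
  if (res.status === 401) {
    // No valid session reached the handler: the caller should send the
    // user to the login route instead of retrying.
    return { ok: false, status: 401, redirectTo: LOGIN_PATH };
  }
  if (!res.ok) {
    return { ok: false, status: res.status };
  }
  return { ok: true, status: res.status, data: await res.json() };
}
```

The caller decides what to do with `redirectTo`; the helper never navigates on its own.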
For server-to-server usage, extend the product with a service token or forward the user JWT — not included in the default template.
The dashboard layout reads optional profile fields from a profiles table when present.
auth.uid() to access matching rows.