
Redirect Flow

Use the redirect flow when your app can navigate the browser away to log in and back again. The user is sent to auth.abair.ie, signs in, and returns to your page with their Supabase session carried in the URL.


Integration contract

1. Send the user to the auth service, passing your return URL as the ref parameter:

https://auth.abair.ie/?ref=https://your-app.abair.ie/home

2. The user signs in on the shared login page — or, if they already have a session, is sent straight back.

3. They return to your ref URL with the session appended as query parameters:

https://your-app.abair.ie/home?access_token=…&refresh_token=…

4. Activate the session in your app, then clean the URL:

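// Read the session tokens the auth service appended to the return URL.
const params = new URLSearchParams(window.location.search);
const access_token = params.get("access_token");
const refresh_token = params.get("refresh_token");
if (access_token && refresh_token) {
  const { error } = await supabase.auth.setSession({ access_token, refresh_token });
  if (error) console.error("setSession failed:", error.message);
}
// Remove the tokens from the address bar and the current history entry.
window.history.replaceState({}, document.title, window.location.pathname);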

After setSession, your Supabase client is authenticated and row-level security applies to the signed-in user.


Sequence


Security

Warning: The service appends the session tokens to whatever URL you pass as ref; it does not validate it. Only link to auth.abair.ie from pages you control, and strip the tokens from the URL after reading them. Otherwise they remain in browser history and in any server logs of the destination.
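The two precautions in the warning above, as an added JavaScript example (not code from the auth.abair.ie service or from this page's own snippet). buildLoginUrl, extractSession and completeLogin are hypothetical helper names; the example assumes the service URL-decodes ref in the usual way, and it removes only the two token parameters so other query parameters and the fragment survive.

```javascript
// Added example: hypothetical helpers, not part of the auth service or Supabase.
const AUTH_URL = "https://auth.abair.ie/";
const TOKEN_PARAMS = ["access_token", "refresh_token"];

// Build the login link. The return URL must be on this app's own origin,
// because the service appends tokens to whatever ref it is given.
function buildLoginUrl(returnUrl, appOrigin) {
  const target = new URL(returnUrl, appOrigin);
  if (target.origin !== new URL(appOrigin).origin) {
    throw new Error("ref must point at this app's own origin");
  }
  // Drop stale tokens so they are not echoed back inside ref.
  TOKEN_PARAMS.forEach((p) => target.searchParams.delete(p));
  const login = new URL(AUTH_URL);
  login.searchParams.set("ref", target.toString()); // percent-encodes ref
  return login.toString();
}

// Split a returned URL into the session tokens and a token-free relative URL.
function extractSession(href) {
  const url = new URL(href);
  const access_token = url.searchParams.get("access_token");
  const refresh_token = url.searchParams.get("refresh_token");
  TOKEN_PARAMS.forEach((p) => url.searchParams.delete(p));
  const session =
    access_token && refresh_token ? { access_token, refresh_token } : null;
  return { session, cleanUrl: url.pathname + url.search + url.hash };
}

// Browser wiring: clean the URL first, then activate the session.
// Call as completeLogin(supabase, window).
async function completeLogin(supabase, win) {
  const { session, cleanUrl } = extractSession(win.location.href);
  win.history.replaceState({}, win.document.title, cleanUrl);
  if (!session) return false; // nothing to activate (direct visit or partial URL)
  const { error } = await supabase.auth.setSession(session);
  if (error) throw error;
  return true;
}
```

Cleaning the URL before calling setSession means the tokens leave the address bar and history entry even if activation fails.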

The Fotheidil frontend additionally forwards these tokens to its backend API so the server can act as the user for database writes.