Auth
Every Wok ships with authentication wired into the database from the first request. Users, sessions, and row-level security exist before you write any app code.
Providers (shipped)
- Email + password — full GoTrue-backed sign-up, sign-in, and session management.
Row-level security
Tables are protected by RLS policies, so the auto REST API is safe to call from the client — a user only ever sees their own rows. Wang writes sensible default policies as it builds the schema; you can refine them in SQL.
-- Each user sees only their own orders
create policy "own_orders" on orders
  for select using (auth.uid() = user_id);
Sessions & tokens
Sign-in returns a JWT scoped to the user; @supabase/supabase-js attaches it automatically. Server-side code verifies it against the Wok's signing key. Anon and service-role keys are issued per Wok and rotate on demand.
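The server-side verification step described above, as an added example (not Tellwang's or GoTrue's own code). It assumes the token is HS256-signed with the Wok's JWT secret and carries GoTrue-style `sub` and `exp` claims; `verifyWokJwt`, `signForDemo` and the demo values are hypothetical names and constructed data.

```javascript
// Added example: verify a Wok-issued JWT on the server before trusting its claims.
// Assumption: HS256 signed with the Wok's JWT secret; claim names are GoTrue-style.
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64urlJson = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

function verifyWokJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, sig] = parts;

  // Pin the algorithm: never let the token header choose it ("none", key confusion).
  let header;
  try { header = b64urlJson(h); } catch { throw new Error("malformed token"); }
  if (header.alg !== "HS256") throw new Error("unexpected alg");

  // Recompute the MAC over "header.payload" and compare in constant time.
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }

  // Parse and trust claims only after the signature checks out.
  const claims = b64urlJson(p);
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  if (typeof claims.sub !== "string" || claims.sub === "") throw new Error("missing sub");
  return claims; // sub: the user id (assumed to be what auth.uid() reads under RLS)
}

// Constructed helper and sample data so the example runs offline.
function signForDemo(claims, secret, alg = "HS256") {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const body = `${enc({ alg, typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${createHmac("sha256", secret).update(body).digest("base64url")}`;
}
const DEMO_SECRET = "constructed-demo-secret";
const DEMO_NOW = 1700000000;
const DEMO_TOKEN = signForDemo(
  { sub: "user-123", role: "authenticated", exp: DEMO_NOW + 3600 }, DEMO_SECRET);
```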
const { data, error } = await tw.auth.signInWithPassword({
  email: "ops@acme.com", password,
});
// subsequent tw.from(...) calls run as this user, under RLS
OAuth providers (shipped)
GoTrue ships in every Wok with all the standard third-party providers built-in. Turn one on by setting the corresponding env vars on the Wok — click Env on any Wok card in the dashboard, paste your provider config from a .env file via the bulk endpoint, or PUT one var at a time from your CLI / agent.
# One shot — POST the whole provider block as dotenv. Atomic; either every
# var lands or none (validated before any write).
curl -X POST https://tellwang.com/v1/woks/$WOK/env \
  -H "Authorization: Bearer $TELLWANG_KEY" \
  -H "Content-Type: application/json" \
  -d '{"dotenv":"GOTRUE_EXTERNAL_GOOGLE_ENABLED=true\nGOTRUE_EXTERNAL_GOOGLE_CLIENT_ID=...\nGOTRUE_EXTERNAL_GOOGLE_SECRET=...\nGOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI=https://<wok-id>.tellwang.com/auth/v1/callback"}'
# Bulk doesn't auto-restart (per-var PUT does); follow with restart for
# immediate effect.
curl -X POST https://tellwang.com/v1/woks/$WOK/restart \
  -H "Authorization: Bearer $TELLWANG_KEY"
Same recipe works for GITHUB, APPLE, AZURE, BITBUCKET, DISCORD, FACEBOOK, LINKEDIN, NOTION, SLACK, SPOTIFY, TWITCH, TWITTER, ZOOM. Values are AES-256-GCM encrypted at rest under the cp's KEK — GET /env never returns them back. See api-reference → wok-env for the per-var PUT path and the full body-shape spec.
Roadmap
- Magic links — gated on the per-Wok email subsystem.
- Enterprise SSO (SAML / OIDC, SCIM provisioning) — Phase-7, after shared-tenancy parity ships.