feat(auth): add support for Supabase Auth sb identifier by mandarini · Pull Request #1959 · supabase/supabase-js

Summary

Add client-side support for the sb identifier that Supabase Auth server adds to OAuth redirect URLs (supabase/auth#2299).

Problem

auth-js intercepts all URL fragments containing access_token, including those from non-Supabase OAuth providers (e.g., Facebook Login). This causes unintended authentication issues when apps use multiple OAuth providers.

Solution

  • Updated _isImplicitGrantCallback() to check for the sb parameter first
  • Falls back to legacy detection (access_token / error_description) for backwards compatibility with older Auth server versions
  • Updated JSDoc documentation with a comprehensive example

Example

  // New default behavior (automatic):
  // 1. Check for 'sb' parameter (new Auth servers)
  // 2. Fall back to access_token/error_description (legacy)

  // Custom predicate for advanced use cases:
  detectSessionInUrl: (url, params) => {
    if ('sb' in params) return true
    if (url.pathname === '/facebook/redirect') return false
    return Boolean(params.access_token || params.error_description)
  }

Related

Blocked by:

TODO as breaking change

On v3, as breaking change, remove the legacy fallback
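
The custom predicate from the Example section, run against constructed redirect URLs, as an added example that is not part of the PR or of supabase-js. The hosts, the `/fb-login` path, the token values, the empty `sb=` value, the helper names, and the choice to read parameters from both query string and fragment are all assumptions.

```javascript
// Added illustration: every name and URL below is constructed, not taken from supabase-js.

// Collect parameters from the query string and the fragment (assumed parsing).
function callbackParams(url) {
  const params = Object.create(null) // no inherited keys, so `in` checks are exact
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash
  for (const source of [url.search, fragment]) {
    for (const [key, value] of new URLSearchParams(source)) params[key] = value
  }
  return params
}

// Same shape as the predicate in the PR description: (url, params) => boolean.
function detectSessionInUrl(url, params) {
  if ('sb' in params) return true                         // marked by Supabase Auth
  if (url.pathname === '/facebook/redirect') return false // handled by another SDK
  return Boolean(params.access_token || params.error_description) // legacy fallback
}

// What the v3 TODO describes: no legacy fallback, only the sb marker counts.
function detectStrict(url, params) {
  return 'sb' in params
}

// Constructed redirect URLs covering each case the description mentions.
const samples = {
  supabaseNew: 'https://app.example/callback#access_token=aaa&token_type=bearer&sb=',
  supabaseLegacy: 'https://app.example/callback#access_token=bbb&token_type=bearer',
  facebookKnownPath: 'https://app.example/facebook/redirect#access_token=ccc',
  facebookOtherPath: 'https://app.example/fb-login#access_token=ddd',
  plainPage: 'https://app.example/dashboard#section-2',
}

function classify(predicate) {
  const result = {}
  for (const [name, href] of Object.entries(samples)) {
    const url = new URL(href)
    result[name] = predicate(url, callbackParams(url))
  }
  return result
}

// facebookOtherPath is still claimed while the legacy fallback exists.
console.log(classify(detectSessionInUrl))
console.log(classify(detectStrict))
```

While the legacy fallback is in place, a third-party fragment on a path the predicate does not exclude is still treated as a Supabase callback; only the strict variant rejects it.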