Migration Guide

Import Supabase Users

Move users from Supabase Auth into OAuth42. Use the database import path when you need to preserve password hashes so users can sign in with their existing passwords.

Choose an import method

Supabase Admin API

Uses your Supabase project URL and service role key. This is the quickest setup, but Supabase does not expose password hashes through the Admin API.

Use this method when users should receive activation or password reset emails.

Supabase Database

Connects to the Supabase Postgres database and reads the auth.users table. This method can import bcrypt password hashes.

Use this method for seamless migrations where users keep their existing passwords.

Use the Session pooler URL

For database imports, use Supabase's Session poolerconnection string, not the direct database hostname. The direct hostname can resolve to IPv6-only addresses in some production container networks, which causes connection failures such as Network is unreachable.

In Supabase, open Project Settings -> Database -> Connection string, choose Session pooler, and copy the URI.

Connection string format

postgresql://postgres.<project-ref>:<database-password>@<region>.pooler.supabase.com:5432/postgres?sslmode=require

Username format matters

The Session pooler username is postgres.<project-ref>, not plain postgres. Keep the same database password you use for the Supabase project.

Example

If your Supabase project ref is abcd1234efgh5678and Supabase shows the pooler region aws-0-us-west-1, the URL should look like this:

postgresql://postgres.abcd1234efgh5678:<database-password>@aws-0-us-west-1.pooler.supabase.com:5432/postgres?sslmode=require

Replace <database-password> with your Supabase database password. Do not paste service role keys or database passwords into tickets, chat, logs, or source control.

Run the import

  1. Open the Supabase import page in the OAuth42 portal.
  2. Select Database as the connection method.
  3. Paste the Session pooler URI and click Test Connection.
  4. Preview the users and review duplicates before continuing.
  5. Keep Update and link to tenant selected for duplicates when existing OAuth42 users should become members of this tenant.
  6. Choose Import password hashes when you want users to keep their existing Supabase passwords.
  7. Run a dry run first, then run the real import during your migration window.

SCIM Provisioning

Automate user lifecycle management after migration.

Security Best Practices

Review token, password, and operational security guidance.