Custom authentication

I have a new Next.js application that is using for authentication. I’d like to use thin-backend for my database, but am having trouble determining how to swap out thin-backend’s authentication with my own custom authentication. Are there any guides for how to use your own JWTs for authenticating users?

I think I’ve figured out how to handle this from examples in: thin-backend/thin-backend-react at master · digitallyinduced/thin-backend · GitHub

Now I’m needing better understanding of how to handle creating new user policies though. I want the policy to allow anyone to create a user record upon login through, and then for them to only be able to read their own record after that.

Thanks for sharing :slight_smile: There’s no docs on this case yet. I’ll write the missing docs by tomorrow and update you right away once done.

Here’s a rough sketch how this should work:

  1. set up the JWT login for as described in How to use JWTs with Magic | Magic. This needs to be implemented inside your next.js app.

  2. The example uses JWTs using a single secret key (using HMAC). Thin uses JWT with RSA, which means that we have a private + public key pair. You can find the private key used for the Thin JWTs inside the Thin project settings > Auth > JWT > RSA Private Key:

    Use that private key as your secret in the next.js project and follow the docs on to configure the jsonwebtoken package to use RSA instead of the default HMAC:

        // privateKey holds the RSA private key from the Thin project settings (load it from an env var, do not hard-code it)
        let token = jwt.sign(
            { exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24 * process.env.SESSION_LENGTH_IN_DAYS },
            privateKey,
            { algorithm: 'RS256' }
        );
  3. Now you should have a process that allows the user to log in with, and exchange the token for a JWT that’s signed with the private key of your project. Now you just need to tell the Thin client about that JWT. You can do it like this:

    import { didCompleteAuthentication } from 'thin-backend/auth'

    // doMagicLinkLogin and getJWTFromDid are your own app's helpers: the login from step 1
    // and the call to your next.js endpoint that signs the RS256 JWT from step 2.
    async function loginProcess() {
        // Get the JWT:
        const didToken = await doMagicLinkLogin();
        const [jwt, userId] = await getJWTFromDid(didToken); // Our jwt response should also give us the userId, as Thin needs that userId
        // Tell thin about the JWT:
        didCompleteAuthentication(userId, jwt);
    }

    After didCompleteAuthentication is called, Thin will use the JWT for all API calls.


I’m giving up until someone helps. I can’t even create a policy that lets anyone and everyone create and update every record ever without running into row level security issues.

Love the thought of this service, but the documentation is inadequate for what may be my stupidity, but it seems like the service simply does not work as expected based upon simple policies like:

Thank you, this makes sense to me; I haven’t tried it yet though.

I can’t even create a policy that lets anyone and everyone create and update every record ever without running into row level security issues.

Can you share what you tried? Did you also run the migration after creating the policies?

Here’s a step by step on how to add a policy that allows anyone to create and update every record in a table:

Thin Create Public Policy