VibeFast
Core Concepts

Authentication

How authentication is wired from your backend to the Expo + Next.js clients.

VibeFast ships with a complete authentication system so you can gate screens, trigger password resets, and run social login flows without wiring everything yourself.

Both backends support: Email/Password, Google, Apple, GitHub, and Guest sessions.

Convex Auth

Backend Configuration

Auth providers are configured in packages/backend/convex/auth.ts, with OAuth secrets in auth.config.ts. The package includes helpers:

  • authPasswordReset — password reset flows
  • authOtp — OTP verification
  • authPasswordResetActions — reset actions

Convex Auth supports email/password, Google, Apple, GitHub, and the Anonymous provider (guest sessions that upgrade during onboarding).

Frontend Implementation

The native UI sits under apps/native/src/features/authentication. The layout file uses useConvexAuth plus AuthWatcher to sync navigation with the session.

import { useConvexAuth } from 'convex/react';

const { isAuthenticated, isLoading } = useConvexAuth();

Protecting Routes

Wrap layouts with the hook and redirect logic:

apps/native/src/app/(tabs)/_layout.tsx
const { isAuthenticated, isLoading } = useConvexAuth();

if (isLoading) return <SplashScreen />;
if (!isAuthenticated) return <Redirect href="/login" />;

Adding Providers

Edit auth.ts/auth.config.ts, then run pnpm dev:server so Convex reloads.

Supabase Auth

Backend Configuration

Auth is configured in the Supabase Dashboard under Authentication > Providers. Enable the providers you need (Email, Google, Apple, GitHub).

OAuth redirect URLs:

  • Web: https://your-domain.com/auth/callback
  • Native: your-app-scheme://auth/callback

Frontend Implementation

The native UI sits under apps/native/src/features/authentication. Sessions are stored in expo-secure-store.

import { supabase } from '@/lib/supabase';

// Check session
const { data: { session } } = await supabase.auth.getSession();

// Sign in
const { data, error } = await supabase.auth.signInWithPassword({
  email: 'user@example.com',
  password: 'password',
});

Protecting Routes

Use a session hook to guard layouts:

apps/native/src/app/(tabs)/_layout.tsx
const { session, isLoading } = useSession();

if (isLoading) return <SplashScreen />;
if (!session) return <Redirect href="/login" />;

Adding Providers

  1. Enable the provider in Supabase Dashboard
  2. Add OAuth credentials (Client ID, Secret)
  3. Configure redirect URLs

For native social auth, VibeFast follows Supabase's Expo social auth guide.

Shared Frontend Components

Both backends share the same UI screens in apps/native/src/features/authentication:

  • Login screen
  • Sign up screen
  • Password reset flow
  • OTP verification
  • Social login buttons

The components detect which backend is configured and use the appropriate auth methods.

Found an issue or bug in the docs?

Help me improve! If you spot any errors, typos, or have suggestions, please let me know.

Reach out on X/Twitter @zafarbuildzz

On this page

Convex AuthBackend ConfigurationFrontend ImplementationProtecting RoutesAdding ProvidersSupabase AuthBackend ConfigurationFrontend ImplementationProtecting RoutesAdding ProvidersShared Frontend Components