From 4b8d5f550298c3c6d4b496c97a2c7f890cd8085c Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski
Date: Wed, 25 Jun 2025 17:15:51 +0200
Subject: [PATCH 1/3] docs: add workos tpa docs (#36662)
* docs: add workos to 3rd party auth docs
* Commit @charislam's suggestions
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
* more explanation of the user_role claim
* drop CLI instructions for now
* add WorkOS to nav menu
* fix typo
* use issuer not client id
* fix prettier
---------
Co-authored-by: Cameron Matheson
Co-authored-by: Cameron Matheson
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
---
 .../NavigationMenu.constants.ts | 1 +
 .../guides/auth/third-party/overview.mdx | 1 +
 .../guides/auth/third-party/workos.mdx | 57 +++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 apps/docs/content/guides/auth/third-party/workos.mdx
diff --git a/apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts b/apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts
index 709b3c495dbcc..7ede31efb625a 100644
--- a/apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts
+++ b/apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts
@@ -663,6 +663,7 @@ export const auth = {
 { name: 'Firebase Auth', url: '/guides/auth/third-party/firebase-auth' },
 { name: 'Auth0', url: '/guides/auth/third-party/auth0' },
 { name: 'AWS Cognito (Amplify)', url: '/guides/auth/third-party/aws-cognito' },
+ { name: 'WorkOS', url: '/guides/auth/third-party/workos' },
 ],
 },
 {
diff --git a/apps/docs/content/guides/auth/third-party/overview.mdx b/apps/docs/content/guides/auth/third-party/overview.mdx
index 447f9f79f783a..9698ececa01c6 100644
--- a/apps/docs/content/guides/auth/third-party/overview.mdx
+++ b/apps/docs/content/guides/auth/third-party/overview.mdx
@@ -10,6 +10,7 @@ Supabase has first-class support for these third-party authentication providers:
 - [Firebase Auth](/docs/guides/auth/third-party/firebase-auth)
 - [Auth0](/docs/guides/auth/third-party/auth0)
 - [AWS Cognito (with or without AWS Amplify)](/docs/guides/auth/third-party/aws-cognito)
+- [WorkOS](/docs/guides/auth/third-party/workos)
 You can use these providers alongside Supabase Auth, or on their own, to access the [Data API (REST and GraphQL)](/docs/guides/database), [Storage](/docs/guides/storage), [Realtime](/docs/guides/storage) and [Functions](/docs/guides/functions) from your existing apps.
diff --git a/apps/docs/content/guides/auth/third-party/workos.mdx b/apps/docs/content/guides/auth/third-party/workos.mdx
new file mode 100644
index 0000000000000..341a4b75f485c
--- /dev/null
+++ b/apps/docs/content/guides/auth/third-party/workos.mdx
@@ -0,0 +1,57 @@
+---
+id: 'auth-third-party-workos'
+title: 'WorkOS'
+subtitle: 'Use WorkOS with your Supabase project'
+---
+
+WorkOS can be used as a third-party authentication provider alongside Supabase Auth, or standalone, with your Supabase project.
+
+## Getting started
+
+1. First you need to add an integration to connect your Supabase project with your WorkOS tenant. You will need your WorkOS issuer. The issuer is `https://api.workos.com/user_management/`. Substitute your [custom auth domain](https://workos.com/docs/custom-domains/auth-api) for "api.workos.com" if configured.
+2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/settings/auth).
+3. Set up a JWT template to assign the `role: 'authenticated'` claim to your access token.
+
+## Setup the Supabase client library
+
+
+
+
+```typescript
+import { createClient } from '@supabase/supabase-js'
+import { createClient as createAuthKitClient } from '@workos-inc/authkit-js'
+
+const authkit = await createAuthKitClient('WORKOS_CLIENT_ID', {
+ apiHostname: '',
+})
+
+const supabase = createClient('https://.supabase.co', 'SUPABASE_ANON_KEY', {
+ accessToken: async () => {
+ return authkit.getAccessToken()
+ },
+})
+```
+
+
+
+
+
+## Add a new Third-Party Auth integration to your project
+
+In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/settings/auth) and find the Third-Party Auth section to add a new integration.
+
+## Set up a JWT template to add the authenticated role.
+
+Your Supabase project inspects the `role` claim present in all JWTs sent to it, to assign the correct Postgres role when using the Data API, Storage or Realtime authorization.
+
+WorkOS JWTs already contain a `role` claim that corresponds to the user's role in their organization. It is necessary to adjust the `role` claim to be `"authenticated"` like Supabase expects.
This can be done using JWT templates (navigate to Authentication -> Sessions -> JWT Template in the WorkOS Dashboard).
+
+This template overrides the `role` claim to meet Supabase's expectations, and adds the WorkOS role in a new `user_role` claim:
+
+```json
+{
+ "role": "authenticated",
+ "user_role": {{organization_membership.role}}
+}
+```
From 90739af4aa8a24f0a9b9f32d4bbf8544b1c00e42 Mon Sep 17 00:00:00 2001
From: vanzan01 <35181591+vanzan01@users.noreply.github.com>
Date: Wed, 25 Jun 2025 16:59:25 +0100
Subject: [PATCH 2/3] docs: fix Claude Code MCP installation command syntax (#36570)
Add missing -- separator in claude mcp add command. Without this separator, the CLI incorrectly interprets 'npx' as an environment variable instead of the command to execute, causing installation to fail. Fixes the command: claude mcp add supabase -s local -e SUPABASE_ACCESS_TOKEN=token npx -y @supabase/mcp-server-supabase@latest To work correctly as: claude mcp add supabase -s local -e SUPABASE_ACCESS_TOKEN=token -- npx -y @supabase/mcp-server-supabase@latest
---
 apps/docs/content/guides/getting-started/mcp.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/docs/content/guides/getting-started/mcp.mdx b/apps/docs/content/guides/getting-started/mcp.mdx
index a0baa71716b76..bb7cc28228a5f 100644
--- a/apps/docs/content/guides/getting-started/mcp.mdx
+++ b/apps/docs/content/guides/getting-started/mcp.mdx
@@ -117,7 +117,7 @@ You can also add the Supabase MCP server as a locally-scoped server, which will
 1. Run the following command in your terminal:
 ```bash
- claude mcp add supabase -s local -e SUPABASE_ACCESS_TOKEN=your_token_here npx -y @supabase/mcp-server-supabase@latest
+ claude mcp add supabase -s local -e SUPABASE_ACCESS_TOKEN=your_token_here -- npx -y @supabase/mcp-server-supabase@latest
 ```
 Locally-scoped servers take precedence over project-scoped servers with the same name and are stored in your project-specific user settings.
From 79a73e07bed4878a05bd000be74bb463af7e7876 Mon Sep 17 00:00:00 2001
From: Dan O'Brien
Date: Wed, 25 Jun 2025 12:07:11 -0400
Subject: [PATCH 3/3] add instructions for MCP server in Qodo Gen (#36056)
Co-authored-by: Dan OBrien
---
 apps/docs/content/guides/getting-started/mcp.mdx | 12 ++++++++++++
 supa-mdx-lint/Rule001HeadingCase.toml | 1 +
 supa-mdx-lint/Rule003Spelling.toml | 1 +
 3 files changed, 14 insertions(+)
diff --git a/apps/docs/content/guides/getting-started/mcp.mdx b/apps/docs/content/guides/getting-started/mcp.mdx
index bb7cc28228a5f..22f72bb04f729 100644
--- a/apps/docs/content/guides/getting-started/mcp.mdx
+++ b/apps/docs/content/guides/getting-started/mcp.mdx
@@ -14,6 +14,7 @@ The [Model Context Protocol](https://modelcontextprotocol.io/introduction) (MCP)
 - [Cline](#cline) (VS Code extension)
 - [Claude desktop](#claude-desktop)
 - [Claude code](#claude-code)
+- [Qodo Gen](#qodo-gen)
 Once connected, your AI assistants can interact with and query your Supabase projects on your behalf.
@@ -122,6 +123,17 @@ You can also add the Supabase MCP server as a locally-scoped server, which will
 Locally-scoped servers take precedence over project-scoped servers with the same name and are stored in your project-specific user settings.
+### Qodo Gen
+
+1. Open [Qodo Gen](https://docs.qodo.ai/qodo-documentation/qodo-gen) chat panel in VSCode or IntelliJ.
+1. Click `Connect more tools`.
+1. Click `+ Add new MCP`.
+1. Add the following configuration:
+
+ <$Partial path="mcp_supabase_config.mdx" variables={{ "app": "Qodo Gen" }} />
+
+1. Click `Save`.
+
 ### Next steps
 Your AI tool is now connected to Supabase using MCP. Try asking your AI assistant to create a new project, create a table, or fetch project config.
diff --git a/supa-mdx-lint/Rule001HeadingCase.toml b/supa-mdx-lint/Rule001HeadingCase.toml
index 872b473a5b66a..c8818c4e0d026 100644
--- a/supa-mdx-lint/Rule001HeadingCase.toml
+++ b/supa-mdx-lint/Rule001HeadingCase.toml
@@ -149,6 +149,7 @@ may_uppercase = [
 "Prisma",
 "Prometheus",
 "Python",
+ "Qodo Gen",
 "Queues?",
 "Quotas",
 "Query Performance",
diff --git a/supa-mdx-lint/Rule003Spelling.toml b/supa-mdx-lint/Rule003Spelling.toml
index b2babe01e78f8..3392a9e73e26f 100644
--- a/supa-mdx-lint/Rule003Spelling.toml
+++ b/supa-mdx-lint/Rule003Spelling.toml
@@ -237,6 +237,7 @@ allow_list = [
 "ProGuard",
 "PubSub",
 "Prisma",
+ "Qodo",
 "README",
 "Redis",
 "RedwoodJS",