Bug report
Describe the bug
WorkOS Third-Party Auth is configured and enabled, but all authenticated requests to PostgREST fail with:
{"code":"PGRST301","details":null,"hint":null,"message":"JWSError JWSInvalidSignature"}
To Reproduce
- Configure WorkOS as Third-Party Auth provider in Supabase Dashboard
- Set issuer URL:
https://api.workos.com/user_management/<client_id>
- Configure JWT Template in WorkOS with
role: "authenticated"
- Use
@supabase/supabase-js with accessToken option to pass WorkOS JWT
- Make any authenticated query → fails with JWSInvalidSignature
Expected behavior
Supabase should verify the JWT signature using the public key from WorkOS JWKS.
System information
- Supabase: Hosted (not self-hosted)
- OS: N/A (hosted)
- Browser: N/A (server-side)
- supabase-js version: latest
Additional context
Root Cause Analysis
I verified the JWT is valid:
iss matches configured issuerkid matches key in JWKSrole: "authenticated" presentalg: RS256 matches JWKS
The issue: WorkOS serves JWKS at a non-standard path that differs from the issuer URL:
# OIDC Discovery works and returns jwks_uri:
curl https://api.workos.com/user_management/client_XXX/.well-known/openid-configuration
# Returns: { "jwks_uri": "https://api.workos.com/sso/jwks/client_XXX" }
# Correct JWKS path (from jwks_uri):
curl https://api.workos.com/sso/jwks/client_XXX # 200
# Standard .well-known paths (what Supabase appears to try):
curl https://api.workos.com/user_management/client_XXX/.well-known/jwks # 404
curl https://api.workos.com/user_management/client_XXX/.well-known/jwks.json # 404 Supabase is not using the jwks_uri from OIDC discovery. It appears to hardcode a .well-known/jwks path under the issuer, which doesn't exist for WorkOS.
Proposed Fix
When verifying Third-Party Auth JWTs:
- Fetch {issuer}/.well-known/openid-configuration
- Use the jwks_uri from that response
- Fetch JWKS from the discovered URL
Related Issues
Workaround
Currently using service role key, which bypasses RLS entirely. This is not acceptable for production with row-level security requirements.
Request: If there's a workaround or configuration I'm missing, please let me know. I've followed the WorkOS Third-Party Auth docs exactly but still getting this error.
I'd appreciate any guidance on:
- Is there a way to manually specify the JWKS URL in the dashboard?
- Is there a timeline for fixing the JWKS discovery to use
jwks_uri from OIDC?
- Any other workaround besides using service role key (which bypasses RLS)?
Happy to provide more debug info if needed.
Bug report
Describe the bug
WorkOS Third-Party Auth is configured and enabled, but all authenticated requests to PostgREST fail with:
{"code":"PGRST301","details":null,"hint":null,"message":"JWSError JWSInvalidSignature"}
To Reproduce
https://api.workos.com/user_management/<client_id>role: "authenticated"@supabase/supabase-jswithaccessTokenoption to pass WorkOS JWTExpected behavior
Supabase should verify the JWT signature using the public key from WorkOS JWKS.
System information
Additional context
Root Cause Analysis
I verified the JWT is valid:
issmatches configured issuerkidmatches key in JWKSrole: "authenticated"presentalg: RS256matches JWKSThe issue: WorkOS serves JWKS at a non-standard path that differs from the issuer URL:
Supabase is not using the jwks_uri from OIDC discovery. It appears to hardcode a .well-known/jwks path under the issuer, which doesn't exist for WorkOS.
Proposed Fix
When verifying Third-Party Auth JWTs:
Related Issues
Workaround
Currently using service role key, which bypasses RLS entirely. This is not acceptable for production with row-level security requirements.
Request: If there's a workaround or configuration I'm missing, please let me know. I've followed the WorkOS Third-Party Auth docs exactly but still getting this error.
I'd appreciate any guidance on:
jwks_urifrom OIDC?Happy to provide more debug info if needed.