At a glance
The percentage of sign-in attempts through Supabase Auth (GoTrue) that fail server-side over the trailing hour. This card is Supabase-distinctive: Supabase Auth is the gatekeeper to the storefront. When sign-in fails, users cannot log in, cannot reach their account, and in many storefront designs cannot check out. A rising auth error rate is not a back-office metric; it is customers being locked out at the door. The alert fires above 5%, because a sustained sign-in failure rate at that level means a meaningful slice of returning users are being turned away.
| Data source | Supabase Auth (GoTrue) service logs and the project metrics endpoint. The card counts failed sign-in / token-grant attempts against total sign-in attempts on the Auth endpoints (/auth/v1/token, /auth/v1/verify, and related sign-in routes). |
| Metric basis | Sign-in error rate = failed sign-in attempts divided by total sign-in attempts, as a percentage, over the window. Server-side and provider-side failures, distinguished from expected user-side rejections where possible. |
| Aggregation window | 1h rolling. The rate is evaluated over the trailing hour, which smooths the natural minute-to-minute variance in login volume. |
| Alert threshold | > 5%. Below 5% is treated as the normal background of mistyped passwords and expired links; above 5% sustained signals a systemic fault. |
| Why it matters | Auth failures lock users out of the storefront. A misconfigured OAuth provider, an expired SMTP credential blocking magic links, a rate limit being hit, or a GoTrue fault all present here, and all of them stop returning customers from logging in and converting. |
| What counts | Failed sign-in and token-grant attempts: invalid-grant responses, provider callback failures, magic-link / OTP delivery or verification failures, and server errors from the Auth service. |
| What does NOT count | Sign-up attempts (a separate flow), session refreshes that succeed, and sign-outs. Pure user error such as a single mistyped password is part of the baseline, not an alert condition on its own. |
| Time window | 1h (rolling 1-hour window) |
| Alert trigger | > 5% |
| Roles | owner, platform, sre |
Calculation
The card divides failed sign-in attempts by total sign-in attempts on the Supabase Auth endpoints over the trailing hour:invalid_grant (wrong credentials), a failed OAuth provider callback, a magic-link or OTP that could not be delivered or verified, a rate-limit rejection, or a server error from the Auth service itself.
The window is one hour rather than five minutes because login volume is naturally bursty and uneven: a quiet midnight minute might see two attempts, one of which is a typo, which is a meaningless 50% rate. Averaging over the hour gives a stable denominator so the rate reflects a genuine pattern rather than small-sample noise. The 5% threshold is set above the normal background rate of mistyped passwords and lapsed magic links, so the alert fires on systemic faults (a broken provider, expired SMTP credentials, a rate-limit ceiling) rather than on everyday user error.
Worked example
A platform team runs a storefront where returning customers sign in with Google OAuth and email magic links. Snapshot taken on 18 Apr 26 at 10:00 BST, an hour after a routine credential rotation.| Window (BST) | Sign-in attempts | Failed | Error rate |
|---|---|---|---|
| 08:00 to 09:00 | 4,210 | 88 | 2.1% |
| 09:00 to 10:00 | 3,980 | 740 | 18.6% |
- Nearly one in five returning customers cannot log in. At 18.6%, a large slice of the storefront’s returning audience is being turned away at the door. For a storefront that gates checkout behind login, that is a direct, ongoing conversion loss for the duration of the fault.
- The credential rotation is the prime suspect. The spike began within the hour after a rotation. The two classic post-rotation auth failures are: an OAuth client secret that was rotated on the provider side but not updated in the Supabase Auth provider config (every Google sign-in callback then fails), or an SMTP credential that was rotated so magic-link emails can no longer be sent (every magic-link sign-in then fails to deliver). Splitting the failures by method tells you which.
- The fix is configuration, not capacity. Unlike a connection or query fault, an auth spike of this shape is almost never solved by scaling. It is solved by restoring the correct credential: update the OAuth client secret in the Auth provider settings, or fix the SMTP credentials for magic-link delivery. The moment the right secret is in place, the rate falls back to baseline.
Sibling cards merchants should reference together
| Card | Why pair it with Auth Sign-In Error Rate | What the combination tells you |
|---|---|---|
| Auth Active Users (24h) | The volume of users successfully signed in. | A rising error rate while active users fall confirms real lost logins, not noise. |
| PostgREST 5xx Error Rate % | The data-API surface alongside the Auth surface. | Both spiking equals a project-wide outage; Auth alone equals an Auth-specific fault. |
| Edge Function Error Rate % | Custom auth hooks often run as Edge Functions. | An Edge Function error spike can be the root cause of auth-hook failures showing here. |
| Realtime Connected Clients | Realtime auth depends on valid sessions. | Auth failures can drag down connected clients as sessions fail to establish. |
| Realtime Disconnect Rate (per min) | Expired or rejected tokens force Realtime disconnects. | An auth spike with a disconnect spike points at token validity problems. |
| Database Query Error Rate % | Auth writes user and session rows to the database. | A database error spike can cascade into auth failures if session writes fail. |
| Supabase Health Score | The composite this signal feeds. | A sustained auth error rate pulls the composite down, flagging a user-access problem. |
Reconciling against the source
Where to look in Supabase’s own tooling:Logs → Auth (GoTrue) in the managed-service console for the per-request sign-in log stream; the error bodies distinguishConfirm successful session creation with native SQL (theinvalid_grant, provider callback failures, and delivery failures. Authentication → Providers to confirm OAuth client IDs and secrets are current, the most common cause of a provider-driven spike. Authentication → Email / SMTP settings to confirm magic-link and OTP delivery credentials are valid. Authentication → Rate limits to check whether a rate-limit ceiling is being hit during traffic peaks. Project metrics endpoint (/customer/v1/privileged/metrics, Prometheus format) for the auth request and error series Vortex IQ reads.
auth schema):
| Reason | Direction | Why |
|---|---|---|
| User-error inclusion | Variable | A single mistyped password is a real failed attempt and counts; a console filter that shows only server errors will read lower. |
| Window alignment | Variable | The card uses a rolling 1-hour window; a console graph on calendar buckets can split a spike across two bars. |
| Flow scope | Card narrower | This card is sign-in only; a combined “Auth errors” console view may fold in sign-ups, recoveries, and token refreshes. |
| Sampling cadence | Brief lag | The metrics endpoint is scraped on an interval; a value at the exact moment of a spike may lag the live console graph by one scrape. |
| Card | Expected relationship | What causes divergence |
|---|---|---|
| Auth Active Users (24h) | A sustained error spike should depress active users. | Active users holding steady while errors spike suggests the failures are retried successfully. |
| PostgREST 5xx Error Rate % | Independent service surfaces. | Auth spiking with PostgREST clean isolates the fault to the Auth service or its provider config. |