is it bad pattern to create two supabase clients on serverside ?

[psm-solution-group]

Hello,

I make some network calls to my serverside and I use the supabase client on serverside. Now I have seen I can create admin account and saw this tutorial snippet:

const supabase = createClient(supabase_url, service_role_key, {
  auth: {
    autoRefreshToken: false,
    persistSession: false
  }
})

So when a user makes a network call and the token is expired do I got an error ? Should I create two supabase client ? supabaseUserClient and supabaseAdminClient

const supabaseUserClient = createClient(supabase_url, service_role_key);

const supabaseAdminClient = createClient(supabase_url, service_role_key, {
  auth: {
    autoRefreshToken: false,
    persistSession: false
  }
})

[GaryAustin1]

Not really clear what you are seeking to do. It is normal to have a client on the server for user calls (normally using something like ssr/auth-helpers). You can also have a client for service_role like your first image. If you want your user client and not using ssr/auth-helpers then you would have a client with anon key and have to set the authorization header in create client with a user jwt.

If the token expires for a user jwt then you will get an error.

[psm-solution-group]

If I login my user via serverside with this creditentials:

  auth: {
    autoRefreshToken: false,
    persistSession: false
  }

Then when the jwt expires the token not valid until he logs in again or do I missunderstand something ?

My users are logged in via app. And above I set this creditentials what happend when the jwt expires ? But I need above the credientials because my admin on my dashboard via web have to login and they should not logged in when they close the browser and opens again

[GaryAustin1]

Seems like you want to look at ssr/auth-helpers. https://supabase.com/docs/guides/auth/server-side/overview

If you have browser/app and server code then it is complicated to keep all clients in sync as far as expiring jwt's and logging in.
You can't pass a session to server side code and refresh it there if you don't then pass the session back to the client. Two clients cannot refresh the same jwt.

[psm-solution-group]

Okey thanks I will keep a look.

Can you explain me what the difference between these two ?

supabase.auth.admin.createUser
supabase.auth.signUp

Both are stored in auth.users and they dont have any different flags when I create with both functions above. I think the only different is I can set app_metadata with admin.createUser

[GaryAustin1]

admin.createUser is only run on serverside and you can add app metadata.
signUp is for a user to run on any client to create a new account. It runs on the browser or server.

[psm-solution-group]

Ok nice.

Is it not recommend and safe to use this flags for my admins ?

  auth: {
    autoRefreshToken: true,
    persistSession: false
  }

When I use autoRefreshtoken true and persist false. Can I use it and it is also safe ?

[GaryAustin1]

The refresh only applies to a client with a user session in it. If you are using just a service role client then it does nothing useful as the service_role never expires and the refresh flag only applies to keeping a user session refreshed.