by wenbo
1494 days ago
Supabase dev here! I believe this is you: https://github.com/supabase/supabase/discussions/5911#discus.... I just want to let you know that I saw your comment! Thank you so much for the kind words!
> 2) Recently added built-in database-driven GraphQL module is ingenious, but would benefit greatly from Realtime capability
A member of the team is currently investigating this so please stay tuned. I'll pass on the rest of your feedback internally. Thanks again!
Also, for systems like Firebase, it's possible to mint a custom token based on the (locally verified) uid and additional JWT claims. This still requires implementing a (small) endpoint to do that, though. But that's a bit orthogonal to the signature algorithm choice.
The third part that remains unsolved is OIDC federation - so for example, I could exchange a JWK-signed Supabase token for a Google IAM token, based on its public JWKS endpoint.
Another unsolved concern I haven't mentioned is obviously from the standpoint of security: sharing a symmetric key is "dangerous" because it could leak (and requires a sensitive context for verification).
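
An added example, not part of the comment above and not Supabase's code, showing the difference that comment describes: an HS256 verifier must hold the signing secret itself, while an ES256 verifier needs only the public JWK it would fetch from a JWKS endpoint. The helper `newIssuerKey`, the `kid` values and all keys are assumptions made for illustration, and expiry/audience checks are left out.

```javascript
// Added illustration: HS256 (shared secret) vs ES256 (public JWK) verification.
const { createHmac, createPublicKey, generateKeyPairSync,
        sign, verify, timingSafeEqual } = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const encode = (header, claims) =>
  `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;

// Issuer: HS256 signs with the shared secret, ES256 with a private key.
function signHS256(claims, secret) {
  const input = encode({ alg: 'HS256', typ: 'JWT' }, claims);
  return `${input}.${createHmac('sha256', secret).update(input).digest('base64url')}`;
}
function signES256(claims, privateKey, kid) {
  const input = encode({ alg: 'ES256', typ: 'JWT', kid }, claims);
  const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
// Hypothetical helper: a fresh P-256 key plus the JWKS document an issuer would publish.
function newIssuerKey(kid) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, jwks: { keys: [{ ...publicKey.export({ format: 'jwk' }), kid }] } };
}

// Verifier: the expected alg is fixed by the function called; the token's
// own "alg" header is compared against it and never used to pick the check.
function parse(token, alg) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, claims] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString()));
  if (header.alg !== alg) throw new Error('unexpected alg');
  return { header, claims, input: `${parts[0]}.${parts[1]}`, sig: Buffer.from(parts[2], 'base64url') };
}
function verifyHS256(token, secret) { // must hold the same secret that signs
  const { claims, input, sig } = parse(token, 'HS256');
  const mac = createHmac('sha256', secret).update(input).digest();
  if (sig.length !== mac.length || !timingSafeEqual(sig, mac)) throw new Error('bad signature');
  return claims;
}
function verifyES256(token, jwks) { // holds only public keys
  const { header, claims, input, sig } = parse(token, 'ES256');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = createPublicKey({ key: jwk, format: 'jwk' });
  const ok = verify('sha256', Buffer.from(input), { key, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  return claims;
}
```

Every service that calls `verifyHS256` has to be provisioned with the value that also signs tokens, whereas the JWKS passed to `verifyES256` contains no private component and can be published.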