This one cost us two days.

The symptom

Supabase auth works perfectly on web and Android. On iOS, users tap "Sign in with Google" and... nothing happens. No error. No callback. The WebView just sits there.

The root cause

iOS WKWebView has strict security policies around cross-origin redirects. The standard OAuth flow redirects to Supabase's callback URL, which then redirects back to the app. iOS blocks the second redirect silently.

The fix: PKCE

PKCE (Proof Key for Code Exchange) changes the flow. Instead of relying on redirects, the client generates a random code verifier, sends a code challenge derived from it to the auth provider, and then exchanges the returned authorization code, together with the verifier, directly. No cross-origin redirect chain.

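// `supabase` is the app's existing Supabase client. PKCE itself is selected when
// that client is created (flowType: "pkce" in the createClient auth options).
const { data, error } = await supabase.auth.signInWithOAuth({
  provider: "google",
  options: {
    // Return the provider URL in data.url instead of navigating automatically.
    skipBrowserRedirect: true,
    // Deep link the app registers; the authorization code arrives here.
    redirectTo: "mymuaythai://auth/callback",
    queryParams: {
      access_type: "offline", // ask Google for a refresh token
      prompt: "consent", // always show the consent screen
    },
  },
});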
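What the verifier and challenge do in that exchange, as an added example (not code from the original post or from Supabase): the S256 derivation from RFC 7636 plus a constructed mock server showing that a code delivered over the deep link is useless without the verifier that started the flow. `MockAuthServer`, `createPkcePair`, `challengeFor` and `demo` are hypothetical names.

```javascript
// Added example (not from the original post): PKCE S256 as defined in RFC 7636.
const nodeCrypto = require("node:crypto");

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function challengeFor(verifier) {
  return nodeCrypto.createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Client side: 32 random bytes -> 43-char verifier (RFC 7636 allows 43-128).
function createPkcePair() {
  const verifier = nodeCrypto.randomBytes(32).toString("base64url");
  return { verifier, challenge: challengeFor(verifier), method: "S256" };
}

// Constructed stand-in for the auth server: remembers the challenge per code.
class MockAuthServer {
  constructor() { this.pending = new Map(); }

  authorize(challenge) {
    const code = nodeCrypto.randomBytes(16).toString("hex");
    this.pending.set(code, challenge);
    return code; // delivered to the app through the redirectTo deep link
  }

  exchange(code, verifier) {
    const expected = this.pending.get(code);
    this.pending.delete(code); // codes are single use, even on failure
    if (!expected || typeof verifier !== "string") return { ok: false };
    const a = Buffer.from(challengeFor(verifier));
    const b = Buffer.from(expected);
    const ok = a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
    return ok ? { ok: true, session: "constructed-session" } : { ok: false };
  }
}

// A party that only saw the code (no verifier) is rejected; the app is not.
function demo() {
  const server = new MockAuthServer();
  const app = createPkcePair();
  const seenCode = server.authorize(app.challenge);
  const otherApp = server.exchange(seenCode, createPkcePair().verifier);
  const code = server.authorize(app.challenge);
  const legit = server.exchange(code, app.verifier);
  return { otherApp: otherApp.ok, legit: legit.ok };
}

console.log(demo());
```

The verifier never leaves the app until the final exchange, which is why it should live in the app's own storage and not in the callback URL.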

The lesson

Always test auth flows on physical iOS devices, not just simulators. And if you're using Supabase Auth with React Native, enable PKCE from day one — don't wait until you discover the silent failure in production.
