bitcain docs

Auth & Users

User authentication, profiles, roles, sessions, and device management.

29 tables in this group.

users

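| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | uuid_generate_v4() |
| email | text | No | |
| display_name | text | Yes | |
| avatar_url | text | Yes | |
| timezone | text | Yes | 'UTC'::text |
| locale | text | Yes | 'en'::text |
| subscription_tier | text | Yes | 'free'::text |
| api_quota_remaining | int4 | Yes | 1000 |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |
| last_login_at | timestamptz | Yes | |
| preferences | jsonb | Yes | '{}'::jsonb |
| is_active | bool | Yes | true |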

RLS Policies:

  • Admins or users can delete profiles — DELETE for {public}
  • Admins or users can update profiles — UPDATE for {public}
  • Admins or users can view profiles — SELECT for {public}

Indexes:

  • users_email_key
  • users_pkey

user

Better Auth user accounts - main user table for authentication

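| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| email | text | No | |
| email_verified | bool | Yes | false |
| name | text | Yes | |
| image | text | Yes | |
| username | text | Yes | |
| phone | text | Yes | |
| phone_verified | bool | Yes | false |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |
| banned | bool | Yes | false |
| ban_reason | text | Yes | |
| ban_expires_at | timestamptz | Yes | |
| subscription_tier | text | Yes | 'free'::text |
| subscription_status | text | Yes | 'inactive'::text |
| stripe_customer_id | text | Yes | |
| stripe_subscription_id | text | Yes | |
| subscription_expires_at | timestamptz | Yes | |
| trial_ends_at | timestamptz | Yes | |
| api_calls_today | int4 | Yes | 0 |
| trades_today | int4 | Yes | 0 |
| last_usage_reset | timestamptz | Yes | now() |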

RLS Policies:

  • Users can update their own profile — UPDATE for {public}
  • Users can view their own profile — SELECT for {public}

Indexes:

  • idx_user_stripe_customer
  • idx_user_stripe_subscription
  • idx_user_subscription_expires
  • idx_user_subscription_status
  • idx_user_subscription_tier
  • user_email_key
  • user_pkey
  • user_username_key

account

OAuth and social provider linked accounts

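| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| provider | text | No | |
| provider_account_id | text | No | |
| provider_user_id | text | Yes | |
| access_token | text | Yes | |
| refresh_token | text | Yes | |
| id_token | text | Yes | |
| expires_at | timestamptz | Yes | |
| token_type | text | Yes | |
| scope | text | Yes | |
| account_linked | bool | Yes | true |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |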

RLS Policies:

  • Users can delete their own linked accounts — DELETE for {public}
  • Users can view their own linked accounts — SELECT for {public}

Indexes:

  • account_pkey
  • account_provider_provider_account_id_key

session

Active user sessions with expiration management

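| Column | Type | Nullable | Default |
|---|---|---|---|
| id | text | No | |
| user_id | uuid | No | |
| expires_at | timestamptz | No | |
| ip_address | text | Yes | |
| user_agent | text | Yes | |
| token | text | No | |
| active_token | text | Yes | |
| fresh | bool | Yes | true |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |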

RLS Policies:

  • Users can delete their own sessions — DELETE for {public}
  • Users can view their own sessions — SELECT for {public}

Indexes:

  • idx_session_active
  • session_pkey
  • session_token_key

passkey

WebAuthn/Passkey credentials for passwordless authentication

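| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| credential_id | text | No | |
| public_key | text | No | |
| counter | int4 | Yes | 0 |
| device_type | text | Yes | |
| name | text | Yes | |
| transports | _text | Yes | |
| authenticator_aaguid | text | Yes | |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |
| last_used_at | timestamptz | Yes | |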

RLS Policies:

  • Users can manage their own passkeys — ALL for {public}

Indexes:

  • passkey_credential_id_key
  • passkey_pkey

magic_link

Magic link tokens for passwordless email authentication

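| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| email | text | No | |
| token | text | No | |
| expires_at | timestamptz | No | |
| used | bool | Yes | false |
| used_at | timestamptz | Yes | |
| user_id | uuid | Yes | |
| request_ip | text | Yes | |
| request_user_agent | text | Yes | |
| created_at | timestamptz | Yes | now() |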

RLS Policies:

  • Users can view own magic links — SELECT for {public}

Indexes:

  • idx_magic_link_user_id
  • magic_link_pkey
  • magic_link_token_key

verification

Email verification and password reset tokens

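| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| identifier | text | No | |
| value | text | No | |
| expires_at | timestamptz | No | |
| type | text | No | |
| user_id | uuid | Yes | |
| used | bool | Yes | false |
| used_at | timestamptz | Yes | |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |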

RLS Policies:

  • Users can view their own verification tokens — SELECT for {public}

Indexes:

  • verification_pkey

two_factor

Two-factor authentication settings and backup codes

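| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| secret | text | No | |
| backup_codes | _text | Yes | |
| enabled | bool | Yes | false |
| recovery_email | text | Yes | |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |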

RLS Policies:

  • Users can update their own 2FA settings — UPDATE for {public}
  • Users can view their own 2FA settings — SELECT for {public}

Indexes:

  • two_factor_pkey
  • two_factor_user_id_key

profiles

User profiles with RLS enabled. Users can only access their own profile unless they are admin/superadmin.

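| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | |
| full_name | text | Yes | |
| username | text | Yes | |
| avatar_url | text | Yes | |
| website | text | Yes | |
| updated_at | timestamptz | Yes | |
| created_at | timestamptz | Yes | now() |
| two_factor_enabled | bool | Yes | false |
| two_factor_secret | text | Yes | |
| last_login | timestamptz | Yes | |
| login_count | int4 | Yes | 0 |
| is_verified | bool | Yes | false |
| verification_token | text | Yes | |
| kyc_tier | int4 | Yes | 0 |
| country | text | Yes | |
| kyc_tier_updated_at | timestamptz | Yes | |
| bio | text | Yes | |
| location | text | Yes | |
| address_line | text | Yes | |
| city | text | Yes | |
| state | text | Yes | |
| zipcode | text | Yes | |
| phone | text | Yes | |
| phone_country_code | text | Yes | '+1'::text |
| role | text | No | 'user'::text |
| notification_preferences | jsonb | Yes | '{"news": false, "push": false, "email": true, "price_ale... |
| email | text | Yes | |
| onboarding_completed | bool | Yes | false |
| onboarding_completed_at | timestamptz | Yes | |
| onboarding_step | text | Yes | 'welcome'::text |
| email_verified | bool | Yes | false |
| email_verified_at | timestamptz | Yes | |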

RLS Policies:

  • profiles_delete_own — DELETE for {authenticated}
  • profiles_insert_own — INSERT for {authenticated}
  • profiles_select_own — SELECT for {authenticated}
  • profiles_service_role_all — ALL for {service_role}
  • profiles_update_own — UPDATE for {authenticated}

Indexes:

  • idx_profiles_email
  • idx_profiles_id_lookup
  • idx_profiles_role
  • profiles_pkey
  • profiles_username_key

user_roles

User role assignments and trading limits for RBAC

| Column | Type | Nullable | Default |
|---|---|---|---|
| id | int8 | No | |
| user_id | uuid | No | |
| role | app_role | No | 'user'::app_role |
| kyc_status | kyc_status | No | 'pending'::kyc_status |
| kyc_verified_at | timestamptz | Yes | |
| kyc_expires_at | timestamptz | Yes | |
| trade_limit_daily | numeric | No | 1000.00 |
| trade_limit_weekly | numeric | No | 5000.00 |
| trade_limit_monthly | numeric | No | 20000.00 |
| withdrawal_limit_daily | numeric | No | 500.00 |
| withdrawal_limit_weekly | numeric | No | 2000.00 |
| withdrawal_limit_monthly | numeric | No | 8000.00 |
| account_tier | account_tier | No | 'free'::account_tier |
| tier_expires_at | timestamptz | Yes | |
| is_active | bool | No | true |
| notes | text | Yes | |
| last_kyc_check | timestamptz | Yes | |
| created_at | timestamptz | No | now() |
| updated_at | timestamptz | No | now() |
| created_by | uuid | Yes | |
| updated_by | uuid | Yes | |

RLS Policies:

  • Admins can update user roles — UPDATE for {public}
  • Users can view their own role — SELECT for {public}

Indexes:

  • user_roles_pkey
  • user_roles_user_id_key

role_permissions

Permission mappings for each role

| Column | Type | Nullable | Default |
|---|---|---|---|
| id | int8 | No | |
| role | app_role | No | |
| permission | app_permission | No | |
| description | text | Yes | |
| created_at | timestamptz | No | now() |

RLS Policies:

  • Everyone can view role permissions — SELECT for {public}

Indexes:

  • role_permissions_pkey
  • role_permissions_role_permission_key

admin_roles

Tracks admin users and their permissions

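| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | uuid_generate_v4() |
| user_id | uuid | No | |
| role_type | text | No | |
| permissions | jsonb | No | '[]'::jsonb |
| granted_by | uuid | Yes | |
| granted_at | timestamptz | No | now() |
| expires_at | timestamptz | Yes | |
| is_active | bool | No | true |
| created_at | timestamptz | No | now() |
| updated_at | timestamptz | No | now() |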

RLS Policies:

  • Admins can view all admin roles — SELECT for {authenticated}
  • Super admins can delete admin roles — DELETE for {authenticated}
  • Super admins can grant admin roles — INSERT for {authenticated}
  • Super admins can update admin roles — UPDATE for {authenticated}

Indexes:

  • admin_roles_pkey
  • admin_roles_user_id_role_type_key

admin_allowlist

Allowlist of email addresses authorized for admin access

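| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| email | text | No | |
| added_by | text | Yes | |
| notes | text | Yes | |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |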

RLS Policies:

  • Admin allowlist viewable by admins — SELECT for {public}
  • Only super admin can delete allowlist — DELETE for {public}
  • Only super admin can insert allowlist — INSERT for {public}
  • Only super admin can update allowlist — UPDATE for {public}

Indexes:

  • admin_allowlist_email_key
  • admin_allowlist_pkey

user_sessions

| Column | Type | Nullable | Default |
|---|---|---|---|
| session_id | uuid | No | uuid_generate_v4() |
| user_id | uuid | No | |
| vault_unlocked | bool | No | false |
| vault_unlocked_at | timestamptz | Yes | |
| status | varchar(20) | No | 'active'::character varying |
| ip_address | inet | No | |
| user_agent | text | Yes | |
| device_fingerprint | text | Yes | |
| geo_country | varchar(2) | Yes | |
| geo_city | varchar(100) | Yes | |
| created_at | timestamptz | No | now() |
| last_activity_at | timestamptz | No | now() |
| expires_at | timestamptz | No | |
| idle_timeout_minutes | int4 | No | 60 |
| vault_unlock_attempts | int4 | Yes | 0 |
| failed_auth_attempts | int4 | Yes | 0 |
| termination_reason | text | Yes | |

RLS Policies:

  • rls_user_sessions_delete — DELETE for {public}
  • rls_user_sessions_insert — INSERT for {public}
  • rls_user_sessions_select — SELECT for {public}
  • rls_user_sessions_update — UPDATE for {public}

Indexes:

  • idx_user_sessions_user_id
  • idx_user_sessions_user_status
  • user_sessions_pkey

supabase_sessions

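| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | |
| user_id | uuid | No | |
| access_token | text | No | |
| refresh_token | text | Yes | |
| token_type | varchar(20) | Yes | |
| expires_in | int4 | Yes | |
| expires_at | timestamp | Yes | |
| provider_token | text | Yes | |
| provider_refresh_token | text | Yes | |
| user_agent | varchar(500) | Yes | |
| ip_address | varchar(45) | Yes | |
| created_at | timestamp | No | |
| updated_at | timestamp | Yes | |
| last_accessed_at | timestamp | Yes | |
| revoked_at | timestamp | Yes | |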

RLS Policies:

  • supabase_sessions_delete_own — DELETE for {public}
  • supabase_sessions_insert_own — INSERT for {public}
  • supabase_sessions_select_own — SELECT for {public}
  • supabase_sessions_update_own — UPDATE for {public}

Indexes:

  • ix_supabase_sessions_user_id
  • supabase_sessions_pkey

supabase_users

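| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | |
| aud | varchar(255) | No | |
| role | varchar(255) | No | |
| email | varchar(255) | No | |
| email_confirmed_at | timestamp | Yes | |
| phone | varchar(15) | Yes | |
| phone_confirmed_at | timestamp | Yes | |
| last_sign_in_at | timestamp | Yes | |
| confirmation_token | varchar(255) | Yes | |
| confirmation_sent_at | timestamp | Yes | |
| recovery_token | varchar(255) | Yes | |
| recovery_sent_at | timestamp | Yes | |
| email_change_token_new | varchar(255) | Yes | |
| email_change | varchar(255) | Yes | |
| email_change_sent_at | timestamp | Yes | |
| provider | varchar(50) | Yes | |
| provider_id | varchar(255) | Yes | |
| encrypted_password | varchar(255) | Yes | |
| is_sso_user | bool | Yes | |
| is_anonymous | bool | Yes | |
| banned_until | timestamp | Yes | |
| deleted_at | timestamp | Yes | |
| app_metadata | json | Yes | |
| user_metadata | json | Yes | |
| raw_app_meta_data | json | Yes | |
| raw_user_meta_data | json | Yes | |
| created_at | timestamp | No | |
| updated_at | timestamp | Yes | |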

RLS Policies:

  • supabase_users_delete_own — DELETE for {public}
  • supabase_users_insert_own — INSERT for {public}
  • supabase_users_select_own — SELECT for {public}
  • supabase_users_update_own — UPDATE for {public}

Indexes:

  • ix_supabase_users_email
  • supabase_users_pkey

trusted_devices

Stores trusted device information for "remember this device" MFA functionality. Devices are trusted for 30 days.

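| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| device_fingerprint | text | No | |
| device_name | text | Yes | |
| trusted_at | timestamptz | No | now() |
| expires_at | timestamptz | No | |
| last_used_at | timestamptz | Yes | now() |
| user_agent | text | Yes | |
| ip_address | inet | Yes | |
| revoked | bool | Yes | false |
| created_at | timestamptz | No | now() |
| updated_at | timestamptz | No | now() |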

RLS Policies:

  • Users can create their own trusted devices — INSERT for {public}
  • Users can delete their own trusted devices — DELETE for {public}
  • Users can update their own trusted devices — UPDATE for {public}
  • Users can view their own trusted devices — SELECT for {public}

Indexes:

  • idx_trusted_devices_expiry
  • idx_trusted_devices_expiry_cleanup
  • idx_trusted_devices_lookup
  • idx_trusted_devices_user_fingerprint
  • trusted_devices_pkey
  • trusted_devices_user_id_device_fingerprint_key

signup_attempts

Log of all signup attempts for rate limiting and fraud detection

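| Column | Type | Nullable | Default |
|---|---|---|---|
| id | int8 | No | |
| email | text | No | |
| ip_address | text | No | |
| user_agent | text | Yes | |
| success | bool | No | false |
| failure_reason | text | Yes | |
| blocked_by_hook | bool | Yes | false |
| attempted_at | timestamptz | No | now() |
| metadata | jsonb | Yes | |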

RLS Policies:

  • Admins can view signup attempts — SELECT for {public}
  • Auth admin can insert signup attempts — INSERT for {supabase_auth_admin}

Indexes:

  • signup_attempts_pkey

password_history

Password history for rotation policy enforcement

| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| password_hash | text | No | |
| created_at | timestamptz | Yes | now() |

RLS Policies:

  • Users can view own password history — SELECT for {public}

Indexes:

  • password_history_pkey

password_failed_verification_attempts

Track failed password attempts for rate limiting and account protection

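| Column | Type | Nullable | Default |
|---|---|---|---|
| id | int8 | No | |
| user_id | uuid | Yes | |
| email | text | No | |
| ip_address | text | No | |
| user_agent | text | Yes | |
| failure_reason | text | No | |
| attempted_at | timestamptz | No | now() |
| metadata | jsonb | Yes | '{}'::jsonb |
| triggered_account_lock | bool | No | false |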

RLS Policies:

  • Admins or users can view password failures — SELECT for {public}
  • Auth admin can insert password failures — INSERT for {supabase_auth_admin}

Indexes:

  • idx_password_failed_verification_attempts_user_id
  • password_failed_verification_attempts_pkey

user_preferences

| Column | Type | Nullable | Default |
|---|---|---|---|
| user_id | uuid | No | |
| theme | text | Yes | 'dark'::text |
| language | text | Yes | 'en'::text |
| currency | text | Yes | 'USD'::text |
| timezone | text | Yes | 'UTC'::text |
| notifications | jsonb | Yes | '{"sms": false, "push": true, "email": true}'::jsonb |
| risk_tolerance | text | Yes | 'medium'::text |
| trading_preferences | jsonb | Yes | '{}'::jsonb |
| ui_preferences | jsonb | Yes | '{}'::jsonb |
| created_at | timestamptz | Yes | now() |
| updated_at | timestamptz | Yes | now() |

RLS Policies:

  • Users can manage their own preferences — ALL for {public}

Indexes:

  • user_preferences_pkey

user_permissions

User-specific permission overrides

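| Column | Type | Nullable | Default |
|---|---|---|---|
| id | int8 | No | |
| user_id | uuid | No | |
| permission | app_permission | No | |
| granted | bool | No | true |
| granted_by | uuid | Yes | |
| granted_at | timestamptz | No | now() |
| expires_at | timestamptz | Yes | |
| reason | text | Yes | |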

RLS Policies:

  • Admins can delete user permissions — DELETE for {public}
  • Admins can insert user permissions — INSERT for {public}
  • Admins can update user permissions — UPDATE for {public}
  • Admins or users can view permissions — SELECT for {public}

Indexes:

  • idx_user_permissions_granted_by
  • idx_user_permissions_user_id
  • user_permissions_pkey
  • user_permissions_user_id_permission_key

user_views

Stores user-specific view configurations and preferences

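| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| view_name | text | No | |
| view_data | jsonb | Yes | '{}'::jsonb |
| created_at | timestamptz | No | now() |
| updated_at | timestamptz | No | now() |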

RLS Policies:

  • Users can create their own views — INSERT for {public}
  • Users can delete their own views — DELETE for {public}
  • Users can update their own views — UPDATE for {public}
  • Users can view their own views — SELECT for {public}

Indexes:

  • user_views_pkey
  • user_views_user_id_view_name_key

user_notifications

In-app notifications shown in the notification center

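| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| type | notification_type | No | 'info'::notification_type |
| title | text | No | |
| message | text | No | |
| metadata | jsonb | Yes | '{}'::jsonb |
| link | text | Yes | |
| read_at | timestamptz | Yes | |
| created_at | timestamptz | No | now() |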

RLS Policies:

  • Service role can create notifications — INSERT for {service_role}
  • Users can update their own notifications — UPDATE for {public}
  • Users can view their own notifications — SELECT for {public}

Indexes:

  • idx_user_notifications_created_at
  • idx_user_notifications_read_at
  • idx_user_notifications_type
  • idx_user_notifications_user_id
  • idx_user_notifications_user_unread
  • user_notifications_pkey

push_subscriptions

Web Push notification subscriptions for browser notifications

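| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| endpoint | text | No | |
| p256dh_key | text | No | |
| auth_key | text | No | |
| user_agent | text | Yes | |
| device_name | text | Yes | |
| subscription_metadata | jsonb | Yes | '{}'::jsonb |
| created_at | timestamptz | No | now() |
| updated_at | timestamptz | No | now() |
| last_used_at | timestamptz | Yes | |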

RLS Policies:

  • Service role can manage push subscriptions — ALL for {service_role}
  • Users can create their own push subscriptions — INSERT for {public}
  • Users can delete their own push subscriptions — DELETE for {public}
  • Users can update their own push subscriptions — UPDATE for {public}
  • Users can view their own push subscriptions — SELECT for {public}

Indexes:

  • idx_push_subscriptions_created_at
  • idx_push_subscriptions_endpoint
  • idx_push_subscriptions_user_id
  • push_subscriptions_endpoint_key
  • push_subscriptions_pkey

user_devices

Tracks user devices for security, device trust, and suspicious activity detection

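| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| device_fingerprint | text | No | |
| device_name | text | Yes | |
| device_type | text | Yes | |
| user_agent | text | No | |
| browser_name | text | Yes | |
| browser_version | text | Yes | |
| os_name | text | Yes | |
| os_version | text | Yes | |
| last_ip_address | inet | Yes | |
| last_country_code | text | Yes | |
| last_city | text | Yes | |
| last_latitude | numeric | Yes | |
| last_longitude | numeric | Yes | |
| is_trusted | bool | Yes | false |
| trust_level | int4 | Yes | 0 |
| first_seen_at | timestamptz | No | now() |
| last_seen_at | timestamptz | No | now() |
| last_authenticated_at | timestamptz | Yes | |
| failed_login_attempts | int4 | Yes | 0 |
| suspicious_activity_count | int4 | Yes | 0 |
| is_blocked | bool | Yes | false |
| blocked_at | timestamptz | Yes | |
| blocked_reason | text | Yes | |
| total_logins | int4 | Yes | 1 |
| created_at | timestamptz | No | now() |
| updated_at | timestamptz | No | now() |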

RLS Policies:

  • Admins can manage all devices — ALL for {public}
  • Service role can insert devices — INSERT for {public}
  • Users can update own devices — UPDATE for {public}
  • Users can view own devices — SELECT for {public}

Indexes:

  • idx_user_devices_fingerprint
  • idx_user_devices_is_trusted
  • idx_user_devices_last_seen
  • idx_user_devices_suspicious
  • idx_user_devices_user_id
  • unique_user_device
  • user_devices_pkey

device_login_audit

Comprehensive audit log of all authentication attempts with device and location tracking

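| Column | Type | Nullable | Default |
|---|---|---|---|
| id | uuid | No | gen_random_uuid() |
| user_id | uuid | No | |
| device_id | uuid | Yes | |
| login_status | text | No | |
| login_method | text | Yes | |
| device_fingerprint | text | Yes | |
| user_agent | text | Yes | |
| ip_address | inet | Yes | |
| country_code | text | Yes | |
| city | text | Yes | |
| latitude | numeric | Yes | |
| longitude | numeric | Yes | |
| is_new_device | bool | Yes | false |
| is_new_location | bool | Yes | false |
| is_suspicious | bool | Yes | false |
| risk_score | int4 | Yes | 0 |
| anomaly_reasons | _text | Yes | |
| geolocation_distance_km | numeric | Yes | |
| time_since_last_login_seconds | int4 | Yes | |
| session_id | uuid | Yes | |
| access_token_jti | text | Yes | |
| alert_sent | bool | Yes | false |
| alert_sent_at | timestamptz | Yes | |
| alert_method | text | Yes | |
| created_at | timestamptz | No | now() |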

RLS Policies:

  • Admins can view all audit logs — SELECT for {public}
  • Service role can insert device audit logs — INSERT for {public}
  • Users can view own audit logs — SELECT for {public}

Indexes:

  • device_login_audit_pkey
  • idx_device_login_audit_device_id
  • idx_device_login_audit_ip
  • idx_device_login_audit_new_device
  • idx_device_login_audit_session
  • idx_device_login_audit_status
  • idx_device_login_audit_suspicious
  • idx_device_login_audit_user_id

role_change_log

Audit log for role changes

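| Column | Type | Nullable | Default |
|---|---|---|---|
| id | int8 | No | |
| user_id | uuid | No | |
| old_role | app_role | Yes | |
| new_role | app_role | No | |
| changed_by | uuid | No | |
| reason | text | Yes | |
| created_at | timestamptz | No | now() |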

RLS Policies:

  • Admins or users can view role changes — SELECT for {public}

Indexes:

  • idx_role_change_log_changed_by
  • role_change_log_pkey

allowed_email_domains

Whitelist of allowed email domains (optional - if empty, all non-blocked domains allowed)

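| Column | Type | Nullable | Default |
|---|---|---|---|
| id | int8 | No | |
| domain | text | No | |
| description | text | Yes | |
| added_by | uuid | Yes | |
| is_active | bool | No | true |
| added_at | timestamptz | No | now() |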

RLS Policies:

  • Admins can manage allowed email domains — ALL for {public}

Indexes:

  • allowed_email_domains_domain_key
  • allowed_email_domains_pkey
  • idx_allowed_email_domains_added_by
