docs(auth): surface global-scope warning on signOut JSDoc #2269
Merged
mandarini merged 2 commits into supabase:develop on Apr 28, 2026
Issue supabase#1608 flagged that supabase.auth.signOut() defaults to scope: 'global', which signs the user out of every device they're signed in on — unlike most auth libraries. The existing JSDoc did mention the default in passing, but it was easy to miss and users have spent days debugging why sessions keep disappearing on other devices after a routine sign-out (linked in supabase#1608).

Rework the JSDoc so the default scope is impossible to miss:

- Add a warning callout directly under the one-liner description, noting that 'global' signs out every device and pointing at { scope: 'local' } as the common choice.
- Strengthen the @remarks bullet with the same guidance (shared / public devices are the canonical pain point).
- Rename the @example headings so the default case is labelled 'Sign out of every device (global – default)' with a ⚠️ comment, 'local' is tagged '(recommended for most apps)', and 'others' reads as 'keep the current one'.

Docs-only. Behavior and types unchanged, no breaking changes.

Addresses the first of the three asks in supabase#1608 (prominent warning). The error-message rename and potential behavior change in a major release are left for a separate discussion.
mandarini (Contributor) requested changes on Apr 27, 2026 and left a comment:
Hi @MukundaKatta, thank you so much for contributing to Supabase! 💚 This is a really useful change.
Two small things before I can merge:
- Could we tweak the "shared or public devices" framing? On first read it sounds like the opposite advice (one might assume aggressive global logout is for kiosks). The intent is "don't accidentally terminate the user's session on their phone when they sign out of a kiosk", but the sentence makes the reader work for it. Something like:
> Pass `{ scope: 'local' }` to only sign out the current session. This is usually what apps want on a "Sign out" button, especially when users sign in from multiple devices and do not expect signing out of one to terminate the others.
- Could we drop the warning emojis from the JSDoc? We try to keep the public API docs emoji-free across the SDK, so a plain **Warning:** (or **Note:**) prefix would fit our style better. The bold + clear wording will still make the warning stand out in IDE tooltips.
Everything else looks great. The follow-up on the hosted docs page would be very welcome too, separately.
Contributor, Author
Thanks @mandarini, both addressed in 5b99a05.
Will follow up separately on the hosted-docs page.
mandarini approved these changes on Apr 28, 2026
mandarini added a commit that referenced this pull request on Apr 28, 2026
…#2269) (#2301) Co-authored-by: Mukunda Rao Katta <[email protected]>
🔍 Description
What changed?
Reworked the JSDoc on `GoTrueClient.signOut` so the default `scope: 'global'` is impossible to miss:

- `{ scope: 'local' }` as the common choice.
- `@remarks` bullet with the same guidance (shared/public devices are the canonical pain point).
- `@example` headings so the default is labelled "Sign out of every device (global – default)" with a `local` is tagged "(recommended for most apps)", and `others` reads as "keep the current one".

No runtime, type, or API changes — just the JSDoc block above `signOut()` in `packages/core/auth-js/src/GoTrueClient.ts`.

Why was this change needed?

Issue #1608 flagged that `supabase.auth.signOut()` defaults to `scope: 'global'` — unlike most auth libraries — which signs the user out of every device they're signed in on, including phones/other tabs. The existing JSDoc mentioned the default in passing, but it was easy to miss. Users have spent days debugging why sessions randomly disappear on unrelated devices after a routine sign-out (linked from #1608).

Addresses the first of the three asks in #1608 ("Add a big fat red warning about this"). The error-message rename ("refresh token not found" → "refresh token has been revoked") and the potential behavior change for a major release are out of scope for this docs-only PR and left for separate discussion.
Refs #1608
📸 Screenshots/Examples
Before (existing JSDoc, paraphrased):
After — the warning is hoisted above `@remarks`, flagged with ⚠️, and the `@example` block labels each scope with its real-world use:

🔄 Breaking changes
📋 Checklist
- docs(auth): surface global-scope warning on signOut JSDoc
- `prettier --check` on the changed file (clean)

📝 Additional notes
Scoped intentionally narrow: the same warning probably belongs on the hosted guide at https://supabase.com/docs/guides/auth/signout and on `gotrue-js` equivalents. Happy to open follow-ups in those repos if this direction looks right.
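
The three scopes discussed in this PR, modelled as an added example (not code from the PR or from auth-js): a toy in-memory session store showing which devices can still refresh after a sign-out from one device. `SessionStore`, `survivingDevices`, the device names and the token values are assumptions made for illustration; the error string is the one quoted in the PR description.

```javascript
// Toy in-memory model of per-user sessions (constructed; not Supabase's server code).
// It mirrors the three scopes named in the signOut JSDoc: 'global', 'local', 'others'.
class SessionStore {
  constructor() {
    this.sessions = new Map(); // refreshToken -> { userId, device }
    this.counter = 0;
  }

  signIn(userId, device) {
    const refreshToken = `rt-${++this.counter}`; // constructed token value
    this.sessions.set(refreshToken, { userId, device });
    return refreshToken;
  }

  // The default mirrors the documented default: 'global'.
  signOut(currentToken, { scope = 'global' } = {}) {
    const current = this.sessions.get(currentToken);
    if (!current) return { error: 'refresh token not found' };
    if (!['global', 'local', 'others'].includes(scope)) {
      return { error: `unknown scope: ${scope}` };
    }
    for (const [token, s] of [...this.sessions]) {
      if (s.userId !== current.userId) continue; // never touch other users
      const isCurrent = token === currentToken;
      const revoke =
        scope === 'global' ||
        (scope === 'local' && isCurrent) ||
        (scope === 'others' && !isCurrent);
      if (revoke) this.sessions.delete(token);
    }
    return { error: null };
  }

  // What a device sees on its next token refresh.
  refresh(token) {
    return this.sessions.has(token)
      ? { error: null }
      : { error: 'refresh token not found' };
  }
}

// Sign in on three devices, sign out from the kiosk, list devices that still refresh.
function survivingDevices(scope) {
  const store = new SessionStore();
  const tokens = ['phone', 'laptop', 'kiosk'].map((d) => [d, store.signIn('user-1', d)]);
  store.signOut(tokens[2][1], scope === undefined ? undefined : { scope });
  return tokens.filter(([, t]) => store.refresh(t).error === null).map(([d]) => d);
}
```

Calling `survivingDevices()` with no argument exercises the default and leaves no device signed in, while `'local'` keeps the phone and laptop sessions alive.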