How to Add Login to a Lovable App
Lovable uses Supabase Auth for authentication. You can add email/password, magic link, or social login by prompting Lovable to set up authentication. It generates the full auth flow including sign-up, sign-in, password reset, and protected routes — all backed by Supabase.
Why this matters
Without login, every visitor sees the same content and can access everything. Adding authentication lets you personalize the experience, protect user data, and control who can access specific features — all critical for apps handling any private information.
What's at stake
Launching without authentication when your app handles user data means anyone can access any user's information. Even a simple "share with friends" app needs login to separate one user's data from another.
Step by step.
Connect your Lovable project to Supabase
If not already connected, link your Lovable project to a Supabase instance. This is required for authentication — Supabase provides the auth backend.
Prompt Lovable to add authentication
Tell Lovable what you need: "Add email and password authentication with a login page, signup page, and password reset. Protect the dashboard route so only logged-in users can access it." Be specific about which routes should be protected.
Configure auth settings in Supabase
In the Supabase dashboard, go to Authentication > Settings. Enable email confirmation to prevent fake signups. Enable the Password HIBP Check (leaked password detection) for extra security. Add your app URL to the redirect allowlist.
Add social login providers (optional)
To add Google or GitHub login, configure the OAuth providers in Supabase Auth settings with your client ID and secret. Then prompt Lovable: "Add Google sign-in button to the login page." Lovable generates the OAuth flow.
Test the complete auth flow
Sign up with a test account. Verify email confirmation works. Test login, logout, and password reset. Try accessing protected routes while logged out to confirm they redirect to the login page.
Verify your Lovable app authentication is properly configured
- Automated check for common auth misconfigurations
- Verification that protected routes actually require login
- Auth flow testing to catch broken sign-up or login paths
Frequently asked questions.
Yes. Lovable apps use Supabase Auth, which supports Google, GitHub, Apple, Facebook, Twitter, and many other OAuth providers. Configure the provider in your Supabase dashboard, then prompt Lovable to add the social login buttons.
Yes. Supabase Auth supports magic links natively. Prompt Lovable to "add magic link authentication" and it will generate a login flow that sends a sign-in link to the user's email instead of requiring a password.
Ask Lovable to add route protection: "Make the /dashboard, /settings, and /profile routes require authentication. Redirect unauthenticated users to the login page." Lovable creates an auth guard component that wraps protected routes.
Supabase Auth is free for up to 50,000 monthly active users on the free tier. For most new apps, this is more than enough. Paid plans start at $0.00325 per MAU beyond the free limit.