Migrate Lovable Cloud Auth Users to Supabase — No Password Resets

The Biggest Fear in Lovable Cloud Migration: Your Users

When founders consider migrating from Lovable Cloud to Supabase, one question stops them cold: will my users need to reset their passwords? A forced password reset email sent to your entire user base is a support nightmare and a trust-damaging event. The good news: it's completely avoidable.

How Lovable Cloud Stores Passwords

Like most modern platforms, Lovable Cloud stores passwords as bcrypt hashes — not plain text. Bcrypt is a one-way hashing algorithm, meaning the original password can never be recovered. But the hash itself can be transferred and used on any platform that also supports bcrypt verification, including Supabase.

Step-by-Step: Migrating Auth Users to Supabase

Step 1: Export User Records from Lovable Cloud

Using Lovable's admin API, extract all user records including: user ID, email address, bcrypt password hash, email verification status, account creation date, and any custom metadata fields. Store this in an encrypted JSON file locally.

Step 2: Map OAuth Providers

For users who signed up via Google, GitHub, or other OAuth providers, you don't need to migrate password hashes — they authenticate via OAuth callback. What you do need to migrate: the OAuth provider identifier (subject ID), the linked email address, and any scopes or permissions stored on the user record. Update your OAuth app's callback URLs in Google Console / GitHub Apps to point to your new Supabase project's auth callback endpoint.

Step 3: Import Users into Supabase Auth

Supabase provides an admin.createUser() API that accepts raw password hashes. This is the critical function that makes zero-password-reset migration possible. Pass the exported bcrypt hash directly — Supabase GoTrue will accept it as-is and use it for future login verification. Never re-hash the password before importing; double-hashing breaks login permanently.

Step 4: Validate Auth Migration

Before going live: create a test account on Lovable Cloud, note the credentials, export it, import it to Supabase, and verify login works. Repeat with both email/password and OAuth accounts. Check that email verification status is preserved — verified users should not receive re-verification emails.

Step 5: Update Session Handling

Existing Lovable Cloud sessions (JWT tokens) will become invalid after migration — this is unavoidable. However, users are not 'logged out' permanently. They simply need to log in once more. This is a one-time session expiry, not a password reset. Communicate it proactively: 'We've upgraded our infrastructure. Please log in again.' Most users accept this without friction.

Common Auth Migration Mistakes to Avoid

• Re-hashing passwords before import: Pass the original hash directly to Supabase's createUser API. Re-hashing creates a double-hash that will never match the user's actual password.
• Forgetting OAuth callback URL updates: Google, GitHub, and other OAuth providers will reject login attempts that redirect to your old Lovable Cloud callback URL.
• Ignoring magic link users: Users who authenticate exclusively via magic link have no password hash to migrate. Supabase supports magic links natively — these users will request a new magic link on their first post-migration login.
• Missing custom user metadata: Lovable Cloud allows custom fields on user records (e.g., subscription tier, team ID). Export and import these as user_metadata in Supabase.

Want This Done For You?

Our Lovable Cloud to Supabase migration tool handles auth user migration as a standard step in every plan. We've migrated thousands of user accounts across 50+ apps with zero password resets. Get a free migration audit to understand exactly what your auth migration involves.