Why Your Lovable App Login Stopped Working (And It's Probably Supabase)
Login was working yesterday. You didn't change anything — at least you don't think you did. Now when users try to log in, one of these things happens:
- The login page just spins forever
- They log in but get kicked back to the login page immediately
- They log in and can see other people's data
- They get a cryptic error about "JWTs" or "tokens"
Almost every time, the problem is how your app talks to Supabase — the database service that Lovable uses by default. The AI set it up in a way that works... until it doesn't.
How login actually works (the 30-second version)
When someone logs into your app, three things happen:
- They prove who they are. They type their email and password. Supabase checks if they match.
- They get a pass. If the email and password are right, Supabase gives them a "token" — think of it like a wristband at an event. It proves they were checked in.
- They use the pass to access stuff. Every time they load a page or save data, the app shows the wristband to Supabase, and Supabase decides what they're allowed to see.
When login "breaks," one of these three steps is failing. Let's go through each one.
Problem: The login page spins forever
This usually means your app can't reach Supabase at all. The most common reasons:
- Your Supabase URL or key is wrong. Maybe the AI changed it while fixing something else. Maybe you accidentally deleted it. Check your environment variables — you should have a SUPABASE_URL and a SUPABASE_ANON_KEY.
- Your Supabase project is paused. Supabase pauses free-tier projects after a week of inactivity. Go to your Supabase dashboard and check if your project is running.
- CORS is blocking the connection. This is a security feature of web browsers. If your published app is at a different address than Supabase expects, the browser blocks the connection. You won't see an error in the app — it just hangs.
What to try: Open your browser, press F12, click "Console," and look for red errors. If you see "Failed to fetch" or anything about CORS, that's your clue.
Problem: They log in but get kicked back
This means step 1 (proving identity) works, but step 2 (getting the pass) fails or step 3 (using the pass) is broken.
The most common cause: the app isn't saving the token correctly. The AI might have set up the login to work in one browser tab but not across page refreshes. So the user logs in, gets the wristband, but the app immediately forgets they have it.
Another common cause: your app redirects to the wrong page after login. The AI set the "after login, go to..." address wrong, and it points somewhere that requires login — creating an infinite loop.
What to try: Ask the AI specifically: "After successful login, where does the app redirect? Is the session being persisted in localStorage or cookies? Show me the auth state management code." You need to use these specific words because the AI needs to look at the right part of the code.
Problem: Everyone can see everyone's data
This is the dangerous one. If users can log in but can see other people's data — other people's profiles, orders, messages, anything — your app has a security problem called "missing Row Level Security."
Here's what happened: the AI told Supabase "let any logged-in user see all data" instead of "let each user see only their own data." This is the difference between checking "are they wearing a wristband?" versus checking "are they wearing the RIGHT wristband?"
This is not a minor issue. A security scan found that 170 out of 1,645 Lovable-built apps had exactly this problem — exposing emails, phone numbers, payment info, and even API keys to any logged-in user.
What to try: Go to your Supabase dashboard, click on your database tables, and check if "Row Level Security" is enabled. If it says "RLS disabled" on any table that has user data — that's your problem. But fixing it correctly requires understanding your data model, which is where most people get stuck.
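Here is what the wristband difference looks like as SQL you could run in the Supabase SQL editor. This is an added example, not code from Lovable or from any app in the scan mentioned above. It assumes a hypothetical table public.orders with a user_id column holding the owner's Supabase auth id; your table and column names will differ.

```sql
-- Added example. Assumption: hypothetical table public.orders whose user_id
-- column holds the Supabase auth id of the user who owns the row.
create table if not exists public.orders (
  id      bigint generated always as identity primary key,
  user_id uuid not null,
  item    text
);

-- 1. Audit: tables in the public schema that still have RLS switched off.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;

-- 2. Switch RLS on. Until a policy exists, the anon and authenticated roles get no rows.
alter table public.orders enable row level security;

-- 3. WEAK ("are they wearing a wristband?"): every logged-in user reads every row.
create policy "orders_read_all_logged_in" on public.orders
  for select to authenticated
  using (true);

-- 4. CORRECTED ("the RIGHT wristband"): drop the weak policy, match on owner.
drop policy if exists "orders_read_all_logged_in" on public.orders;

create policy "orders_read_own" on public.orders
  for select to authenticated
  using (auth.uid() = user_id);

-- Writes need their own policies. WITH CHECK validates the row being written,
-- so a user cannot insert or reassign a row under someone else's id.
create policy "orders_insert_own" on public.orders
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "orders_update_own" on public.orders
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- 5. Review what is now in force.
select tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public' and tablename = 'orders';
```

No delete policy is created here, so deletes by app users stay denied until you add one on purpose.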
Why the AI keeps getting this wrong
Authentication is one of the hardest things to get right in software. It involves multiple systems talking to each other (your app, Supabase, the browser), security rules that fail silently, and edge cases that only appear when real users do real things (opening multiple tabs, switching between email apps, using different browsers).
The AI builds auth that works for the "happy path" — one user, one tab, in preview mode. Real-world auth is a different animal, and it's one of the top reasons people need a human engineer.
Auth problems are the worst
They're hard to describe, hard to reproduce, and the AI keeps making them worse. Press the MeatButton inside ChatGPT or Claude and a real expert will look at your auth setup and tell you exactly what's broken. First one's free.