How to fix anonymous_provider_disabled: Anonymous sign-ins are disabled in Supabase

SupabaseINTERMEDIATEMEDIUM

The "anonymous_provider_disabled: Anonymous sign-ins are disabled" error occurs when Supabase Auth attempts anonymous authentication but anonymous sign-ins are not enabled in the project settings. This prevents users from creating temporary anonymous accounts until anonymous authentication is properly configured and enabled.

What this error means

The "anonymous_provider_disabled" error is a Supabase Auth error that indicates anonymous authentication is currently disabled for your project. When Supabase receives a request for anonymous sign-in, it checks whether the anonymous authentication provider is enabled in the project configuration. Anonymous authentication allows users to create temporary accounts without providing email, phone, or social credentials. These accounts are useful for features like guest access, shopping carts before registration, or trial experiences. The accounts can later be upgraded to permanent accounts by linking email or social providers. This error typically appears in development environments where anonymous authentication hasn't been set up yet, or in production when anonymous sign-ins were intentionally disabled for security, compliance, or maintenance reasons. Without enabling the anonymous provider, any attempts to use anonymous authentication will fail with this specific error code. The error serves as a configuration check to ensure that anonymous authentication is explicitly enabled before allowing anonymous sign-ins, preventing accidental exposure of authentication endpoints that aren't ready for use.

How to fix "anonymous_provider_disabled: Anonymous sign-ins are disabled"

1Enable anonymous authentication in Supabase Dashboard

First, enable anonymous authentication in your Supabase project settings:

1. Navigate to Supabase Dashboard:
- Go to your project → Authentication → Providers
- Scroll to the "Anonymous" section (may be under "Email" or separate)

2. Enable anonymous sign-in:
- Toggle "Enable anonymous sign-in" to ON (green)
- If you don't see this option, ensure you have Supabase version 1.0 or later

3. Configure anonymous user settings (if available):
- Set session duration for anonymous users (default: 30 days)
- Configure automatic cleanup of inactive anonymous accounts
- Set permissions for anonymous users

bash

# After enabling in dashboard, test with:
curl -X POST 'https://YOUR_PROJECT.supabase.co/auth/v1/signup'   -H 'apikey: YOUR_ANON_KEY'   -H 'Content-Type: application/json'   -d '{"provider": "anonymous"}'

2Verify anonymous provider is properly configured

Check that all required anonymous authentication settings are correctly configured:

javascript

// Check current auth configuration
const { data: settings, error } = await supabase.auth.getSettings();

if (!error && settings) {
  console.log('Anonymous auth enabled:', settings.anonymous_sign_in_enabled === true);
  console.log('External providers:', settings.external);

  // Anonymous should be enabled in settings
  const anonymousEnabled = settings.anonymous_sign_in_enabled === true;
  console.log('Anonymous provider enabled:', anonymousEnabled);
}

Manual verification steps:
1. In Supabase Dashboard → Authentication → URL Configuration
2. Check "Site URL" is set (required for redirects)
3. Verify "Enable anonymous sign-ins" is checked in Providers
4. Ensure no rate limiting is blocking anonymous authentication
5. Check project has necessary permissions for anonymous user creation

3Implement anonymous authentication in your application

Once enabled, implement anonymous authentication in your code:

javascript

// Basic anonymous sign-in
async function signInAnonymously() {
  const { data, error } = await supabase.auth.signInAnonymously();

  if (error) {
    if (error.code === 'anonymous_provider_disabled') {
      console.error('Anonymous auth disabled. Enable in Supabase dashboard.');
      // Show user-friendly message or fallback
      return;
    }
    console.error('Anonymous auth error:', error.message);
    return;
  }

  console.log('Anonymous user created:', data.user.id);
  console.log('Session:', data.session);
  // User is now authenticated anonymously
}

// Anonymous user with custom data
async function createAnonymousUserWithData() {
  const { data, error } = await supabase.auth.signInAnonymously({
    options: {
      data: {
        display_name: 'Guest User',
        guest_type: 'trial',
        created_via: 'web_app'
      }
    }
  });

  if (error) {
    console.error('Error:', error);
    return;
  }

  // User created with additional metadata
  console.log('User metadata:', data.user.user_metadata);
}

// Upgrade anonymous user to permanent account
async function upgradeAnonymousUser(email, password) {
  const { data: { user } } = await supabase.auth.getUser();

  if (!user) {
    console.error('No user logged in');
    return;
  }

  // Check if user is anonymous
  if (user.is_anonymous) {
    const { data, error } = await supabase.auth.linkIdentity({
      identity: {
        provider: 'email',
        email: email
      }
    });

    if (error) {
      console.error('Upgrade failed:', error);
      return;
    }

    // Now set password to make account permanent
    const { error: updateError } = await supabase.auth.updateUser({
      password: password,
      email: email
    });

    if (updateError) {
      console.error('Password set failed:', updateError);
      return;
    }

    console.log('Anonymous user upgraded to email account');
  }
}

4Configure Row Level Security (RLS) for anonymous users

Set up appropriate database permissions for anonymous users:

sql

-- Example: Allow anonymous users to read public data
CREATE POLICY "Anonymous users can read public data"
ON public.products
FOR SELECT
TO anon, authenticated
USING (is_public = true);

-- Example: Allow anonymous users to create cart items
CREATE POLICY "Anonymous users can create their own cart items"
ON public.cart_items
FOR INSERT
TO anon, authenticated
WITH CHECK (auth.uid() = user_id);

-- Example: Allow anonymous users to update their own data
CREATE POLICY "Anonymous users can update their own profiles"
ON public.user_profiles
FOR UPDATE
TO anon, authenticated
USING (auth.uid() = user_id);

-- Check current RLS policies
SELECT schemaname, tablename, policyname, permissive, roles, cmd, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
ORDER BY tablename, policyname;

Best practices for anonymous user RLS:
1. Limit anonymous user permissions to necessary operations only
2. Use auth.uid() to ensure users only access their own data
3. Consider time-based restrictions for anonymous accounts
4. Implement cleanup policies for abandoned anonymous data
5. Audit anonymous user activity regularly

5Set up anonymous user lifecycle management

Manage anonymous user accounts effectively:

javascript

// Automatic cleanup of old anonymous users
async function cleanupOldAnonymousUsers(daysOld = 30) {
  const cutoff = new Date();
  cutoff.setDate(cutoff.getDate() - daysOld);

  // Query for old anonymous users
  const { data: oldUsers, error } = await supabase
    .from('auth.users')
    .select('id, created_at, email, raw_user_meta_data')
    .eq('is_anonymous', true)
    .lt('created_at', cutoff.toISOString())
    .limit(100);

  if (error) {
    console.error('Error fetching old anonymous users:', error);
    return;
  }

  // Delete or mark as inactive
  for (const user of oldUsers) {
    // Option 1: Delete user (permanent)
    // await supabase.auth.admin.deleteUser(user.id);

    // Option 2: Mark as inactive
    await supabase
      .from('user_profiles')
      .update({ status: 'inactive' })
      .eq('user_id', user.id);

    console.log('Processed anonymous user: ' + user.id);
  }
}

// Monitor anonymous user activity
async function getAnonymousUserStats() {
  const { data: stats, error } = await supabase
    .from('auth.users')
    .select('count', { count: 'exact', head: true })
    .eq('is_anonymous', true);

  if (error) {
    console.error('Error getting stats:', error);
    return;
  }

  console.log('Total anonymous users: ' + stats.count);

  // Get recent activity
  const { data: recentActivity } = await supabase
    .from('user_sessions')
    .select('user_id, created_at, action')
    .eq('is_anonymous', true)
    .order('created_at', { ascending: false })
    .limit(10);

  return { total: stats.count, recentActivity };
}

// Anonymous user upgrade tracking
async function trackAnonymousUpgrades() {
  const { data: upgrades, error } = await supabase
    .from('user_upgrades')
    .select('anonymous_user_id, upgraded_to, upgraded_at, method')
    .order('upgraded_at', { ascending: false })
    .limit(50);

  if (error) {
    console.error('Error tracking upgrades:', error);
    return;
  }

  console.log('Recent upgrades: ' + upgrades.length);
  return upgrades;
}

6Implement graceful fallbacks and user messaging

When anonymous authentication is disabled or fails, provide clear user feedback:

javascript

// Client-side error handling for anonymous auth
async function handleAnonymousAuth() {
  try {
    const { error } = await supabase.auth.signInAnonymously();

    if (error) {
      if (error.code === 'anonymous_provider_disabled') {
        // Show user-friendly message
        showErrorMessage(
          'Guest access is currently unavailable. ' +
          'Please create an account or use an existing one.'
        );

        // Offer alternatives
        showAlternativeOptions(['email_signup', 'social_login', 'skip_for_now']);
        return;
      }
      throw error;
    }

    // Success - proceed with guest experience
    startGuestExperience();
  } catch (err) {
    console.error('Auth error:', err);
    showGenericError();
  }
}

// Alternative flows when anonymous auth is disabled
function showAlternativeOptions(options) {
  const availableFlows = {
    email_signup: () => supabase.auth.signUp({ email, password }),
    social_login: (provider) => supabase.auth.signInWithOAuth({ provider }),
    skip_for_now: () => {
      // Use localStorage for temporary data instead of authenticated user
      localStorage.setItem('guest_session', generateGuestId());
      proceedWithoutAuth();
    }
  };

  // Show buttons for available options
  options.forEach(option => {
    if (availableFlows[option]) {
      createOptionButton(option, availableFlows[option]);
    }
  });
}

// Feature detection for anonymous auth
async function checkAnonymousAuthAvailable() {
  try {
    // Try a test sign-in (will fail fast if disabled)
    const { error } = await supabase.auth.signInAnonymously();

    if (error && error.code === 'anonymous_provider_disabled') {
      return false;
    }

    // If we got here without that error, it's available
    // Cancel the test sign-in if it succeeded
    await supabase.auth.signOut();
    return true;
  } catch (err) {
    console.error('Check failed:', err);
    return false;
  }
}

// Use feature detection to adjust UI
async function initializeApp() {
  const anonymousAvailable = await checkAnonymousAuthAvailable();

  if (anonymousAvailable) {
    showGuestOption();
  } else {
    hideGuestOption();
    showMessage('Guest access unavailable - please sign up or log in');
  }
}

User communication best practices:
- Clearly state when guest/anonymous access is unavailable
- Provide immediate alternatives (sign up, social login, skip)
- Explain benefits of creating an account vs. staying anonymous
- Maintain user data if they switch from anonymous to registered

Advanced notes

## Anonymous Authentication Architecture in Supabase

### How Anonymous Auth Works
1. User initiates anonymous auth → Client calls signInAnonymously()
2. Supabase validates request → Checks if anonymous provider is enabled
3. If disabled → Returns anonymous_provider_disabled error immediately
4. If enabled → Creates user record with is_anonymous = true flag
5. Session created → Returns auth session like regular user
6. User data stored → Anonymous user can have metadata but no credentials

### Anonymous User Characteristics
- No credentials: Cannot log in with email/password
- Temporary: Can be automatically cleaned up after inactivity
- Upgradable: Can be linked to email, phone, or social providers
- Limited permissions: Should have restricted RLS policies
- Trackable: Have unique IDs for session management

### Security Considerations

When to disable anonymous auth:
- Applications requiring strong user verification
- Compliance requirements (GDPR, HIPAA, etc.)
- High-risk applications (financial, healthcare)
- During security incidents or audits
- When anonymous user abuse is detected

Risks of anonymous auth:
- Spam accounts: Easy to create many anonymous users
- Data accumulation: Anonymous user data may not be properly cleaned
- Session hijacking: If session tokens are compromised
- Resource consumption: Anonymous users consume database resources

### Performance and Scaling

Database impact:
- Each anonymous user creates a row in auth.users
- Session storage required for each active anonymous user
- RLS policies must be optimized for anonymous access patterns
- Consider cleanup jobs for inactive anonymous users

Scaling strategies:
1. Automatic cleanup: Remove anonymous users after X days of inactivity
2. Rate limiting: Limit anonymous user creation per IP/device
3. Quotas: Limit features available to anonymous users
4. Progressive profiling: Gradually collect info before requiring sign-up

### Migration and Backup Considerations

Project migrations:
- Anonymous auth settings don't automatically migrate between projects
- Anonymous users in auth.users table need special handling
- RLS policies for anonymous users must be recreated
- Test anonymous auth thoroughly after migration

Backup strategies:
- Consider excluding anonymous users from critical backups
- Document anonymous user retention policy
- Implement differential backup for anonymous vs. registered users

### Compliance and Legal Aspects

GDPR considerations:
- Anonymous users may still be considered "data subjects"
- Right to erasure applies if user can be identified
- Document data retention policies for anonymous users
- Consider privacy implications of anonymous user tracking

Industry-specific regulations:
- Healthcare: Anonymous users may not be appropriate for PHI
- Finance: May require strong user identification
- Education: May need to track user progress across sessions

### Alternative Patterns When Anonymous Auth is Disabled

1. Local storage only: Store data in browser without user accounts
2. Temporary email accounts: Generate disposable email addresses
3. Social login only: Require social providers for quick sign-up
4. Deferred registration: Collect data first, require sign-up later
5. Session-based guests: Use server sessions instead of user accounts

### Monitoring and Analytics

Key metrics to track:
- Anonymous user creation rate
- Anonymous to registered conversion rate
- Anonymous user session duration
- Feature usage by anonymous vs. registered users
- Error rates for anonymous auth attempts
- Cleanup statistics (users removed, data purged)

Alerting setup:
- Monitor anonymous_provider_disabled error spikes
- Alert on abnormal anonymous user creation patterns
- Track anonymous user resource consumption
- Monitor upgrade/conversion funnel metrics

How to fix anonymous_provider_disabled: Anonymous sign-ins are disabled in Supabase

What this error means

Typical symptoms

Common causes

How to fix "anonymous_provider_disabled: Anonymous sign-ins are disabled"

Advanced notes

Related errors

Official resources & further reading