WZRD Studio does not use traditional username and password authentication. Instead, it authenticates users through a Thirdweb in-app wallet and then exchanges that wallet token for a Supabase session via a dedicated edge function. This design gives every project a verifiable on-chain identity while keeping the sign-in experience as simple as social login.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/gratitude5dee/wzrd-studio-desktopfinal/llms.txt
Use this file to discover all available pages before exploring further.
How the Auth Flow Works
The complete authentication sequence has three steps:- Wallet connect — The user selects an auth method (Google, Apple, Discord, email, passkey, or phone) in the Thirdweb
ConnectEmbedUI. Thirdweb handles the OAuth or credential flow and returns a connected in-app wallet with a signed token. - Token exchange — The app calls
POST /functions/v1/wallet-auth(the Supabasewallet-authedge function), passing the wallet address, a signed message, and its signature. The edge function verifies the signature and returns a Supabaseaccess_tokenandrefresh_token. - Session bootstrap — The app calls
supabase.auth.setSession({ access_token, refresh_token }), which establishes a full Supabase session. From this point on, all Supabase queries are authenticated as the wallet-owning user.
Desktop vs. Web Auth
The authentication behavior differs between the desktop (Electron) and web builds. The key difference is how Thirdweb redirects the user back to the app after the OAuth provider completes.Desktop Auth
On desktop, Thirdweb’s in-app wallet is configured to open social OAuth flows in a separate browser window and redirect back to the app via thewzrd:// custom URL scheme.
createThirdwebWallets({ isDesktop: true }) returns exactly two wallet options:
mode: 'window' and a redirectUrl pointing at the wzrd:// deep-link handler:
createThirdwebWallets is called with desktopAuthReturnUrl:
mode: 'window' with that return URL.
Deep-link callback
After the OAuth provider redirects towzrd://auth/thirdweb, Electron’s main process intercepts the URL and forwards it to the renderer via resolveDeepLinkToAppUrl. The deep-link handler in electron/deep-links.js validates and sanitizes the callback parameters (allowing authResult, authCookie, walletId, authProvider, and an optional next path) before routing to the /login page with those parameters attached.
Auth-sensitive parameters (Check this file if auth redirects are silently failing.
authResult, authCookie, walletId, authProvider) are redacted in log output. Diagnostic logs are written to:Web Auth
On the web build,createThirdwebWallets({ isDesktop: false }) returns the full wallet list including browser extension wallets:
mode: 'window' and no wzrd:// redirect URL are set. The OAuth callback is handled entirely within the browser.
The wallet-auth Edge Function
The wallet-auth Supabase edge function is the bridge between Thirdweb and Supabase. It lives at:
Required Environment Variables
| Variable | Where to find it | Purpose |
|---|---|---|
VITE_THIRDWEB_CLIENT_ID | thirdweb.com/dashboard → Project → Client ID | Initializes the Thirdweb client and wallet UI |
VITE_SUPABASE_URL | Supabase → Project Settings → API → Project URL | Points the app at your Supabase project |
VITE_SUPABASE_ANON_KEY | Supabase → Project Settings → API → anon/public key | Authenticates the frontend Supabase client |
Gatekeeper and Auth Redirects
Because WZRD Studio is currently unsigned, macOS may block thewzrd:// URL scheme from being registered on first launch. If the OAuth flow completes in the browser but the app does not receive the callback:
- Quit WZRD Studio.
- Right-click WZRD Studio.app in Applications → Open → confirm in the dialog.
- Retry the sign-in flow from inside the app.
wzrd:// redirects are handled automatically.
Auto-Authentication
Once a Thirdweb wallet is connected,AuthProvider automatically attempts to exchange it for a Supabase session without requiring the user to click a second “sign in” button. If the wallet-auth call fails (e.g. due to a rejected signature), the provider records the wallet address as failed and does not retry — the user must manually retry from the login screen to avoid an infinite loop.