That is a good question. This is a risk I am not sure how to solve without making the flow complex, because Apple provides Device Attestation, i.e. proving that a request came from a real, untampered app on a real, untampered iOS device. But I am wondering if it's worth it, because security is not very important: at the end it's just exercise points and it's anonymous, i.e. based on username, so there is nothing for bad actors to gain other than getting on top of the leaderboard or creating new fake accounts, I guess. Device Attestation seems quite complex to implement at this stage, where I only have 50 daily users of my app. Would love to know if there's a simple way to at least not let people abuse the API if they find out?