---
# nuzlocke-tracker-b311
title: Backend auth middleware and JWT verification
status: todo
type: task
priority: normal
created_at: 2026-03-20T15:28:13Z
updated_at: 2026-03-20T15:28:33Z
parent: nuzlocke-tracker-d98o
blocked_by:
  - nuzlocke-tracker-2561
---

Add Supabase JWT verification to the FastAPI backend. Create a reusable dependency that extracts and validates the Bearer token, resolves the current user, and provides it to endpoints. Protect all write endpoints (POST/PUT/DELETE) while leaving read endpoints open.

## Checklist

- [ ] Add python-jose[cryptography] or PyJWT dependency
- [ ] Create auth dependency that extracts Bearer token from Authorization header
- [ ] Verify JWT against Supabase JWT secret
- [ ] Create `get_current_user` dependency (returns User or None)
- [ ] Create `require_auth` dependency (raises 401 if not authenticated)
- [ ] Apply `require_auth` to all write endpoints (POST, PUT, DELETE)
- [ ] Add tests for auth middleware (valid token, expired token, missing token)
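Added example, not part of this task or the project's code: a stdlib-only sketch of the `get_current_user` / `require_auth` split, spelling out the checks the library call has to perform on a Supabase user token (pinned HS256 algorithm, constant-time HMAC compare, `exp`, `aud`, `sub`). The secret value, the `AuthError` stand-in for FastAPI's `HTTPException` and `make_token` (a test-fixture helper; real tokens come from Supabase Auth) are assumptions; in the real dependency the body of `verify_supabase_jwt` is what PyJWT's `jwt.decode(token, secret, algorithms=["HS256"], audience="authenticated")` does.

```python
import base64, hashlib, hmac, json, time
from typing import NamedTuple, Optional

SUPABASE_JWT_SECRET = "constructed-sample-secret"  # assumption: the project's Supabase JWT secret
EXPECTED_AUD = "authenticated"  # Supabase's default audience claim for user tokens
User = NamedTuple("User", [("id", str), ("email", Optional[str])])

class AuthError(Exception):  # stand-in for FastAPI's HTTPException(status_code=401)
    status_code = 401
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_supabase_jwt(token: str, secret: str = SUPABASE_JWT_SECRET) -> dict:
    """Return the claims of a valid HS256 token; raise AuthError for anything else."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(_b64url_decode(h_b64)), json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise AuthError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's alg
        raise AuthError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise AuthError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= int(time.time()):
        raise AuthError("token expired or missing exp")
    if claims.get("aud") != EXPECTED_AUD or not claims.get("sub"):
        raise AuthError("wrong audience or missing subject")
    return claims

def get_current_user(authorization: Optional[str]) -> Optional[User]:
    """Read-endpoint dependency: no Bearer token -> None; an invalid token still raises."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    claims = verify_supabase_jwt(authorization[len("Bearer "):])
    return User(id=claims["sub"], email=claims.get("email"))

def require_auth(authorization: Optional[str]) -> User:
    user = get_current_user(authorization)
    if user is None:
        raise AuthError("authentication required")  # write endpoints refuse anonymous callers
    return user

def make_token(claims: dict, secret: str = SUPABASE_JWT_SECRET, alg: str = "HS256") -> str:
    h, p = (_b64url_encode(json.dumps(x).encode()) for x in ({"alg": alg, "typ": "JWT"}, claims))
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

In FastAPI the two dependencies would read the header via `Header(None, alias="Authorization")` and raise `HTTPException(status_code=401)` instead of `AuthError`.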