This is pretty much my first crack at this. I'm sure things could be improved or done differently.
JWTs are at the heart of Supabase authorization, but sometimes we wanna build an app that also gives users access via API keys, or perhaps exclusively via API keys. As you may know, using JWTs as API keys makes them difficult to revoke and therefore a security issue.
We also want to ensure this doesn't significantly add to RLS policies, if at all.
Finally, we'd love to have this handled by Supabase and do as little as possible in our framework. This simplifies our code and reduces third-party libraries.