supabase · 7ttp · Dec 11, 2025
@@ -3394,7 +3394,40 @@ export default class GoTrueClient {
   /**
    * {@see GoTrueMFAApi#getAuthenticatorAssuranceLevel}
    */
-  private async _getAuthenticatorAssuranceLevel(): Promise<AuthMFAGetAuthenticatorAssuranceLevelResponse> {
+  private async _getAuthenticatorAssuranceLevel(
+    jwt?: string
+  ): Promise<AuthMFAGetAuthenticatorAssuranceLevelResponse> {
+    if (jwt) {
+      const { payload } = decodeJWT(jwt)
+
+      let currentLevel: AuthenticatorAssuranceLevels | null = null
+      if (payload.aal) {
+        currentLevel = payload.aal
+      }
+
+      let nextLevel: AuthenticatorAssuranceLevels | null = currentLevel
+
+      const {
+        data: { user },
+        error: userError,
+      } = await this.getUser(jwt)
+
+      if (userError) {
+        return this._returnResult({ data: null, error: userError })
+      }
+
+      const verifiedFactors =
+        user?.factors?.filter((factor: Factor) => factor.status === 'verified') ?? []
+
+      if (verifiedFactors.length > 0) {
+        nextLevel = 'aal2'
+      }
+
+      const currentAuthenticationMethods = payload.amr || []
+
+      return { data: { currentLevel, nextLevel, currentAuthenticationMethods }, error: null }
+    }
+
     const {
       data: { session },
       error: sessionError,

@@ -1234,8 +1234,11 @@ export interface GoTrueMFAApi {
    * and rarely uses the network. You can use this to check whether the current
    * user needs to be shown a screen to verify their MFA factors.
    *
+   * @param jwt Takes in an optional access token JWT. If no JWT is provided, the JWT from the current session is used.
    */
-  getAuthenticatorAssuranceLevel(): Promise<AuthMFAGetAuthenticatorAssuranceLevelResponse>
+  getAuthenticatorAssuranceLevel(
+    jwt?: string
+  ): Promise<AuthMFAGetAuthenticatorAssuranceLevelResponse>
 
   // namespace for the webauthn methods
   webauthn: WebAuthnApi