Supabase CLI

CLI configuration

A supabase/config.toml file is generated after running supabase init.

You can edit this file to change the settings for your locally running project. After you make changes, you will need to restart using supabase stop and then supabase start for the changes to take effect.

General Config

project_id

NameDefaultRequired
project_idNonetrue

Description

A string used to distinguish different Supabase projects on the same host. Defaults to the working directory name when running supabase init.

Auth Config

auth.enabled

NameDefaultRequired
auth.enabledtruefalse

Description

Enable the local GoTrue service.

auth.site_url

NameDefaultRequired
auth.site_url"http://localhost:3000"false

Description

The base URL of your website. Used as an allow-list for redirects and for constructing URLs used in emails.

auth.additional_redirect_urls

NameDefaultRequired
auth.additional_redirect_urls["https://localhost:3000"]false

Description

A list of exact URLs that auth providers are permitted to redirect to post authentication.

auth.jwt_expiry

NameDefaultRequired
auth.jwt_expiry3600false

Description

How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 seconds (one week).

auth.enable_refresh_token_rotation

NameDefaultRequired
auth.enable_refresh_token_rotationtruefalse

Description

If disabled, the refresh token will never expire.

auth.refresh_token_reuse_interval

NameDefaultRequired
auth.refresh_token_reuse_interval10false

Description

Allows refresh tokens to be reused after expiry, up to the specified interval in seconds. Requires enable_refresh_token_rotation = true.

auth.enable_signup

NameDefaultRequired
auth.enable_signuptruefalse

Description

Allow/disallow new user signups to your project.

auth.enable_anonymous_sign_ins

NameDefaultRequired
auth.enable_anonymous_sign_insfalsefalse

Description

Allow/disallow anonymous sign-ins to your project.

auth.email.enable_signup

NameDefaultRequired
auth.email.enable_signuptruefalse

Description

Allow/disallow new user signups via email to your project.

auth.email.double_confirm_changes

NameDefaultRequired
auth.email.double_confirm_changestruefalse

Description

If enabled, a user will be required to confirm any email change on both the old, and new email addresses. If disabled, only the new email is required to confirm.

auth.email.enable_confirmations

NameDefaultRequired
auth.email.enable_confirmationsfalsefalse

Description

If enabled, users need to confirm their email address before signing in.

auth.email.template.<type>.subject

NameDefaultRequired
auth.email.template.type.subjectNonefalse

Description

The full list of email template types are:

  • invite
  • confirmation
  • recovery
  • magic_link
  • email_change

auth.email.template.<type>.content_path

NameDefaultRequired
auth.email.template.type.content_pathNonefalse

Description

The full list of email template types are:

  • invite
  • confirmation
  • recovery
  • magic_link
  • email_change

auth.sms.enable_signup

NameDefaultRequired
auth.sms.enable_signuptruefalse

Description

Allow/disallow new user signups via SMS to your project.

auth.sms.enable_confirmations

NameDefaultRequired
auth.sms.enable_confirmationsfalsefalse

Description

If enabled, users need to confirm their phone number before signing in.

auth.sms.test_otp

NameDefaultRequired
auth.sms.test_otpNonefalse

Description

Use pre-defined map of phone number to OTP for testing.

Usage

1[auth.sms.test_otp]
24152127777 = "123456"

auth.sms.<provider>.enabled

NameDefaultRequired
auth.sms.provider.enabledfalsefalse

Description

Use an external SMS provider. The full list of providers are:

  • twilio
  • twilio_verify
  • messagebird
  • textlocal
  • vonage

auth.sms.<twilio|twilio_verify>.account_sid

NameDefaultRequired
auth.sms.twilio.account_sidNonetrue

Description

Twilio Account SID

auth.sms.<twilio|twilio_verify>.message_service_sid

NameDefaultRequired
auth.sms.twilio.message_service_sidNonetrue

Description

Twilio Message Service SID

auth.sms.<twilio|twilio_verify>.auth_token

NameDefaultRequired
auth.sms.twilio.auth_tokenenv(SUPABASE_AUTH_SMS_TWILIO_AUTH_TOKEN)true

Description

Twilio Auth Token

DO NOT commit your Twilio auth token to git. Use environment variable substitution instead.

auth.sms.messagebird.originator

NameDefaultRequired
auth.sms.messagebird.originatorNonetrue

Description

MessageBird Originator

auth.sms.messagebird.access_key

NameDefaultRequired
auth.sms.messagebird.access_keyenv(SUPABASE_AUTH_SMS_MESSAGEBIRD_ACCESS_KEY)true

Description

MessageBird Access Key

DO NOT commit your MessageBird access key to git. Use environment variable substitution instead.

auth.sms.textlocal.sender

NameDefaultRequired
auth.sms.textlocal.senderNonetrue

Description

TextLocal Sender

auth.sms.textlocal.api_key

NameDefaultRequired
auth.sms.textlocal.api_keyenv(SUPABASE_AUTH_SMS_TEXTLOCAL_API_KEY)true

Description

TextLocal API Key

DO NOT commit your TextLocal API key to git. Use environment variable substitution instead.

auth.sms.vonage.from

NameDefaultRequired
auth.sms.vonage.fromNonetrue

Description

Vonage From

auth.sms.vonage.api_key

NameDefaultRequired
auth.sms.vonage.api_keyNonetrue

Description

Vonage API Key

auth.sms.vonage.api_secret

NameDefaultRequired
auth.sms.vonage.api_secretenv(SUPABASE_AUTH_SMS_VONAGE_API_SECRET)true

Description

Vonage API Secret

DO NOT commit your Vonage API secret to git. Use environment variable substitution instead.

auth.external.<provider>.enabled

NameDefaultRequired
auth.external.provider.enabledfalsefalse

Description

Use an external OAuth provider. The full list of providers are:

  • apple
  • azure
  • bitbucket
  • discord
  • facebook
  • github
  • gitlab
  • google
  • kakao
  • keycloak
  • linkedin
  • notion
  • twitch
  • twitter
  • slack
  • spotify
  • workos
  • zoom

auth.external.<provider>.client_id

NameDefaultRequired
auth.external.provider.client_idNonetrue

Description

Client ID for the external OAuth provider.

auth.external.<provider>.secret

NameDefaultRequired
auth.external.provider.secretenv(SUPABASE_AUTH_EXTERNAL_<PROVIDER>_SECRET)true

Description

Client secret for the external OAuth provider.

DO NOT commit your OAuth provider secret to git. Use environment variable substitution instead.

auth.external.<provider>.url

NameDefaultRequired
auth.external.provider.urlNonefalse

Description

The base URL used for constructing the URLs to request authorization and access tokens. Used by gitlab and keycloak. For gitlab it defaults to https://gitlab.com. For keycloak you need to set this to your instance, for example: https://keycloak.example.com/realms/myrealm .

auth.external.<provider>.redirect_uri

NameDefaultRequired
auth.external.provider.redirect_uriNonefalse

Description

The URI a OAuth2 provider will redirect to with the code and state values.

API Config

api.enabled

NameDefaultRequired
api.enabledtruefalse

Description

Enable the local PostgREST service.

api.port

NameDefaultRequired
api.port54321false

Description

Port to use for the API URL.

Usage

1[api]
2port = 54321

api.schemas

NameDefaultRequired
api.schemas["public", "storage", "graphql_public"]false

Description

Schemas to expose in your API. Tables, views and functions in this schema will get API endpoints. public and storage are always included.

api.extra_search_path

NameDefaultRequired
api.extra_search_path["public", "extensions"]false

Description

Extra schemas to add to the search_path of every request. public is always included.

api.max_rows

NameDefaultRequired
api.max_rows1000false

Description

The maximum number of rows returned from a view, table, or stored procedure. Limits payload size for accidental or malicious requests.

Database Config

db.port

NameDefaultRequired
db.port54322false

Description

Port to use for the local database URL.

db.shadow_port

NameDefaultRequired
db.shadow_port54320false

Description

Port to use for the local shadow database.

See also

    db.major_version

    NameDefaultRequired
    db.major_version15false

    Description

    The database major version to use. This has to be the same as your remote database's. Run SHOW server_version; on the remote database to check.

    db.pooler.enabled

    NameDefaultRequired
    db.pooler.enabledfalsefalse

    Description

    Enable the local PgBouncer service.

    db.pooler.port

    NameDefaultRequired
    db.pooler.port54329false

    Description

    Port to use for the local connection pooler.

    db.pooler.pool_mode

    NameDefaultRequired
    db.pooler.pool_mode"transaction"false

    Description

    Specifies when a server connection can be reused by other clients. Configure one of the supported pooler modes: transaction, session.

    db.pooler.default_pool_size

    NameDefaultRequired
    db.pooler.default_pool_size20false

    Description

    How many server connections to allow per user/database pair.

    db.pooler.max_client_conn

    NameDefaultRequired
    db.pooler.max_client_conn100false

    Description

    Maximum number of client connections allowed.

    Dashboard Config

    studio.enabled

    NameDefaultRequired
    studio.enabledtruefalse

    Description

    Enable the local Supabase Studio dashboard.

    See also

      studio.port

      NameDefaultRequired
      studio.port54323false

      Description

      Port to use for Supabase Studio.

      See also

        studio.api_url

        NameDefaultRequired
        studio.api_url"http://localhost"false

        Description

        External URL of the API server that frontend connects to.

        See also

          Realtime Config

          realtime.enabled

          NameDefaultRequired
          realtime.enabledtruefalse

          Description

          Enable the local Realtime service.

          See also

            realtime.ip_version

            NameDefaultRequired
            realtime.ip_version"IPv6"false

            Description

            Bind realtime via either IPv4 or IPv6. (default: IPv6)

            See also

              Storage Config

              storage.enabled

              NameDefaultRequired
              storage.enabledtruefalse

              Description

              Enable the local Storage service.

              storage.file_size_limit

              NameDefaultRequired
              storage.file_size_limit"50MiB"false

              Description

              The maximum file size allowed (e.g. "5MB", "500KB").

              Edge-Functions Config

              functions.<function_name>.verify_jwt

              NameDefaultRequired
              functions.function_name.verify_jwttruefalse

              Description

              By default, when you deploy your Edge Functions or serve them locally, it will reject requests without a valid JWT in the Authorization header. Setting this configuration changes the default behavior.

              Note that the --no-verify-jwt flag overrides this configuration.

              functions.<function_name>.import_map

              NameDefaultRequired
              functions.function_name.import_mapNonefalse

              Description

              Specify the Deno import map file to use for the Function.

              Note that the --import-map flag overrides this configuration.

              Analytics Config

              analytics.enabled

              NameDefaultRequired
              analytics.enabledfalsefalse

              Description

              Enable the local Logflare service.

              analytics.port

              NameDefaultRequired
              analytics.port54327false

              Description

              Port to the local Logflare service.

              See also

                analytics.vector_port

                NameDefaultRequired
                analytics.vector_port54328false

                Description

                Port to the local syslog ingest service.

                See also

                  analytics.backend

                  NameDefaultRequired
                  analytics.backend"postgres"false

                  Description

                  Configure one of the supported backends:

                  • postgres
                  • bigquery

                  Local Development Config

                  inbucket.enabled

                  NameDefaultRequired
                  inbucket.enabledtruefalse

                  Description

                  Enable the local InBucket service.

                  inbucket.port

                  NameDefaultRequired
                  inbucket.porttruefalse

                  Description

                  Port to use for the email testing server web interface.

                  Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

                  inbucket.smtp_port

                  NameDefaultRequired
                  inbucket.smtp_port54325false

                  Description

                  Port to use for the email testing server SMTP port.

                  Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

                  If set, you can access the SMTP server from this port.

                  inbucket.pop3_port

                  NameDefaultRequired
                  inbucket.pop3_port54326false

                  Description

                  Port to use for the email testing server POP3 port.

                  Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

                  If set, you can access the POP3 server from this port.