Supabase CLI 2.7.0 adds support for bundling Edge Functions with static files.

You can access bundled files via Deno's file-system APIs. Here's an example function that serves a PDF file.

Use cases#

• Use custom Wasm modules in your Edge Functions (check this guide for more details on how to write & use wasm modules in Edge Functions)
• Create paywalls for serving digital content like ebooks
• HTML email templates for sending emails using Edge Functions

How to configure#

You will need to add static files to the function's directory to bundle them. Then, in the supabase/config.toml file for the project, add these lines:

You can specify an array of files or use a glob pattern (eg: "./functions/email-templates/*.html")

Check the CLI configuration reference for more details: https://supabase.com/docs/guides/local-development/cli/config#functions.function_name.static_files

Note: This feature is currently not available with branching and will be added with the next stable release of the CLI.

If you're only using Transaction Mode on Connection Pooler port 6543 or already using Session Mode on port 5432 then no action is required.

On February 28, 2025, Supavisor (Supabase's Connection Pooler) is deprecating Session Mode on port 6543. After this date, port 6543 will only support Transaction Mode while port 5432 continues to support Session Mode.

We’re making this change because Session Mode is already available on port 5432 and this streamlines our connection pooler’s ports and their respective modes.

Required steps:

1. Update your application/database clients to use port 5432 for Session Mode.
2. In your project’s Database Settings (”Connection pooling configuration”), set “Pool Mode” to “Transaction” and click “Save” (please keep in mind that this will restart all your connections connected to the Pooler).

Please reach out to our support if you have any questions or concerns regarding this change.

UI Overhaul for Log Explorer log details#

https://github.com/user-attachments/assets/1f752ebc-a814-4f1c-845f-4659a0dc87d3

The changes here addresses some UX friction whereby depending on the query, the detail panel of the log would be hard to read. We've hence updated the log detail drawing to add better spacing, the option to expand rows, and also use our TimestampInfo tooltip in the UI as well!

PR: https://github.com/supabase/supabase/pull/31684

Link: https://supabase.com/dashboard/project/_/logs/explorer

Toggle for enabling connection via S3 protocol in Storage#

PR: https://github.com/supabase/supabase/pull/31209

Link: https://supabase.com/dashboard/project/_/settings/storage

Credit Balance Top Up#

It is now possible to top up your credit balance through your organization's billing settings. Read more about this in our discussions page here

PR: https://github.com/supabase/supabase/pull/32680

Link: https://supabase.green/dashboard/org/_/billing

Other bug fixes and improvements#

Auth

• Fix impersonation and searching users with single quotes (PR)

Advisors

• Add "Ask Assistant" CTA to advisor issues (PR)

SQL Editor

• Persist last selected database (PR)

Logs Explorer

• Add copy as CSV + JSON options (PR)

Edge Functions

• A number of general improvements (more details in the PR) (PR)

Cron

• Add last and next run for cron jobs (PR)

It is now possible to top up your credit balance through your organization's billing settings. On successful payment, an invoice will be issued and you'll be granted credits. Credits will be applied to future invoices only and are not refundable. The topped up credits do not expire.

This can be useful in many scenarios:

• Issues with recurring payments (i.e. due to Indian banking regulations)
• More control about how often your credit card gets charged
• Easier for some accounting departments
• Yearly upfront payments

If you run out of credits while you are still on a paid plan, your credit card will be charged as usual.

If you are interested in larger (>$1,000) credit packages, please reach out.

If you are using our TypeScript SDK with automatically generated types, you are in for a treat. Starting version 2.47.12, our @supabase/supabase-js SDK will correctly validate all query filter values in eq, neq and in methods. Including not only primitives, but enums as well. In both tables, views, and arbitrarily-nested relations.

When using enums, LSP auto-completion also works out-of-the-box now.

Want to start using them? See our guides for how to get started: https://supabase.com/docs/guides/api/rest/generating-types https://supabase.com/docs/reference/javascript/typescript-support

Some organizations require using all modules from a private NPM registry for security and compliance reasons. Edge Functions now supports configuring a private registry to load all NPM modules using the NPM_CONFIG_REGISTRY environment variable.

You can define a private registry in the project's .env file or directly specify it when running the deploy command:

You will need Supabase CLI version 2.2.8 or higher to use this feature.

Note that Edge Functions also supports importing private NPM packages (which can be published on any registry).

Check the Managing dependencies guide to learn more about how to configure and use external dependencies in your Edge Functions.

Improved mobile navigation for the dashboard#

https://github.com/user-attachments/assets/a2e1c815-6d65-486f-ae77-1d5993377c40

We've heard many feedback around mobile support for the dashboard and we're taking the first step towards supporting that 📱🙂 While this PR doesn't completely optimize the mobile UX for the dashboard, navigating around the dashboard on mobile is now supported! We'll definitely be looking into optimizing other parts of the dashboard for mobile use so stay tuned! 😉

PR: https://github.com/supabase/supabase/pull/31080

Link: https://supabase.com/dashboard

Inline completions via Assistant in SQL Editor#

In hopes to make the Assistant's UX more seamless while in the SQL editor, we've added support for adjusting your SQL snippets inline while in the SQL editor without having to open the Assistant panel. Highlight the section that you'd like to edit, and hit CMD / CTRL + K to pop open the inline prompt 💬 Less clicking, more typing!

PR: https://github.com/supabase/supabase/pull/30706

Link: https://supabase.com/dashboard/project/_/sql/new

Improve date time editing in Table Editor Grid#

We've also seen a couple of feedback around supporting copying and pasting raw date time values from the Table Editor. We've previously been using the browser native date time input field which we've realised have been less than optimal for the following reasons:

• Adjusting the value typically takes several clicks which can feel frustrating
• The precision of time values in JS does not match the precision of time values in Postgres
• The UX varies a lot across browsers since each browser has their own implementation of the native date time input

As such we've decided to move towards supporting editing your raw values for date, timestamp, and timestamptz type fields, with a helper tooltip to show the time formatted in UTC and your relative timezone. This UX also allows us to support setting values to NULL which we struggled to do so gracefully with native browser date time inputs. Hope this helps make editing your data via the Table Editor easier 🙏🙂 More screenshots available in the attached PR below!

PR: https://github.com/supabase/supabase/pull/31121

Link: https://supabase.com/dashboard/project/_/editor

Support for bulk delete users#

Also another feature that we've heard many requests for - you can now delete your users in bulk! Select the users that you'd like via the checkboxes and a button will appear to allow you to delete them all. There is, however, a temporary limitation that you may only delete up to 20 users at once, but we'll be looking into lifting this limitation eventually 🙂

PR: https://github.com/supabase/supabase/pull/31271

Link: https://supabase.com/dashboard/project/_/auth/users

Other bug fixes and improvements#

General

• Add ability for Assistant to retrieve database functions within a schema (PR)
• Limit local storage memory to 20 chat messages for Assistant (PR)
• Support scrolling up in chat while a new response is being streamed (PR)
• Adjust warnings for destructive prompts via the Assistant (PR)
• Assistant to adhere to Supabase Linter rules when generating responses (PR)

Table Editor

• Add dropdown menu item to copy table name (PR)

Launch Week 13 has wrapped up and it's now the holiday season! 🎄🎁 If you might have missed our launches last week - fret not! We've got you covered with a brief summary of the changes that landed in the dashboard right here 🙂

Dashboard Integrations#

You should have noticed by now, but we've added a new Integrations page where you can easily manage all things related to your database that may not necessarily be directly about your database. This allows us to consolidate some features that were in slightly odd places such as the GraphiQL IDE or Database Webhooks, and also provide UIs that are specific to certain database extension(s) such as Vault, or the newly added Queues and Crons (more on that below!). Database Wrappers have also been shifted here as well, and we hope that this shift will help make finding things around the dashboard easier for everyone 🙂🙏

Link: https://supabase.com/dashboard/project/_/integrations

PR: https://github.com/supabase/supabase/pull/30476

AI Assistant V2#

We've always had the AI assistant sprinkled around the dashboard in the SQL Editor, and RLS Editor. Today we're making it accessible from anywhere in the dashboard, spiced with several new abilities to go along with 🎁 Read more about this in our blog post and learn how you can leverage the assistant to get more done, and quicker! 😄

Blog Post: https://supabase.com/blog/supabase-ai-assistant-v2

Link: https://supabase.com/project/_

PR: https://github.com/supabase/supabase/pull/30523

Cron#

Create recurring jobs to run SQL snippets, or call database functions, Supabase Edge Functions, and even remote webhooks with our new Postgres Module, Cron! Supabase Cron is built on the powerful pg_cron extension by the team at Citus Data, and we appreciate the Citus Data for generously licensing their extension with the OSI-compatible PostgreSQL license, allowing us to support existing tools wherever possible. 💪🏻

Blog Post: https://supabase.com/blog/supabase-cron

Link: https://supabase.com/dashboard/project/_/integrations

PR: https://github.com/supabase/supabase/pull/29291

Queues#

Process and manage asynchronous tasks with Supabase Queues! This is a Postgres-native, durable Message Queue with guaranteed delivery, improving the scalability and resiliency of your applications, and it's designed to work seamlessly with the entire Supabase platform. Similarly to Cron, Supabase Queues is built on the pgmq extension by the team at Tembo, and we appreciate the Tembo team for licensing their extension with OSI-compatible PostgreSQL license as well! 🙏

Blog Post: https://supabase.com/blog/supabase-queues

Link: https://supabase.com/dashboard/project/_/integrations

PR: https://github.com/supabase/supabase/pull/30300

Restore to a new project#

You can now copy data easily from an existing Supabase project to an entirely new and independent one! This has been a well requested functionality and we're happy to share that it's finally possible to do so via the dashboard 🙂 Read more about this in our blog post, or in our documentation 🙏

Blog Post: https://supabase.com/blog/restore-to-a-new-project

Docs: https://supabase.com/docs/guides/platform/backups#restore-to-a-new-project

Link: https://supabase.com/dashboard/project/_/database/backups/restore-to-new-project

PR: https://github.com/supabase/supabase/pull/30325

Other bug fixes and improvements#

Table Editor

• Fix rendering of OID cell types causing a client crash (PR)

Dear Users,

Slack has deprecated their existing v1 API and will fully sunset the API over the next two years. This means that Slack Applications using the v1 Slack (Deprecated) provider will stop functioning if no action is taken. In turn, Supabase Auth users using the Slack (Deprecated) provider will also not be able to sign in via the Slack OAuth provider if no action is taken.

We’ve introduced a new replacement OAuth provider named “Slack (OIDC)” which supports the latest Slack API and will send out an email to affected users next week with instructions on how to migrate.

To migrate your authentication system, you'll need to:

1. Create a new Slack Application in your Slack dashboard
2. Update your credentials in the Supabase Dashboard by switching from the deprecated Slack (Deprecated) provider to the new Slack (OIDC) provider. You can find the provider in your project under Authentication > Providers > Slack (Deprecated)
3. Update your code to use the new provider in all OAuth calls, like this:

4. If you are using the Supabase CLI , you will also need to update your config.toml to use [auth.external.slack_oidc] in place of [auth.external.slack_oidc]. See the local development docs for a detailed example.

Refer to our documentation for further details

Further configuration of the deprecated Slack provider will not be possible past 15th Jan 2025 as we will remove Slack provider from the dashboard then. If you need more time to access the configuration page , reach out to us via a support ticket.

Slack will terminate support for Legacy bots and Classic Apps on March 31, 2025 and March 31, 2026 respectively.

Please reach out via support or on the thread if there are any questions or concerns.

Introduction#

We are removing app.settings.jwt_secret from the postgres database on 2024/11/22.

This setting has previously been available through our PostgREST integration, and could be accessed using current_setting('app.settings.jwt_secret') in SQL.

Why are we doing this?#

The jwt_secret can be used to mint new, custom JWTs and is security sensitive. Supabase limits access to the jwt_secret , through both the dashboard and API, to specific roles (owner, admin and developer). Allowing access to this setting directly in the database can allow bypassing of these restrictions.

What do you need to do?#

If you need the jwt_secret, it can be retrieved through the Supabase dashboard.

If you are using the app.settings.jwt_secret in SQL, you will need to update your function to retrieve this value from Vault.

Also, please consult the changelog entry for Asymmetric Keys to understand the coming changes to jwt_secret and how keys at Supabase are changing.

Table Editor Performance Improvements#

We've set aside some time to look into improving the performance of the Table Editor over the past few weeks, in particular shortening both perceived and actual loading times as you navigate around the Table Editor. This all comes together in several PRs as we explored from 2 angles:

• Optimizing the queries that are firing behind the scenes by removing redundant sections + minimise waterfall requests
• Introducing prefetching behaviours as your mouse cursor goes through the list of tables to have the tables' contents ready by the time you open it in the UI

Performance improvements have always been a consistent topic with the team, and we don't intend to stop here! Hopefully these changes will make it smoother and faster for you to build your project with the dashboard and as always let us know any feedback! 🙂🙏 Just a button away in the top right corner of the dashboard to get your thoughts heard 😄

PRs:

• Query optimizations Part 1: https://github.com/supabase/supabase/pull/30184
• Query optimizations Part 2: https://github.com/supabase/supabase/pull/30295
• Prefetching on the table editor: https://github.com/supabase/supabase/pull/29987
• Prefetching on the home page: https://github.com/supabase/supabase/pull/30317

Link: https://supabase.com/dashboard/project/_/editor

Other bug fixes and improvements#

Table Editor

• Simplified header when rows are selected (PR)
• Allow exporting of data on tables that are protected (PR)

Authentication

• Fixed provider "Enabled" state when viewing user details if user's provider is LinkedIn (PR)
• Sorting users on a column will shift users with NULL values on that column to the bottom (PR)
• Fix "Last signed in at" column showing up as "Waiting for verification" on subsequent pages as page is scrolled down (PR)

Storage

• Add ability to toggle image transformations from settings (PR)

🚀 Announcement: We’ve just released supabase-js version 2.46.2-rc.3, which resolves several type errors in the PostgREST client.

Notable issues resolved:#

• https://github.com/supabase/postgrest-js/issues/523
• https://github.com/supabase/supabase-js/issues/943
• https://github.com/supabase/postgrest-js/issues/450
• https://github.com/supabase/postgrest-js/issues/546
• https://github.com/supabase/supabase-js/issues/930

We’d love your feedback to ensure everything runs smoothly!

Important Notes:#

This update might require regenerating your database types. You can do this via the Supabase CLI (≥v1.207.8) or the dashboard. For instructions, check out our guide here.

Potential Issues#

This version introduces stricter alignment between runtime behavior and type inference. As a result, some types might appear "broken" but are actually being corrected.

The main changes to be aware of:

1. The result of an embedding now correctly infers a single object or an array based on the relationship.
2. The result of an object embedding now more accurately identifies whether the result can be null.

Before reporting a bug, please double-check that the inferred types are truly incorrect based on your query and database schema.

Bug Reporting:#

If your project is hosted on Supabase, please open a support ticket here and check "Allow Supabase Support to access your project temporarily." This will enable us to investigate your database types directly.

Alternatively, you can open an issue on GitHub. Please include:

1. The generated Database type used to instantiate the client (e.g., createClient<Database>(process.env.SUPABASE_URL, process.env.SUPABASE_ANON_KEY)). If possible a minimal SQL declaration resulting in such Database type.
2. The query where type inference failed (e.g., .from('which-table').select('which-query')).
3. Your TypeScript version (npx tsc -v).

From Supabase CLI version 1.215.0 or higher you can configure a custom entrypoint to your Edge Functions. This can be used to write Edge Functions in pure JavaScript instead of TypeScript.

Save your Function as a JavaScript file (eg: index.js) and then update the supabase/config.toml as follows:

You can use any .ts, .js, .tsx, .jsx or .mjs file as the entrypoint for a Function.

More details: https://supabase.com/docs/guides/functions/quickstart#not-using-typescript

Each Edge Function can now have its own deno.json or deno.jsonc file to manage dependencies. You will need to deploy your functions using Supabase CLI version v1.215.0 or above to make use of this feature.

How to use deno.json#

Create a deno.json in your function's folder:

You can now use aliased imports in your source code:

To test your function locally, run supabase functions serve. When you're ready, you can deploy it to hosted platform by running supabase functions deploy function-name

For more details, check the guide: https://supabase.com/docs/guides/functions/import-maps#using-denojson-recommended

Spam validation check now added to Auth templates#

We've now added a spam validation checker for your email templates in the Auth section of the dashboard! This is powered by SpamAssassin and is in hopes to assist you with writing email content in a way to avoid being marked as spam by email clients.

You will still be able to save your email templates regardless of whether you're using the built-in SMTP provider or a custom SMTP provider. However, we highly recommend fixing these warnings since they can affect email deliverability.

PR: https://github.com/supabase/supabase/pull/30188

Links: https://supabase.com/dashboard/project/_/auth/templates

Other improvements and bug fixes#

Authentication

• Hovering over auth logs for a user will show relative time info (PR)
• Allow sorting on last signed in at for users (PR)
• Allow selection of functions that return void for auth hooks (PR)
• Allow updating of SMS rate limit irregardless of SMS autoconfirm being enabled (PR)

Storage

• Fix developer roles not being able to update buckets (PR)

Database

• Fix create index "Select a table" combobox not using search input (PR)
• Support opening tables in table editor from the schema visualizer (PR)

Logs & Analytics

• Fix filters for log reports (PR)

Edge Functions now support importing NPM packages from private registries. You will need to deploy your functions using Supabase CLI version v1.207.9 or above to make use of this feature.

How to use packages from private registries#

Create a .npmrc file within supabase/functions. This will allow you to import the private packages into multiple functions. Alternatively, you can place the .npmrc file directly inside supabase/functions/function-name directory.

Add your registry details in the .npmrc file. Follow this guide to learn more about the syntax of npmrc files.

After that, you can import the package directly in your function code or add it to the import_map.json (https://supabase.com/docs/guides/functions/import-maps#using-import-maps).

To test your function locally, run supabase functions serve. When you're ready, you can deploy it to hosted platform by running supabase functions deploy function-name

Disk size usage section under organization settings#

We've added a new disk size section for paid plans to give a quick overview of each project under the organization and their respective disk sizes for better visibility over the corresponding charges. This is only an initial iteration for this UI, we do plan to add historical statistics and more to improve visibility and transparency over what you're using and what you're paying for 🙂

PR: https://github.com/supabase/supabase/pull/29862

Link: https://supabase.com/dashboard/org/_/usage

Bug fixes and other improvements#

Table Editor

• Fix views filtering in table editor for local dashboard (PR)
• Fix exporting a table that contains columns of enum array types to CSV (PR)

SQL Editor

• Fix snippets not loading for local dashboard (PR)

Authentication

• Support searching by properties when viewing a user's raw JSON (PR)

We improved the information architecture (IA) on our docs site.

Why?#

We’d outgrown the IA! As we added more features and guides, some sections grew to contain a miscellaneous collection of things that don’t belong together. They just had no better place to go.

With the new IA, it should be easier to find what you’re looking for.

Summary of changes#

• Two top-level menus, Build and Manage, to replace the old Build menu
• Build menu:
  • Local development / CLI is now primarily about local dev, CI/CD information has been moved to Deployment
  • Information on both Vercel and Supabase integrations now moved to Integrations section
  • New Deployment section covers everything needed to get your changes onto hosted Supabase (including branching, Terraform, CI/CD, and production checklists)
• Manage menu:
  • Platform management (formerly “Platform”) trimmed down to contain information about configuring your Supabase platform (including account management, project permissions, and billing)
  • New Monitoring and troubleshooting section contains troubleshooting guides and information on logging and telemetry

Improved users management UI#

One of our oldest pages on the dashboard has finally gotten an upgrade! 😄 We're taking the first steps towards a pattern of visualizing table data with a data grid, with the Auth users page being our first contender. Couple of stuff that we'd love to highlight that were improved and introduced:

Click on users to grab more details about them in a side panel (PR)#

Added a ban functionality within the danger zone at the bottom of the panel#

Search now also supports filtering for providers (PR)#

Columns can be sorted based on your preference (and will be persisted in local storage)#

https://github.com/user-attachments/assets/3f7890ca-04cf-4cb9-8046-63b3db9b6eb9

You can also now toggle column visibility, as well as apply sorts on columns#

View authentication logs of the user right from the panel (PR)#

These tooling should now allow you to customize the auth users view that best fits your workflow, and we definitely hope to keep making this better so as always, feel free to drop us any feedback good or bad, any bugs via the widget at the top right corner of the dashboard 🙂 We say this all the time and its a promise that we've kept - we look at every feedback that comes in 🤙

PR: https://github.com/supabase/supabase/pull/29105

Link: https://supabase.com/dashboard/project/_/auth/users

Timestamp helper for Logs Collections#

https://github.com/user-attachments/assets/80541e0a-4571-4193-ab9e-8d9af4b63d55

Hovering over the date/time string in the left most column of a row in any logs collection will now show a helper tooltip that will depict the time in 4 different formats: UTC, Local TZ, Relative time, and raw numerical timestamp. This will hopefully help with interpreting timestamps much easier and faster and alleviate any confusion around timezones! 🙂🕰️ We're also planning to use this pattern across the whole dashboard too wherever time data is involved 💪🏻

PR: https://github.com/supabase/supabase/pull/29530

Link: https://supabase.com/dashboard/project/_/logs/edge-logs

Other bug fixes and improvements#

General

• Added breakdown of security issues dropdown on project home page (PR)

Organization Settings

• Fixed tooltip not showing up for users with project scoped roles, to show which projects they have roles for (PR)

Table Editor

• Autofocus on search input when navigating to table editor (PR)
• Improved column type dropdown with searching for types (PR)
• Improved datetime editing in table editor grid + support for setting these column values to NULL (PR)

Edge Functions

• Added validations for adding/removing secrets on SUPABASE_ prefixed secrets (PR)

Reports

• Added database connections charts to database reports (PR)

Summary#

Returning XHTML responses from the Data APIs and Edge Functions is now only allowed if a Custom Domain is being used.

Additionally, you can now serve HTML and XHTML responses from the Storage service as well, if a Custom Domain is being used.

If your use-case requires serving these content types, you can continue to do so by using a Custom Domain add-on.

Affected projects have been notified in advance.

Background#

HTML responses (i.e. content-types that can be directly rendered by browsers) were historically disallowed for projects not using a custom domain, in order to prevent abuse on the shared domains used for provisioning Supabase projects. This change updates this behavior to process XHTML responses in the same manner, due to the same rationale.

These breaking changes are rolling out on October 15, 2024 and affects only organizations on the Enterprise plan that have implemented project permissions with members assigned the Developer role.

Supabase launched new granular access control for Enterprise organizations so that its members are given access to specific projects instead of the entire organization. You can check out our Launch Week 12 announcement to learn more.

We recently re-evaluated the access that the Developer role has and decided to implement changes to restrict them on a couple of resources to improve your project's security.

On October 15, 2024, we will turn off certain access that the Developer role currently has to your project's resources. The following table is to illustrate all of the breaking changes that will be going into effect:

You can learn more about our Platform Access Control here: https://supabase.com/docs/guides/platform/access-control.

If you have any questions or concerns please contact support.

Deployment of up to 5 read replicas now supported on larger compute sizes#

Previously, each project could only deploy up to 2 read replicas, but we're now raising this limit to 5 for projects on larger compute sizes (XL and above).

PR: https://github.com/supabase/supabase/pull/29250

Link: https://supabase.com/dashboard/project/_/settings/infrastructure

Catch queries that contains an update query without a where clause in SQL Editor#

Another effort to safeguard against running queries with unintended side effects - this time, we're checking for UPDATE queries without a WHERE clause - this check kicks in prior to running the query. We've also consolidated this warning with our existing warning against destructive operations to catch both cases if they exist in the same query.

PR: https://github.com/supabase/supabase/pull/28458

Link: https://supabase.com/dashboard/project/_/sql

Other bug fixes and improvements#

General

• Support querying a table via CMDK by opening the SQL editor (PR)
• Update Supabase Assistant with GPT 4o from 3.5 (PR)

Table Editor

• Improve pagination input field, by only navigating to page on Enter (PR)

SQL Editor

• Fix inability to share queries that are under favorites (PR)
• Fix moving snippets into folders (PR)

Storage Explorer

• Fix to prevent continuously retrying when a file of an invalid mime type is uploaded (PR)

Auth

• Support searching by UID (PR)
• Add confirmation modal when closing tab with unsaved changes on templates page (PR)
• Support adding/removing multiple redirect URLs (PR)

Database

• Fix index page crashing when creating an index on a table with no columns (PR)

Logs Explorer

• Layout shift and scroll fixes (PR)
• Prevent use of WITH, ILIKE or wildcards (PR)

The initial launch of Read Replicas allowed for up to two Read Replicas per project.

The limit for projects on XL compute add-ons and larger has now been raised to 5 Read Replicas per project.

Projects on compute add-ons smaller than XL are still allowed up to 2 Read Replicas per project.

As our user base has grown, we are taking steps to make sure we are able to continue to provide a safe, secure, robust free plan experience. To ensure that email-based auth continues to work for all users on Supabase, we're making changes if you're using the default email provider. This allows us to continue to offer our default provider in a more sustainable and resilient manner.

For maximum flexibility and control over your auth emails, we suggest one of the following:

• Use a custom SMTP provider instead
• Send emails through your own email provider using the email send hook

If you still want to use the default email provider, these are the changes being planned:

• Email template customization will be allowed and customized email templates will not be reverted to default.

• 26th September: If you do not have a custom SMTP server set up, emails can only be sent to email addresses in your project's organization. So for example, if your organization has the following members: [email protected], [email protected] and [email protected] , this means that email messages from Auth will only be sent to these addresses.

These measures are taken to prevent abuse to our shared SMTP service. In the future, we may consider increasing the email rate limits once we see a drop in abuse.

Frequently asked questions#

Why such a short notice?#

Supabase uses a third-party email sending provider that has mandated we reduce email abuse significantly or they will be forced to block all email sending. A tragedy of the commons.

Can't Supabase switch to a different email sending partner?#

Yes, but we would run into the same issues. All email sending services are required to monitor abuse and force their customers to follow the same rules.

Can't Supabase send emails on their own, without a third party?#

Not really. You can't just send email on the web today without investing a lot of money and time (unblocking port 25, keeping IP addresses out of spam lists, etc.). This is not our core competency and do not have plans to start doing this today.

How long does it take to set up a custom SMTP provider?#

Fortunately this is very easy. You can use any email sending service for this, really popular ones include:

• Resend
• AWS SES
• Postmark
• SendGrid
• Zepto Mail
• Brevo

All you need to do is create an account, verify your sending domain and finally input the SMTP username and password in the Auth settings page.

What if I turn off email confirmations, can I use it then?#

Currently this behavior is not supported and we'll be rolling out a fix for it during the first week of October.

Confirming email addresses is where most of the email message activity for a project originates. Turning it off can be a viable option for some projects that are still in the early testing, development or experimental phase.

Be aware that even if you turn off email confirmations the forgot password or reset password flows in your app continue to function. They also send messages, and starting 26th September those messages will be delivered only to the members of the Supabase organization that owns the project. All other end-users will get a message similar to "Email address not authorized." Effectively, the forgot password / reset password flow will be broken for your project.

What if I want just username + password authentication and using <username>@<fakedomain> instead?#

Please don't do this. Part of the reason why we were forced to lock down these changes is bounced emails, probably from use cases like this.

Official username + password support is going to be made available in the coming year, and until then:

• Use a real domain, that you control
• Send emails to that domain, so set up a receiving server

But the best thing to do is:

• Set up a Send Email Auth Hook that does nothing. You don't even need to use a server or an Edge Function. Just define a Postgres function that just does nothing.

I'm using the admin API to generate links, and not really sending using Supabase's default provider. Do I need to do anything?#

All projects using generate link via the admin API without custom SMTP have been patched to allow the behavior. We still strongly urge those customers to set up custom SMTP regardless.

Just because you're mostly using the admin API to generate links to send in custom email messages, doesn't mean that the Auth server is not configured to use Supabase's shared SMTP service. Your Auth API can be called from your frontend at any time, especially in edge cases such as to handle forgot password or other similar flows, which you may not be handling via the admin API.

Therefore we urge all customers that do use the admin API to set up a custom SMTP sending service regardless.

If you are not interested in setting this up, you can instruct the Auth server to ignore all emails (pretend it's sending them) by configuring a Send Email Auth Hook as a Postgres function that does nothing.

How can I disable the warning banner?#

You can disable the warning banner by setting up a custom SMTP provider , or, if your project doesn't use email at all, by disabling the email provider.

Updates#

20th September 2024#

Email template customization will be allowed and customized email templates will not be reverted to default.

Team has decided that restricting email template customization is not viable and a big breaking change. We may need to do go back to this in the future if abuse continues and our other measures like allowing projects to only send messages to authorized email addresses do not improve the situation. We continue to urge all customers regardless of plan that use the default SMTP service for live applications to move to a custom SMTP provider as soon as able.

• 20th September: Email template customization will no longer be possible without setting up a custom SMTP provider. Email templates already customized can still be customized until 24th September.

• 24th September: Projects without a custom SMTP provider will have their custom email templates returned back to the default ones from Supabase. This means that any auth emails sent out from your project will use the default email template.

Update (19th December 2024): Asymmetric Keys will not be released in Q4 2024 because it needs further development work. We will finalize the timeline and announce the updated timeline in Q1 2025.

Update (2nd October 2024): We have decided to push back the launch from 7th October 2024 to Q4 2024 to roll this out meticulously; we want to perform exhaustive security checks and spend more time dogfooding internally.

Asymmetric key changelog#

Introduction#

We are introducing asymmetric key cryptography to Supabase Auth in Q4 2024 on 7th October 2024. This will be provided as an additional option to the JWT secret currently shown in the JWT settings page.

Why are we doing this?#

Supabase Auth has always been using a symmetric secret (known as the JWT secret) for signing and verifying JWTs. While this is simple and convenient (since the same secret is used for both signing and verifying), it presents the following problems:

1. Extra network request required to verify the user’s JWT with the symmetric secret. Currently, one needs to make a request to Supabase Auth in order to verify the user’s JWT or copy the JWT secret into their environment. While the latter suggestion improves performance, it can result in security implications if the secret is accidentally leaked, which requires all your keys to be rolled.
2. Difficult to roll with zero downtime. Since the symmetric secret cannot be shared publicly, developers need to wrangle with rolling the secret across their environments while ensuring that the new secret is used.

Benefits of using asymmetric keys#

Asymmetric keys rely on public / private key cryptography, which means that the private key is only used for signing, while the public key is only used for verifying. This solves the above problems in the following way:

• Usage of asymmetric key cryptography rather than a shared symmetric secret for signing and verifying JWTs. Since asymmetric keys don’t use a shared secret, there is less risk of the secret being leaked.
• Faster JWT verification times since there’s no need to make a network call to Supabase Auth via getUser() . The public key can be used for verifying the JWT. Note that adding the symmetric secret to your server-side environment to verify the JWT also has the same effect but is potentially less secure since there is an increased risk of the secret being leaked if it is used in multiple applications.
• Zero-downtime key rotation. Public keys can be exposed in a JSON Web Key Set (JWKs) format, which allows any one of them to be used for verification. When the asymmetric key is rotated, we can still keep the previously used public key in the JWKs endpoint to verify existing JWTs. New JWTs will be signed by the new asymmetric key.

These will include the following changes:

• A public JWKs endpoint for retrieving the public JWK to verify JWTs. This will be exposed through the https://<project_ref>.supabase.co/auth/v1/.well-known/jwks.json endpoint. The symmetric secret will not be exposed through this endpoint for security reasons.
• A new method called getClaims() , which handles verifying the JWT and returning the claims in it.
• Ability to download the public keys in different formats through the dashboard (e.g. PEM, JWKs).

Migration to Asymmetric JWTs#

New projects that are created after 1st May 2025 will be created with an RSA asymmetric key by default. Existing projects can choose to start using asymmetric keys by doing the following:

1. Ensure that you are using the new API keys.
2. Update all your clients to use at least supabase-js version x.x.x (the version number will be updated closer to the release date). In this version, we are introducing a new method called getClaims which handles verifying both symmetric and asymmetric JWTs:

   • Example successful response payload for getClaims()

     
     

     _29

     {

     _29

     "data": {

     _29

     "iss": "https://projectref.supabase.co",

     _29

     "sub": "565dafb5-fd66-4274-9c37-f0ff720f5637",

     _29

     "aud": "authenticated",

     _29

     "exp": 1824717902,

     _29

     "iat": 1724717902,

     _29

     "email": "[email protected]",

     _29

     "phone": "",

     _29

     "app_metadata": {

     _29

     "provider": "email",

     _29

     "providers": ["email"]

     _29

     },

     _29

     "user_metadata": {

     _29

     ...

     _29

     },

     _29

     "role": "authenticated",

     _29

     "aal": "aal1",

     _29

     "amr": [

     _29

     {

     _29

     "method": "oauth",

     _29

     "timestamp": 1724717902

     _29

     }

     _29

     ],

     _29

     "session_id": "479c1cbf-bd52-42d4-894f-1519f39b3241",

     _29

     "is_anonymous": false

     _29

     },

     _29

     "error": null

     _29

     }

     
     

   • Using getClaims() to verify the JWT

     
     

     _13

     import { createClient } from 'supabase/supabase-js'

     _13

     _13

     const supabase = createClient(SUPABASE_URL, SUPABASE_KEY)

     _13

     _13

     // previously, using getUser() requires making an

     _13

     // additional network request to Supabase Auth to verify the JWT

     _13

     //

     _13

     // const { data, error } = await supabase.auth.getUser()

     _13

     _13

     // getClaims() will always return the JWT payload if the JWT is verified

     _13

     // If it's an asymmetric JWT, getClaims() will verify using the JWKs endpoint.

     _13

     // If it's a symmetric JWT, getClaims() calls getUser() to verify the JWT.

     _13

     const { data, error } = await supabase.auth.getClaims(jwks)

     
     
3. Create an asymmetric key through the dashboard. At this point the symmetric JWT moves to a Previously Used state. Existing JWTs signed with the symmetric JWT continue to be valid, but new JWTs are signed via the asymmetric JWT. Note: The UI mockup below is subjected to change and is just meant to illustrate the different possible states of a signing key.

4. After the JWT expiry period, you can safely revoke the “Previously Used” symmetric JWT, since new JWTs will now be signed with the asymmetric key.

Frequently Asked Questions#

• What do I need to do before I can start using asymmetric keys in Supabase Auth?
  • See migration section above for the detailed steps
• Can I create a symmetric key after I create an asymmetric key?
  • Yes. You will still be able to create a new symmetric key under the JWT settings page in the dashboard. New projects will be created with an asymmetric key by default on 1st May 2025.
• Will the private asymmetric key be exposed?
  • No. Only the public keys will be exposed in various formats (e.g. PEM, JWKs) since those are needed for verification.
• Will I be able to bring my own private key?
  • Yes, you can bring your own private key as long as it complies with the key types allowed.
• What key types can I use to create asymmetric JWTs?
  • By default, asymmetric keys will be created with RS256 by default. You can optionally choose to use ECC or Ed25519. ECC keys are more performant, but not as widely supported as RS256. You can also fallback to HS256 (symmetric keys).

Update (19th December 2024): Changes to Supabase API Keys will not be released in Q4 2024 because it needs further development work. We will finalize the timeline and announce the updated timeline in Q1 2025.

Introduction#

We’re changing the way API keys work in Supabase to improve your project’s security and developer experience and plan to roll out these changes Q4 2024. Rest assured that the current API keys in your existing projects will continue to work for another year until 1st October 2025 during the transition.

We’ll contact you when we launch the new API keys, and when we do, no immediate action is required. However, we strongly recommend that you migrate your project’s existing API keys for the new set when they are introduced. Updating to use the new API keys is a quick and painless process and can be as simple as a change in environment variable and take just a few minutes.

Timeline#

Update (2nd October 2024): We have decided to push back the launch from 7th October 2024 to Q4 2024 to roll this out meticulously; we want to perform exhaustive security checks and spend more time dogfooding internally.

Why are we doing this?#

Currently there is a tight coupling between API keys and the JWT secret which presents a few challenges:

1. Difficult to revoke the service_role or anon key. Imagine if someone in your Supabase organization leaves the team, and you want to roll your project’s JWT secret to revoke their access? Or you accidentally commit the service_role key into your version control system and need to roll it?

   If either of these keys gets leaked, the developer’s only option is to roll the JWT secret by generating a new one. When the JWT secret is rolled, all authenticated users would be logged out, clients using the older anon and service keys would break. Realistically, there is no way to roll the JWT secret without downtime.

2. Sub-optimal developer experience to create an API key with a custom role. Developer needs to sign a JWT with a long expiry time and their custom role using the secret.

The introduction of new API keys solves the above problems by allowing the developer to:

• roll individual API keys
• roll the API keys without logging out their users
• create custom API keys easily

API Key changes#

These are the planned changes for the API keys:

• anon key will be renamed to publishable key and the service_role key will be renamed to secret key. publishable api keys are meant to be used along with Supabase Auth users and secret api keys are for use from the server side and bypasses all row level security policies. We chose to use publishable and secret to align with stripe’s terminology and preferred it to terms like public and private since those could be confused with public / private key cryptography when we introduce asymmetric JWTs to Supabase Auth.

• New API keys will look like regular strings instead of JWTs:

  Legacy API Keys	Equivalent New API Keys
  anon key: eyJhbGciOiJIUzI1...FDsBGn0iqSmL28Zeg8f0	publishable key: sb_publishable_123abc
  service_role key: eyJhbGciOiJIUzI1...SEVEyZQNhffCoSj4P5A	secret key: sb_secret_123abc

• With the new API keys, it will be possible to revoke individual API keys and without revoking the JWT secret. Once the legacy API key is revoked, it won’t be possible to restore them.

• New projects will be created with both new and legacy API keys until 1st May 2025. New projects created after this date will only be created with new API keys.

• Projects that are restored after 1st May 2025 will not be restored with legacy API keys.

• Legacy API keys will no longer work for all projects after 1st October 2025.

Migration to the new API keys#

1. If you want to use the new API keys, all you need to do is to swap out your keys for the new ones:

2. Update your .env file to contain the new API key

3. Instantiate the supabase client with the new API Keys.

4. After all your clients have been instantiated with the new API keys, you can revoke the legacy keys from the dashboard.

Frequently Asked Questions#

• What is the timeline for the migration?
  • See "Timeline" section above
• My app is deployed through Vercel / Netlify, how do I use the new API keys?
  • If you’re using Vercel or Netlify, changing the keys in your environment will only be reflected when you trigger a new deployment.
• I only connect to the database via the connection string — do I need to worry about this at all?
  • No, unless you use the supabase client libraries to make queries to the database.
• How do we do custom claims?
  • Currently, users have to manually create a new key with their custom claims using the JWT secret provided.
  • There will be support for creating new API keys with custom properties in the dashboard and management API.
• What benefit do we get from migrating to use the new API keys?
  • You can revoke an individual key in the event of a compromise
  • You can revoke keys without logging out existing users
  • You don’t have to deal with minting a new JWT using the JWT secret if you want to add custom claims to an API key.
• What is the interaction between the apikey header, the Authorization header and the underlying Postgres role used?
  • The new API keys are just regular strings instead of JWTs.
  • By default, secret API keys assume the service_role. When creating the new secret API keys, you can override this behavior and assign a custom role. Downstream services like postgREST and storage assume this role when they are called with this API key.
  • By default, publishable API keys default to the anon role. When a user JWT is passed in via the Authorization header, the role claim in the JWT is used instead. You cannot map publishable keys to custom roles when creating the key, like you will be able to do with secret API keys.

Schema Visualizer nodes are now persisted#

This was yet another request that we've commonly heard from everyone and we're taking a first step to making this happen 😄 Position of the nodes will now be stored within local storage so that you won't have to re-position them each time you land on this page. We've also added a button to help arrange the nodes automatically if that might be preferred!

Note that if you add new tables to the schema however, the node positions will be defaulted to a certain position that may overlap with other nodes - we're definitely looking into how we can make that better so that new nodes can be easily identified (and then shifted around to your liking 🙂)

PR: https://github.com/supabase/supabase/pull/29136

Link: https://supabase.com/dashboard/project/_/schemas

Other improvements and bug fixes#

General

• Minor improvements to layouts and buttons to ensure their visibility on smaller screens (PR)
• Fix project status filter on home page to only show active projects if only the active checkbox is checked (PR)

Table Editor

• Fix client crash when creating an empty table with no columns (PR)
• Fix handling of of large JSON / text fields in the side panel text editor (PR)

SQL Editor

• Add client side validation for query size (max 1MB) (PR)
• Couple of fixes around adding a new folder with the same name as an existing one (PR)

Database

• Update Stripe Wrapper with more tables (PR)
• Remove docs button for database extensions that have no documentation yet (PR)

Supabase Edge Runtime version 1.57 is compatible with Deno 1.45.

Supabase's hosted platform was upgraded to use this release when serving Edge Functions starting last week.

If you're using Supabase CLI for local development latest stable release 1.192.5, it adds compatibility for Deno 1.45.

How do I find which version of Edge Runtime I'm running?#

Supabase CLI (local)#

When you run supabase functions serve, it should show the current version of Edge Runtime used (and its Deno compatibility)

Hosted Platform#

You can check the served_by field in log events to see which Edge Runtime version was used to serve your function.

We try our best to maintain backward compatibility in these upgrades. If you're experiencing any issues, please feel free to make a support request

Upgrade your organization directly from our pricing page#

https://github.com/user-attachments/assets/2262d816-0c69-4c58-a6e2-1ce4868122f2

Users who are logged in will now be able to select and upgrade their organization from the pricing page itself when clicking on the Upgrade to Pro / Team plan buttons. This is mainly to help streamline this process so that users can upgrade their existing organizations, and prevent confusions where users end up creating new paid organizations instead.

PR: https://github.com/supabase/supabase/pull/28942

Link: https://supabase.com/pricing

UI improvements around credit card billing information#

The selected payment method on the billing page is easily missed as you'll need to scroll down before finding it. In particular with outstanding invoices, it may not be obvious that the wrong card (or even expired card) might have been selected as the default. As such we now will

• Indicate which cards are about to expire (within the current month)
• Indicate which cards have expired
• Show the selected payment method, along with a quick link to change it on the invoices page

PR: https://github.com/supabase/supabase/pull/28971

Link: https://supabase.com/dashboard/org/_/billing

Set payment method as default when adding a new payment method#

When adding a new payment method, we have now added a checkbox to set the card as default which is toggled on by default. This should resolve a UX issue whereby customers needed to explicitly set the card as default in a separate manual step after adding it.

PR: https://github.com/supabase/supabase/pull/28921

Link: https://supabase.com/dashboard/org/_/billing

Choose which schemas to share with OpenAI#

This mainly applies to wherever the Supabase AI assistant is present in the dashboard (SQL Editor + RLS policies). You can now choose which schemas to share with OpenAI as opposed to sending information from all schemas in hopes to improve the output quality of the assistant by only sharing relevant information for your prompts to the assistant.

Do keep in mind that you'll need to opt in to sending anonymous data to OpenAI prior to doing this 🙂 You may also verify exactly what data is being sent here as well under "Important information regarding opting in"!

PR: https://github.com/supabase/supabase/pull/28594

Link: https://supabase.com/dashboard/project/_/sql/new

Other improvements and bug fixes#

General

• Show which is the last sign in method used on login page (PR)
• Added 3 new regions to spin up projects from: Ohio, Stockholm, Paris, and Zurich (PR)
• Commands added for cmd+k to search and open snippets in the SQL Editor (PR)
• Support pasting image (via Cmd/Ctrl + v) in the feedback widget (PR)
• Use expanding text area for RLS AI assistant for multi line prompts (PR)

Table Editor

• Save last selected schema, no longer defaults to public schema (PR)
• Set the correct schema in the schema selector when opening a table via URL directly (PR)
• Support exporting table data as SQL seed file (PR)
• Couple of fixes for bugs around composite foreign keys (PR)
• Improve display of estimated row count for the table if the table has > 50k rows, to emphasize that it's an estimated count (PR)
• Spreadsheet import now checks column types from imported spreadsheet (PR)

SQL Editor

• Fix folder name editing where clicking on the input field toggles the folder (PR)
• Support opening cell value via right click into a side panel for a more detailed view (PR)

Auth

• "With check" checkbox is toggled on by default for commands that involve a with check expression (PR)

Storage

• Support searching and sorting buckets (PR)

Logs Explorer

• Support copying cell content via context menu (PR)

The SQL Editor got an upgrade this week, finally letting you organize snippets into folders!

• Favourites and Shared snippets are in folders now
• Organize Private snippets in folders as you like
• Share snippets with your team as you could before

Link: https://supabase.com/dashboard/project/_/sql/new PR: https://github.com/supabase/supabase/pull/27881

Other bug fixes and improvements#

Project compute size badge

• See project compute details and upgrade right from the home screen (PR)

SQL Editor

• Update the SQL Editor AI Assistant model to the latest from OpenAI (PR)

tldr:

• No changes for Free Plan users
• Billing for paid plan organizations will be based on provisioned disk rather than used database space:
  • Each project starts with 8 GB disk provisioned by default.
  • The first 8 GB of provisioned disk per project is free, then $0.125 per additional GB.
  • Charges are prorated down to the hour, which is advantageous for short-lived projects and branches.
  • Provisioned disk from Read Replicas will also be included in billing.
  • Enables upcoming features for enhanced control over disk and Postgres parameters.

Timeline

This change will be rolled out to new customers on August 26th, 2024 and will be gradually rolled out to existing customers shortly after.

Changes

We are adjusting our pricing to offer more flexibility and self-serve for developers wanting to tune their disk and Postgres configuration. For example:

• Some developers want disks with higher throughput
• Some developers want to store more than 1GB of WAL (for tools like Airbyte/PeerDB, or adding more read replicas)

To make this available we will start billing for provisioned disk size (rather than database space used). Previously, costs associated with WAL files were not directly billed but also users could not control change max_wal_size (default is 1GB).

There is no action needed on your end. You will automatically be transitioned to the new billing model throughout the next couple of weeks. In case there is any change in your monthly bill, we will reach out to you proactively with additional information and give you a grace period to decrease your usage.

For customers on the Free Plan, there will be no changes; the total database space remains capped at 500MB. These adjustments only apply to customers on paid plans. The database disk will continue to autoscale when nearing capacity for paid plan customers.

Example 1: Pro plan org, active for whole month#

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

Billing

Example 2: Pro plan org, active for part of the month#

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

Billing

Where do I see my disk size?#

You can see your project’s disk size in your database settings (Project Settings > Database).

How can I resize my disk down?#

Your disk size is based on your database space usage. As a first step, you need to identify current database space usage and reduce it. To see your current database space usage, head over to the built-in “Database” project report. Once you have reduced your database space and want to reduce your provisioned disk, you can upgrade your Postgres version through your project settings to automatically rightsize your disk. For further information around disk management and reducing database space, please refer to our docs.

Is this going to affect my monthly bill?#

If your current disk size is >8GB, this is likely going to impact you. Note that this will be gradually rolled out and you will be notified about the concrete impact on your organization and given a 3-month grace period, which gives you time to right-size your disk and minimize the impact of this change.

Further to earlier discussions, the threshold for transitioning large databases to use physical backups for their daily backups is being lowered to 15GB in the next few days.

Physical backups are more performant, have lower impact on the db, and avoid holding locks for long periods of time. Restores continue to work as expected, but backups taken using this method can no longer be downloaded from the dashboard.

Over the next few months, we'll be introducing functionality to restore to a separate, new database, allowing for the perusal of the backed up data without disruption to the original project.

Please refer to supabase.com/docs/guides/platform/backups#daily-backups-process for additional details.

Currently, usage data on the invoice breakdown and organization usage page has a 24-hour delay. Starting from August 26th, the usage data will have no more of 1 hour delay for new customers. Afterwards, the changes will be rolled out to existing customer gradually. We're also working on additional improvements to provide better usage insights.

Additionally, we are revamping invoices to provide more detailed breakdowns of usage for enhanced transparency. Due to our new proration of project add-ons and storage down to the hour, you may notice slight variances in your monthly bill. For the majority of line items, you’ll see the project reference and usage on the invoice, which should make it clearer which project allocated the usage/costs.

A few examples:

Compute Hours is broken down per project and the compute credits ($10) is displayed as discount for the compute line item.

Egress is broken down to each project and displays included quota (250GB) and over-age pricing ($0.09/GB)

Realtime Messages line item shows package-based pricing with $2.50 per million.

Moving to hourly usage-based billing for IPv4, Custom Domain and Point-in-time recovery#

We’re moving to billing all project add-ons usage-based and prorated down to the hour at the end of your billing cycle. We're not altering the monthly prices.

Timeline#

This change will be rolled out to new customers on August 26th, 2024 and will be gradually rolled out to existing customers shortly after.

Changes#

Details#

We're updating how we bill project add-ons (IPv4, Point-in-time recovery, Custom Domain) without changing their monthly prices. This change will be rolled out on August 26th, 2024 for new customers and shortly after for existing customers.

Previously, when you added a project add-on, like IPv4 or PITR, you were immediately invoiced and charged for the remaining billing cycle period. At the start of a new cycle, you paid upfront for the entire month. If you removed an add-on mid-cycle, you received a credit for unused time.

Starting August 26th, you will be billed retrospectively for these add-ons, similar to Compute Hours. There are no more upfront charges, prorated invoices, or credits. You simply pay for the exact hours you use the project add-ons.

Plans (Pro/Team/Enterprise) are still charged upfront and there are no changes to how they are billed.

Hourly Billing for Storage#

We’re moving to more granular billing periods. We're not altering the prices or storage quotas. Every customer will benefit from this change, especially short-lived projects and customers using Branching.

Timeline#

This change will be rolled out to new customers on August 26th, 2024 and will be gradually rolled out to existing customers shortly after.

Changes#

The price will move to "GB per hour" instead of "Total storage GB":

Let's step through 2 scenarios to explain how this change will benefit developers:

Example 1: Pro Plan Org, active for the full month#

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage#

The projects are running for the entire month:

Billing#

After the billing changes on August 26th there would be no change in pricing:

Example 2: Pro Plan Org, active for part of the month#

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

In this scenario, some of the projects are only active for a few days in the month:

Billing

Currently we charge you for the full 4,200 GB, even though Project A and B weren’t active for the entire month. After August 26th, this scenario will be 22.87% cheaper:

Feedback#

This change should be universally beneficial, but if there is anything that we have missed just let us know and we will make sure we consider it before rolling out this change.

WebAssembly Foreign Data Wrapper (Wasm FDW) is now on public alpha from Wrappers version >= 0.4.1. This release also contains two new Wasm FDWs: Snowflake and Paddle.

What is Wasm FDW?#

In previous versions of Wrappers, all the foreign data wrappers need to be built into wrappers extension. The develop/test/release cycle is time consuming and fully on Supabase teams. To speed up this process and give more flexibility to community, we're adding Wasm to the Wrappers framework. With this new feature, users can build their own FDW using Wasm and use it instantly on Supabase platform.

Another benefit is because of the improved modularity, each FDW can be updated and loaded individually. New FDWs release will be quicker than before. Also, wrappers extension size won't be bloated as more FDWs added in.

What are the changes?#

There is no changes from end-users' perspective, all existing native FDWs are still same. The Wasm FDW only brings a new way of developing and distributing FDW.

How to use it?#

Visit Database -> Platform -> Wrappers on Supabase Studio, enable Wrappers and choose Snowflake or Paddle, then create foreign tables.

Visit Snowflake Wasm FDW docs or Paddle Wasm FDW docs for more details.

How to develop my own Wasm FDW?#

To build your own Wasm FDW, visit the example project to get started.

We have several updates and new features to share with you this month. Dive in to see what’s new from Supabase.

Edge Runtime Inspector Feature (CLI)#

We’ve introduced the Edge Runtime Inspector, a powerful new feature in the CLI that helps you inspect and debug edge functions more efficiently. Pull Request

View and Abort Running Queries (Supabase Studio)#

You can now view and abort queries currently running on your database (primary or replica) in the Supabase Studio SQL Editor. This feature gives you greater control and flexibility in managing your queries. Pull Request

Logging Integration With The ELK Stack#

The Logflare to Elastic filebeat backend has been merged. This integration enables log drains to ELK stacks, providing more robust logging and monitoring capabilities. Documentation

Interpreting Supabase Grafana I/O Charts#

We have published a guide on how to use the Supabase I/O charts to identify when you may need to scale your database, optimize your queries, or spin up a read replica. Github Discussion

Breaking Change to Supabase Platform Access Control#

On July 26, 2024, Supabase will be making breaking changes to our platform’s access control system. Developer and Read-Only roles will no longer have write access to an organization’s GitHub and Vercel integrations. These changes will not affect existing integrations that are in place. Github Discussion

Change to Retention of Paused Free Tier Projects#

Starting June 24, 2024, paused Free Tier projects are restorable for 90 days. There is a grace period where all paused projects will continue to be restorable until September 22, 2024. Github Discussion

Billing Improvements#

We’ve made significant improvements to our billing system to help you better understand compute pricing. These changes aim to prevent unexpected charges and provide clarity on “Compute Hours.” Github Discussion

Quick product announcements#

[Edge Functions] We’ve implemented some key updates to Edge Functions, including adding Deno 1.43 support [Github Discussion]

New Engineering and Troubleshooting Guides#

• How Postgres chooses which index to use
• Using SQLAlchemy with Supabase
• Supabase & Your Network: IPv4 and IPv6 compatibility
• Understanding the Usage Summary on the Dashboard
• Supavisor and Connection Terminology Explained
• Prisma Error Management
• How to change max database connections
• Inspecting edge function environment variables

Made with Supabase#

• Dribble - Flutter NBA name guess game available for iOS and Android [Website]
• EvalHub - an open-source platform for researchers to discover AI evaluation metrics [Website]
• SVGPS - Removes the burden of working with a cluster of SVG files by converting your icons into a single JSON file [Website]
• CleanCoffee - Lean coffee discussion utility where you can create boards and share with friends [Website]
• Rewritebar - Improve your writing in any macOS application with AI assistance. Quickly correct grammar mistakes, change writing styles or translate text [Website]

Community highlights#

• Building a Basic Social Network with Remix and Supabase [YouTube]
• Next Level Supabase Techniques For Your Production App! [YouTube]
• Building a Local-First React Native App with PowerSync and Supabase [YouTube]
• Build a Fullstack Job Portal App with Next.js 14, Tailwind, Supabase, Stripe, Clerk [YouTube]
• Generate Vector Tiles with PostGIS [Blog] [YouTube]

Supabase HTTP APIs are no longer using DigiCert as the root CA. This should have no impact on the vast majority of environments, as the other CAs in use are essentially universally trusted.

If your client environment only trusts certificates signed by DigiCert, you could be impacted. We're currently using Cloudflare to serve our HTTP APIs, and recommend ensuring that any client environment that only trusts a specific subset of CAs trusts all of the CAs Cloudflare uses.

In an effort to simplify pricing, we are going to remove usage-based billing for the number of Edge Functions in your projects. Instead, we are going for a bigger quota across all plans at no extra costs. We picked the limits to ensure all customers are benefiting from this change.

Free Plan customers can now create 25 instead of 10 functions without the need to upgrade to a paid Plan.

This change is effective immediately and in case you were previously exceeding the number of included functions on a paid Plan, you will no longer be charged for it.

These breaking changes are rolling out on July 26, 2024 and affects all organizations that have members assigned either the Developer or Read-Only roles.

All Supabase organizations invite users and assign them to one of the following roles as part of membership to an organization:

• Owner
• Administrator
• Developer
• Read-Only (available only on Team and Enterprise plans).

Depending on the role, members are authorized to access a specific set of the organization's resources, such as permission to create a new project or change the billing email.

We recently re-evaluated the access that the Developer and Read-Only roles have and decided to implement changes to restrict them on a couple of resources to improve your organizations' security.

On July 26, 2024, we will turn off certain access that the Developer and Read-Only roles currently have to your organization's resources. The following table is to illustrate the breaking changes that will be going into effect:

You can learn more about our Platform Access Control here: https://supabase.com/docs/guides/platform/access-control.

If you have any questions or concerns please contact support.

Option to use a dedicated api schema for your project#

By default, the public schema is used to generate API routes for your database. In some cases, it's better to use a custom schema - this is important if you use tools that generate tables in the public schema to prevent accidental exposure of your data.

The dashboard supports this workflow through 2 options: either at the project creation step under "Security Options", or in the project's API settings after your project has been created. More information about this workflow in our documentation here!

Link: https://supabase.com/dashboard/project/_/settings/api

PR: https://github.com/supabase/supabase/pull/27918

Other bug fixes and improvements#

SQL Editor

• Text area under AI assistant is now expandable for better UX with multi-line prompts (PR)

Database

• Added placeholder for function body editor section to hint the syntax if language selected is plpgsql (PR)

Logs Explorer

• Fixed logs explorer placeholder query for local set up (PR)

Supabase support for Postgres 13 is being deprecated as of 15th July 2024, and support for it will be fully removed on 15th November 2024.

All Postgres 13 projects should be upgraded to Postgres 15 before 15th November, 2024.

Any projects still on Postgres 13 after the 15th of November 2024 will be automatically upgraded to Postgres 15. If any Postgres extensions or functions are in use that cause the upgrade process to fail, a backup will be taken instead, and the project will be paused.

Postgres 15 comes with numerous features, bug fixes and performance improvements. Check out the announcement blog posts to find out what each version introduces.

• Postgres 14 Launch
• Postgres 15 Launch

Deprecation Timeline#

• 15th July: All users are notified via email about Postgres 13 Deprecation. Users can self-serve upgrade to Postgres 15 from our dashboard.
• 30th September: Users are reminded of impending deprecation via email.
• 30th October: Users are sent a final email reminder.
• 15th November: Any remaining projects on PG13 start getting migrated to PG15 (or paused, if there are upgrade issues).

Option to disable Data API when creating projects#

You can now opt to disable the Data API when creating a new project under a section called "Advanced Options", such that you will only be able to connect to your database via connection string. Note that this setting can be subsequently updated again in the project's API settings if and when you want to connect your project via the client libraries.

PR: https://github.com/supabase/supabase/pull/26809

Link: https://supabase.com/dashboard/new/_

Authorization for Realtime is now available!#

You can now control client access to Realtime Broadcast and Presence by adding Row Level Security policies to the realtime.messages table! Read more about through our documentation here!

PR: https://github.com/supabase/supabase/pull/27362

Link: https://supabase.com/dashboard/project/_/realtime/inspector\

Optimizations for table editor row count query#

Previously, the Table Editor on the dashboard would run a select count(*) from table query to retrieve the number of rows in the table and display it in the editor (this also supports the pagination logic as well). However, understandably this query can be resource intensive and expensive if the table in question is particularly large. As such, we've chucked some optimizations around this logic to only retrieve the exact row count if the table has less than 50k rows, otherwise we'll retrieve an estimate of the row count instead. You'll still be able to get the exact row count but on demand instead.

PR: https://github.com/supabase/supabase/pull/27612

Link: https://supabase.com/dashboard/project/_/editor

Support showing all entity types in the database/tables page#

PR: https://github.com/supabase/supabase/pull/27749

Link: https://supabase.com/dashboard/project/_/database/tables

Other improvements and bug fixes#

General

• More granular project statuses for pausing and restoration (PR)
• Support filtering projects by status (either active or paused) (PR)

Account

• Added instructions on how to change your email for your account (PR)

Storage

• Fix uploading a folder to the storage explorer causes all files to be uploaded in a flat list with the folder name prefixed to the file name (PR)

Table Editor

• Optimized table editor select query when cutting off column values (PR)

SQL Editor

• Added labels and grid to SQL editor charts (PR)

Greater clarity on costs when creating new projects#

One of our bigger papercuts in terms of billing is customers not understand compute pricing and that they cannot launch unlimited projects for $25 in total per month. Customers also get confused with "Compute Hours" on their bill. The changes aim to alleviate any "surprise" compute charges and serves as kaizen improvement.

Changes involved are only applicable to paid plan organizations, as it's irrelevant for free plan organizations.

PR: https://github.com/supabase/supabase/pull/27268

Link: https://supabase.com/dashboard/new/_

Address Table Editor "resorting" of rows when rows are updated and no active sorts applied#

If you've tried updating a table via the Table Editor without an active sort in place, you'd have noticed that the rows seem to re-sort themselves, specifically the row that you were updating. While this is because rows are returned in an unspecified order without a sort clause from the select query, it certainly must've been a confusing UX. We've alleviated this problem by setting a default sort by clause when reading the table via the Table Editor, which will get overriden once you've set a sort via the UI.

PR: https://github.com/supabase/supabase/pull/27097

Link: https://supabase.com/dashboard/project/_/editor

Other improvements and bug fixes#

General

• Greater granularity in project statuses, specifically for when project is restoring, when restoring failed and when pausing failed (PR)

Database

• Table searching is now case in-sensitive (PR)
• Add duplicate table CTA (Similar to the Table Editor) (PR)

SQL Editor

• Auto limit fix for when SQL query has "fetch first n rows only" (PR)
• Preserve whitespace in results (PR)

Query Performance

• Support index advisor for queries from Postgrest (PR)

Org Billing

• Users can now only manage a single tax ID instead of multiple (PR)

This only impacts projects on the Free Plan because projects in any of the paid plans cannot be paused.

Beginning June 24, 2024, we're updating some project pause/restore behavior:

• paused Free projects are restorable for 90 days following their pause date
• any Free projects paused before June 24 will be able to restore at any point before September 22, 2024 so they have a full 90 days from when this announcement is made
• once a project is no longer restorable, the "restore" option is replaced with an option to download the latest logical backup, taken right before the project is paused, and all Storage objects

This change is being made to enable us to maintain high development velocity on the platform. Previously, paused projects could be restored indefinitely. That creates the need for the platform to remain fully backwards compatible with outdated versions of Postgres and associated extensions. The update allows us to provide a reasonable pause/restore window while gaining the ability to evolve the platform.

Supabase Edge Runtime version 1.54 is compatible with Deno 1.43.

Supabase's hosted platform was upgraded to use this release when serving Edge Functions starting today.

If you're using Supabase CLI for local development latest stable release 1.176.10, it adds compatibility for Deno 1.43.

How do I find which version of Edge Runtime I'm running?#

Supabase CLI (local)#

When you run supabase functions serve, it should show the current version of Edge Runtime used (and its Deno compatibility)

Hosted Platform#

You can check the served_by field in log events to see which Edge Runtime version was used to serve your function .

We try our best to maintain backward compatibility in these upgrades. If you're experiencing any issues, please feel free to make a support request

Launch week, Storage, Supabase CLI, Connection Pooling, Supabase UI, and Pricing. Here's what we released last month.

This is also available as a blog post and a video demo.

Supabase Storage#

Need to store images, audio, and video clips? Well now you can do it on Supabase Storage. It's backed by S3 and our new OSS storage API written in Fastify and Typescript. Read the full blog post.

Connection Pooling#

The Supabase API already handles Connection Pooling, but if you're connecting to your database directly (for example, with Prisma) we now bundle PgBouncer. Read the full blog post.

React UI Component Library#

We open sourced our internal UI component library, so that anyone can use and contribute to the Supabase aesthetic. It lives at ui.supabase.io . It was also the #1 Product of the Day on Product Hunt.

CLI#

Now you can run Supabase locally in the terminal with supabase start. We have done some preliminary work on diff-based schema migrations, and added some new tooling for self-hosting Supabase with Docker. Blog post here.

OAuth Scopes#

Thanks to a comunity contribution (@_mateomorris and @Beamanator), Supabase Auth now includes OAuth scopes. These allow you to request elevated access during login. For example, you may want to request access to a list of Repositories when users log in with GitHub. Check out the Documentation.

Kaizen#

• You can now manage your PostgREST configuration inside the Dashboard.
• Our website has been redesigned. Check out our new Homepage and Blog, and our new Database, Auth, and Storage product pages.
• We refactored some of our Filter methods to make them even easier to use. Check out the Full Text Search refactor.
• We have added several new sections to our Docs including: Local Dev, Self Hosting, and Postgres Reference docs (all still under development).

Supabase is an open source Firebase alternative. We've now been building for one year. Here's what we released last month.

This is also available as a blog post and a video demo.

Dashboard Sidebars#

We've improved the UX of our Dashboard with sidebars in every section, including the Table view, the Auth section, and the SQL Editor.

SQL Autocomplete#

Writing SQL just got 10x easier. We added autocomplete to the SQL editor, including table & column suggestions.

Auth Redirects#

Redirect your users to specific route within your site on signIn() and signUp().

Learning Resources#

We've released a new Resources section in our docs, as well as two new Auth modules: GoTrue Overview and Google OAuth.

New Region#

Launch your database in South Africa.

Kaizen#

• We filled up our Examples page with a lot of new content.
• We released a Docker Compose file for running Supabase locally. This will be used in our upcoming CLI.
• We have a couple of pending RFCs which you may want to participate in:
  • Planning our CLI and Local Development
  • Connection Pooling on Supabase

New year, new features. We've been busy at Supabase during January and our community has been even busier. Here's a few things you'll find interesting.

This is also available as a blog post and a video demo.

Count functionality#

Anyone who has worked with Firebase long enough has become frustrated over the lack of count functionality. This isn't a problem with PostgreSQL! Our libraries now have support for PostgREST's exact, planned, and estimated counts. A massive thanks to @dshukertjr for this adding support to our client library.

New Auth Providers#

We enabled 2 new Auth providers - Facebook and Azure. Thanks to @Levet for the Azure plugin, and once again to Netlify's amazing work with GoTrue to implement Facebook.

Auth Audit Trail#

We have exposed the audit trail directly in the dashboard, as well as the GoTrue logs. Great for security and debugging.

Auth UI widget#

In case our Auth endpoints aren't easy enough already, we've built a React Auth Widget for you to drop into your app and to get up-and-running in minutes.

New auth.email() function#

We added a helper function for extracting the logged in user's email address.

New Regions#

Launch your database in London or Sydney!

Copy rows as Markdown#

You can now copy SQL results as Markdown - super useful for adding to blogs and issues.

React server components#

If you're excited by React Server components then check out the Supabase + Server Components experimental repo. https://github.com/supabase/next-server-components

Learn#

We know that Auth can be a bit daunting when you're just starting out, so we have created some intro videos to get you up to speed in no time:

• Supabase Auth Deep Dive Part 1: JWTs
• Supabase Auth Deep Dive Part 2: Restrict Table Access
• Supabase Auth Deep Dive Part 3: User Based Access Policies

Kaizen#

• Performance: We migrated all of our subdomains to Route53, implementing custom Let's Encrypt certs for your APIs. As a result, our read benchmarks are measuring up 12% faster.
• Performance: We upgrade your databases to the new GP3 storage for faster and more consistent throughput.