Changelog

New updates and product improvements

Introduction

We are removing app.settings.jwt_secret from the postgres database on 2024/11/22.

This setting has previously been available through our PostgREST integration, and could be accessed using current_setting('app.settings.jwt_secret') in SQL.

Why are we doing this?

The jwt_secret can be used to mint new, custom JWTs and is security sensitive. Supabase limits access to the jwt_secret , through both the dashboard and API, to specific roles (owner, admin and developer). Allowing access to this setting directly in the database can allow bypassing of these restrictions.

What do you need to do?

If you need the jwt_secret, it can be retrieved through the Supabase dashboard.

If you are using the app.settings.jwt_secret in SQL, you will need to update your function to retrieve this value from Vault.


_10
select vault.create_secret('JWT_SECRET', 'app.jwt_secret', 'The jwt secret');
_10
_10
-- retrieve the value, this replaces select current_setting('app.settings.jwt_secret')
_10
select decrypted_secret
_10
from vault.decrypted_secrets
_10
where name = 'app.jwt_secret';

Also, please consult the changelog entry for Asymmetric Keys to understand the coming changes to jwt_secret and how keys at Supabase are changing.

Table Editor Performance Improvements

We've set aside some time to look into improving the performance of the Table Editor over the past few weeks, in particular shortening both perceived and actual loading times as you navigate around the Table Editor. This all comes together in several PRs as we explored from 2 angles:

  • Optimizing the queries that are firing behind the scenes by removing redundant sections + minimise waterfall requests
  • Introducing prefetching behaviours as your mouse cursor goes through the list of tables to have the tables' contents ready by the time you open it in the UI

Performance improvements have always been a consistent topic with the team, and we don't intend to stop here! Hopefully these changes will make it smoother and faster for you to build your project with the dashboard and as always let us know any feedback! šŸ™‚šŸ™ Just a button away in the top right corner of the dashboard to get your thoughts heard šŸ˜„

PRs:

Link: https://supabase.com/dashboard/project/_/editor

Other bug fixes and improvements

Table Editor

  • Simplified header when rows are selected (PR)
  • Allow exporting of data on tables that are protected (PR)

Authentication

  • Fixed provider "Enabled" state when viewing user details if user's provider is LinkedIn (PR)
  • Sorting users on a column will shift users with NULL values on that column to the bottom (PR)
  • Fix "Last signed in at" column showing up as "Waiting for verification" on subsequent pages as page is scrolled down (PR)

Storage

  • Add ability to toggle image transformations from settings (PR)

šŸš€ Announcement: Weā€™ve just released supabase-js version 2.46.2-rc.3, which resolves several type errors in the PostgREST client.

Notable issues resolved:

Weā€™d love your feedback to ensure everything runs smoothly!


Important Notes:

This update might require regenerating your database types. You can do this via the Supabase CLI (ā‰„v1.207.8) or the dashboard. For instructions, check out our guide here.


Potential Issues

This version introduces stricter alignment between runtime behavior and type inference. As a result, some types might appear "broken" but are actually being corrected.

The main changes to be aware of:

  1. The result of an embedding now correctly infers a single object or an array based on the relationship.
  2. The result of an object embedding now more accurately identifies whether the result can be null.

Before reporting a bug, please double-check that the inferred types are truly incorrect based on your query and database schema.


Bug Reporting:

If your project is hosted on Supabase, please open a support ticket here and check "Allow Supabase Support to access your project temporarily." This will enable us to investigate your database types directly.

Alternatively, you can open an issue on GitHub. Please include:

  1. The generated Database type used to instantiate the client (e.g., createClient<Database>(process.env.SUPABASE_URL, process.env.SUPABASE_ANON_KEY)). If possible a minimal SQL declaration resulting in such Database type.
  2. The query where type inference failed (e.g., .from('which-table').select('which-query')).
  3. Your TypeScript version (npx tsc -v).

From Supabase CLI version 1.215.0 or higher you can configure a custom entrypoint to your Edge Functions. This can be used to write Edge Functions in pure JavaScript instead of TypeScript.

Save your Function as a JavaScript file (eg: index.js) and then update the supabase/config.toml as follows:


_10
[functions.hello-world]
_10
# other entries
_10
entrypoint = './functions/hello-world/index.js' # path must be relative to config.toml

You can use any .ts, .js, .tsx, .jsx or .mjs file as the entrypoint for a Function.

More details: https://supabase.com/docs/guides/functions/quickstart#not-using-typescript

Each Edge Function can now have its own deno.json or deno.jsonc file to manage dependencies. You will need to deploy your functions using Supabase CLI version v1.215.0 or above to make use of this feature.

How to use deno.json

Create a deno.json in your function's folder:


_10
// supabase/functions/function-name/deno.json
_10
{
_10
"imports": {
_10
"lodash": "https://cdn.skypack.dev/lodash"
_10
}
_10
}

You can now use aliased imports in your source code:


_10
// supabase/functions/function-name/index.ts
_10
import lodash from 'lodash'

To test your function locally, run supabase functions serve. When you're ready, you can deploy it to hosted platform by running supabase functions deploy function-name

For more details, check the guide: https://supabase.com/docs/guides/functions/import-maps#using-denojson-recommended

Spam validation check now added to Auth templates

We've now added a spam validation checker for your email templates in the Auth section of the dashboard! This is powered by SpamAssassin and is in hopes to assist you with writing email content in a way to avoid being marked as spam by email clients.

You will still be able to save your email templates regardless of whether you're using the built-in SMTP provider or a custom SMTP provider. However, we highly recommend fixing these warnings since they can affect email deliverability.

PR: https://github.com/supabase/supabase/pull/30188

Links: https://supabase.com/dashboard/project/_/auth/templates

Other improvements and bug fixes

Authentication

  • Hovering over auth logs for a user will show relative time info (PR)
  • Allow sorting on last signed in at for users (PR)
  • Allow selection of functions that return void for auth hooks (PR)
  • Allow updating of SMS rate limit irregardless of SMS autoconfirm being enabled (PR)

Storage

  • Fix developer roles not being able to update buckets (PR)

Database

  • Fix create index "Select a table" combobox not using search input (PR)
  • Support opening tables in table editor from the schema visualizer (PR)

Logs & Analytics

  • Fix filters for log reports (PR)

Edge Functions now support importing NPM packages from private registries. You will need to deploy your functions using Supabase CLI version v1.207.9 or above to make use of this feature.

How to use packages from private registries

Create a .npmrc file within supabase/functions. This will allow you to import the private packages into multiple functions. Alternatively, you can place the .npmrc file directly inside supabase/functions/function-name directory.

Add your registry details in the .npmrc file. Follow this guide to learn more about the syntax of npmrc files.


_10
@myorg:registry=https://npm.registryhost.com
_10
//npm.registryhost.com/:_authToken=VALID_AUTH_TOKEN

After that, you can import the package directly in your function code or add it to the import_map.json (https://supabase.com/docs/guides/functions/import-maps#using-import-maps).


_10
import MyPackage from "npm:@myorg/private-package@v1.0.1"
_10
_10
// use MyPackage

To test your function locally, run supabase functions serve. When you're ready, you can deploy it to hosted platform by running supabase functions deploy function-name

Disk size usage section under organization settings

Screenshot 2024-10-13 at 03 21 37

We've added a new disk size section for paid plans to give a quick overview of each project under the organization and their respective disk sizes for better visibility over the corresponding charges. This is only an initial iteration for this UI, we do plan to add historical statistics and more to improve visibility and transparency over what you're using and what you're paying for šŸ™‚

PR: https://github.com/supabase/supabase/pull/29862

Link: https://supabase.com/dashboard/org/_/usage

Bug fixes and other improvements

Table Editor

  • Fix views filtering in table editor for local dashboard (PR)
  • Fix exporting a table that contains columns of enum array types to CSV (PR)

SQL Editor

  • Fix snippets not loading for local dashboard (PR)

Authentication

  • Support searching by properties when viewing a user's raw JSON (PR)

We improved the information architecture (IA) on our docs site.

Why?

Weā€™d outgrown the IA! As we added more features and guides, some sections grew to contain a miscellaneous collection of things that donā€™t belong together. They just had no better place to go.

With the new IA, it should be easier to find what youā€™re looking for.

Summary of changes

  • Two top-level menus, Build and Manage, to replace the old Build menu
  • Build menu:
    • Local development / CLI is now primarily about local dev, CI/CD information has been moved to Deployment
    • Information on both Vercel and Supabase integrations now moved to Integrations section
    • New Deployment section covers everything needed to get your changes onto hosted Supabase (including branching, Terraform, CI/CD, and production checklists)
  • Manage menu:
    • Platform management (formerly ā€œPlatformā€) trimmed down to contain information about configuring your Supabase platform (including account management, project permissions, and billing)
    • New Monitoring and troubleshooting section contains troubleshooting guides and information on logging and telemetry

Improved users management UI

One of our oldest pages on the dashboard has finally gotten an upgrade! šŸ˜„ We're taking the first steps towards a pattern of visualizing table data with a data grid, with the Auth users page being our first contender. Couple of stuff that we'd love to highlight that were improved and introduced:

Click on users to grab more details about them in a side panel (PR)

Added a ban functionality within the danger zone at the bottom of the panel

Search now also supports filtering for providers (PR)

Columns can be sorted based on your preference (and will be persisted in local storage)

https://github.com/user-attachments/assets/3f7890ca-04cf-4cb9-8046-63b3db9b6eb9

You can also now toggle column visibility, as well as apply sorts on columns

View authentication logs of the user right from the panel (PR)

These tooling should now allow you to customize the auth users view that best fits your workflow, and we definitely hope to keep making this better so as always, feel free to drop us any feedback good or bad, any bugs via the widget at the top right corner of the dashboard šŸ™‚ We say this all the time and its a promise that we've kept - we look at every feedback that comes in šŸ¤™

PR: https://github.com/supabase/supabase/pull/29105

Link: https://supabase.com/dashboard/project/_/auth/users

Timestamp helper for Logs Collections

https://github.com/user-attachments/assets/80541e0a-4571-4193-ab9e-8d9af4b63d55

Hovering over the date/time string in the left most column of a row in any logs collection will now show a helper tooltip that will depict the time in 4 different formats: UTC, Local TZ, Relative time, and raw numerical timestamp. This will hopefully help with interpreting timestamps much easier and faster and alleviate any confusion around timezones! šŸ™‚šŸ•°ļø We're also planning to use this pattern across the whole dashboard too wherever time data is involved šŸ’ŖšŸ»

PR: https://github.com/supabase/supabase/pull/29530

Link: https://supabase.com/dashboard/project/_/logs/edge-logs

Other bug fixes and improvements

General

  • Added breakdown of security issues dropdown on project home page (PR)

Organization Settings

  • Fixed tooltip not showing up for users with project scoped roles, to show which projects they have roles for (PR)

Table Editor

  • Autofocus on search input when navigating to table editor (PR)
  • Improved column type dropdown with searching for types (PR)
  • Improved datetime editing in table editor grid + support for setting these column values to NULL (PR)

Edge Functions

  • Added validations for adding/removing secrets on SUPABASE_ prefixed secrets (PR)

Reports

  • Added database connections charts to database reports (PR)

Summary

Returning XHTML responses from the Data APIs and Edge Functions is now only allowed if a Custom Domain is being used.

Additionally, you can now serve HTML and XHTML responses from the Storage service as well, if a Custom Domain is being used.

If your use-case requires serving these content types, you can continue to do so by using a Custom Domain add-on.

Affected projects have been notified in advance.

Background

HTML responses (i.e. content-types that can be directly rendered by browsers) were historically disallowed for projects not using a custom domain, in order to prevent abuse on the shared domains used for provisioning Supabase projects. This change updates this behavior to process XHTML responses in the same manner, due to the same rationale.

These breaking changes are rolling out on October 15, 2024 and affects only organizations on the Enterprise plan that have implemented project permissions with members assigned the Developer role.

Supabase launched new granular access control for Enterprise organizations so that its members are given access to specific projects instead of the entire organization. You can check out our Launch Week 12 announcement to learn more.

We recently re-evaluated the access that the Developer role has and decided to implement changes to restrict them on a couple of resources to improve your project's security.

On October 15, 2024, we will turn off certain access that the Developer role currently has to your project's resources. The following table is to illustrate all of the breaking changes that will be going into effect:

ResourceActionDeveloperRead-Only
API Configuration
JWT SecretGenerate newāœ…Ā ā†’ āŒāŒ1
API SettingsUpdateāœ…Ā ā†’ āŒāŒ1
Auth Configuration
Auth SettingsUpdateāœ…Ā ā†’ āŒāŒ1
Advanced SettingsUpdateāœ…Ā ā†’ āŒāŒ1
Storage Configuration
Upload LimitUpdateāœ…Ā ā†’ āŒāŒ1
S3 access keysCreateāœ…Ā ā†’ āŒāŒ1
Deleteāœ…Ā ā†’ āŒāŒ1
Edge Functions Configuration
SecretsCreateāœ…Ā ā†’ āŒāŒ1
Deleteāœ…Ā ā†’ āŒāŒ1
Authentication
ProvidersUpdateāœ…Ā ā†’ āŒāŒ1
Rate LimitsUpdateāœ…Ā ā†’ āŒāŒ1
Email TemplatesUpdateāœ…Ā ā†’ āŒāŒ1
URL ConfigurationUpdateāœ…Ā ā†’ āŒāŒ1
Logs & Analytics
Events CollectionsCreateāœ…Ā ā†’ āŒāŒ1
Updateāœ…Ā ā†’ āŒāŒ1
Deleteāœ…Ā ā†’ āŒāŒ1
Warehouse Access TokensCreateāœ…Ā ā†’ āŒāŒ1
Revokeāœ…Ā ā†’ āŒāŒ1

You can learn more about our Platform Access Control here: https://supabase.com/docs/guides/platform/access-control.

If you have any questions or concerns please contact support.

Footnotes

  1. Role's permission to the resource and action will remain the same. ā†© ā†©2 ā†©3 ā†©4 ā†©5 ā†©6 ā†©7 ā†©8 ā†©9 ā†©10 ā†©11 ā†©12 ā†©13 ā†©14 ā†©15 ā†©16 ā†©17 ā†©18

Deployment of up to 5 read replicas now supported on larger compute sizes

Previously, each project could only deploy up to 2 read replicas, but we're now raising this limit to 5 for projects on larger compute sizes (XL and above).

PR: https://github.com/supabase/supabase/pull/29250

Link: https://supabase.com/dashboard/project/_/settings/infrastructure

Catch queries that contains an update query without a where clause in SQL Editor

Another effort to safeguard against running queries with unintended side effects - this time, we're checking for UPDATE queries without a WHERE clause - this check kicks in prior to running the query. We've also consolidated this warning with our existing warning against destructive operations to catch both cases if they exist in the same query.

PR: https://github.com/supabase/supabase/pull/28458

Link: https://supabase.com/dashboard/project/_/sql

Other bug fixes and improvements

General

  • Support querying a table via CMDK by opening the SQL editor (PR)
  • Update Supabase Assistant with GPT 4o from 3.5 (PR)

Table Editor

  • Improve pagination input field, by only navigating to page on Enter (PR)

SQL Editor

  • Fix inability to share queries that are under favorites (PR)
  • Fix moving snippets into folders (PR)

Storage Explorer

  • Fix to prevent continuously retrying when a file of an invalid mime type is uploaded (PR)

Auth

  • Support searching by UID (PR)
  • Add confirmation modal when closing tab with unsaved changes on templates page (PR)
  • Support adding/removing multiple redirect URLs (PR)

Database

  • Fix index page crashing when creating an index on a table with no columns (PR)

Logs Explorer

  • Layout shift and scroll fixes (PR)
  • Prevent use of WITH, ILIKE or wildcards (PR)

The initial launch of Read Replicas allowed for up to two Read Replicas per project.

The limit for projects on XL compute add-ons and larger has now been raised to 5 Read Replicas per project.

Projects on compute add-ons smaller than XL are still allowed up to 2 Read Replicas per project.

As our user base has grown, we are taking steps to make sure we are able to continue to provide a safe, secure, robust free plan experience. To ensure that email-based auth continues to work for all users on Supabase, we're making changes if you're using the default email provider. This allows us to continue to offer our default provider in a more sustainable and resilient manner.

For maximum flexibility and control over your auth emails, we suggest one of the following:

If you still want to use the default email provider, these are the changes being planned:

  • Email template customization will be allowed and customized email templates will not be reverted to default.

  • 26th September: If you do not have a custom SMTP server set up, emails can only be sent to email addresses in your project's organization. So for example, if your organization has the following members: person-a@example.com, person-b@example.com and person-c@example.com , this means that email messages from Auth will only be sent to these addresses.

These measures are taken to prevent abuse to our shared SMTP service. In the future, we may consider increasing the email rate limits once we see a drop in abuse.

Frequently asked questions

Why such a short notice?

Supabase uses a third-party email sending provider that has mandated we reduce email abuse significantly or they will be forced to block all email sending. A tragedy of the commons.

Can't Supabase switch to a different email sending partner?

Yes, but we would run into the same issues. All email sending services are required to monitor abuse and force their customers to follow the same rules.

Can't Supabase send emails on their own, without a third party?

Not really. You can't just send email on the web today without investing a lot of money and time (unblocking port 25, keeping IP addresses out of spam lists, etc.). This is not our core competency and do not have plans to start doing this today.

How long does it take to set up a custom SMTP provider?

Fortunately this is very easy. You can use any email sending service for this, really popular ones include:

All you need to do is create an account, verify your sending domain and finally input the SMTP username and password in the Auth settings page.

What if I turn off email confirmations, can I use it then?

Currently this behavior is not supported and we'll be rolling out a fix for it during the first week of October.

Confirming email addresses is where most of the email message activity for a project originates. Turning it off can be a viable option for some projects that are still in the early testing, development or experimental phase.

Be aware that even if you turn off email confirmations the forgot password or reset password flows in your app continue to function. They also send messages, and starting 26th September those messages will be delivered only to the members of the Supabase organization that owns the project. All other end-users will get a message similar to "Email address not authorized." Effectively, the forgot password / reset password flow will be broken for your project.

What if I want just username + password authentication and using <username>@<fakedomain> instead?

Please don't do this. Part of the reason why we were forced to lock down these changes is bounced emails, probably from use cases like this.

Official username + password support is going to be made available in the coming year, and until then:

  • Use a real domain, that you control
  • Send emails to that domain, so set up a receiving server

But the best thing to do is:

  • Set up a Send Email Auth Hook that does nothing. You don't even need to use a server or an Edge Function. Just define a Postgres function that just does nothing.

All projects using generate link via the admin API without custom SMTP have been patched to allow the behavior. We still strongly urge those customers to set up custom SMTP regardless.

Just because you're mostly using the admin API to generate links to send in custom email messages, doesn't mean that the Auth server is not configured to use Supabase's shared SMTP service. Your Auth API can be called from your frontend at any time, especially in edge cases such as to handle forgot password or other similar flows, which you may not be handling via the admin API.

Therefore we urge all customers that do use the admin API to set up a custom SMTP sending service regardless.

If you are not interested in setting this up, you can instruct the Auth server to ignore all emails (pretend it's sending them) by configuring a Send Email Auth Hook as a Postgres function that does nothing.

How can I disable the warning banner?

You can disable the warning banner by setting up a custom SMTP provider , or, if your project doesn't use email at all, by disabling the email provider.

Updates

20th September 2024

Email template customization will be allowed and customized email templates will not be reverted to default.

Team has decided that restricting email template customization is not viable and a big breaking change. We may need to do go back to this in the future if abuse continues and our other measures like allowing projects to only send messages to authorized email addresses do not improve the situation. We continue to urge all customers regardless of plan that use the default SMTP service for live applications to move to a custom SMTP provider as soon as able.

  • 20th September: Email template customization will no longer be possible without setting up a custom SMTP provider. Email templates already customized can still be customized until 24th September.

  • 24th September: Projects without a custom SMTP provider will have their custom email templates returned back to the default ones from Supabase. This means that any auth emails sent out from your project will use the default email template.

Update (2nd October 2024): We have decided to push back the launch from 7th October 2024 to Q4 2024 to roll this out meticulously; we want to perform exhaustive security checks and spend more time dogfooding internally.

Asymmetric key changelog

Introduction

We are introducing asymmetric key cryptography to Supabase Auth in Q4 2024 on 7th October 2024. This will be provided as an additional option to the JWT secret currently shown in the JWT settings page.

Why are we doing this?

Supabase Auth has always been using a symmetric secret (known as the JWT secret) for signing and verifying JWTs. While this is simple and convenient (since the same secret is used for both signing and verifying), it presents the following problems:

  1. Extra network request required to verify the userā€™s JWT with the symmetric secret. Currently, one needs to make a request to Supabase Auth in order to verify the userā€™s JWT or copy the JWT secret into their environment. While the latter suggestion improves performance, it can result in security implications if the secret is accidentally leaked, which requires all your keys to be rolled.
  2. Difficult to roll with zero downtime. Since the symmetric secret cannot be shared publicly, developers need to wrangle with rolling the secret across their environments while ensuring that the new secret is used.

Benefits of using asymmetric keys

Asymmetric keys rely on public / private key cryptography, which means that the private key is only used for signing, while the public key is only used for verifying. This solves the above problems in the following way:

  • Usage of asymmetric key cryptography rather than a shared symmetric secret for signing and verifying JWTs. Since asymmetric keys donā€™t use a shared secret, there is less risk of the secret being leaked.
  • Faster JWT verification times since thereā€™s no need to make a network call to Supabase Auth via getUser() . The public key can be used for verifying the JWT. Note that adding the symmetric secret to your server-side environment to verify the JWT also has the same effect but is potentially less secure since there is an increased risk of the secret being leaked if it is used in multiple applications.
  • Zero-downtime key rotation. Public keys can be exposed in a JSON Web Key Set (JWKs) format, which allows any one of them to be used for verification. When the asymmetric key is rotated, we can still keep the previously used public key in the JWKs endpoint to verify existing JWTs. New JWTs will be signed by the new asymmetric key.

These will include the following changes:

  • A public JWKs endpoint for retrieving the public JWK to verify JWTs. This will be exposed through the https://<project_ref>.supabase.co/auth/v1/.well-known/jwks.json endpoint. The symmetric secret will not be exposed through this endpoint for security reasons.
  • A new method called getClaims() , which handles verifying the JWT and returning the claims in it.
  • Ability to download the public keys in different formats through the dashboard (e.g. PEM, JWKs).

Migration to Asymmetric JWTs

New projects that are created after 1st May 2025 will be created with an RSA asymmetric key by default. Existing projects can choose to start using asymmetric keys by doing the following:

  1. Ensure that you are using the new API keys.
  2. Update all your clients to use at least supabase-js version x.x.x (the version number will be updated closer to the release date). In this version, we are introducing a new method called getClaims which handles verifying both symmetric and asymmetric JWTs:
    • Example successful response payload for getClaims()


      _29
      {
      _29
      "data": {
      _29
      "iss": "https://projectref.supabase.co",
      _29
      "sub": "565dafb5-fd66-4274-9c37-f0ff720f5637",
      _29
      "aud": "authenticated",
      _29
      "exp": 1824717902,
      _29
      "iat": 1724717902,
      _29
      "email": "foo@example.com",
      _29
      "phone": "",
      _29
      "app_metadata": {
      _29
      "provider": "email",
      _29
      "providers": ["email"]
      _29
      },
      _29
      "user_metadata": {
      _29
      ...
      _29
      },
      _29
      "role": "authenticated",
      _29
      "aal": "aal1",
      _29
      "amr": [
      _29
      {
      _29
      "method": "oauth",
      _29
      "timestamp": 1724717902
      _29
      }
      _29
      ],
      _29
      "session_id": "479c1cbf-bd52-42d4-894f-1519f39b3241",
      _29
      "is_anonymous": false
      _29
      },
      _29
      "error": null
      _29
      }

    • Using getClaims() to verify the JWT


      _13
      import { createClient } from 'supabase/supabase-js'
      _13
      _13
      const supabase = createClient(SUPABASE_URL, SUPABASE_KEY)
      _13
      _13
      // previously, using getUser() requires making an
      _13
      // additional network request to Supabase Auth to verify the JWT
      _13
      //
      _13
      // const { data, error } = await supabase.auth.getUser()
      _13
      _13
      // getClaims() will always return the JWT payload if the JWT is verified
      _13
      // If it's an asymmetric JWT, getClaims() will verify using the JWKs endpoint.
      _13
      // If it's a symmetric JWT, getClaims() calls getUser() to verify the JWT.
      _13
      const { data, error } = await supabase.auth.getClaims(jwks)

  3. Create an asymmetric key through the dashboard. At this point the symmetric JWT moves to a Previously Used state. Existing JWTs signed with the symmetric JWT continue to be valid, but new JWTs are signed via the asymmetric JWT. Note: The UI mockup below is subjected to change and is just meant to illustrate the different possible states of a signing key.

  1. After the JWT expiry period, you can safely revoke the ā€œPreviously Usedā€ symmetric JWT, since new JWTs will now be signed with the asymmetric key.

Frequently Asked Questions

  • What do I need to do before I can start using asymmetric keys in Supabase Auth?
    • See migration section above for the detailed steps
  • Can I create a symmetric key after I create an asymmetric key?
    • Yes. You will still be able to create a new symmetric key under the JWT settings page in the dashboard. New projects will be created with an asymmetric key by default on 1st May 2025.
  • Will the private asymmetric key be exposed?
    • No. Only the public keys will be exposed in various formats (e.g. PEM, JWKs) since those are needed for verification.
  • Will I be able to bring my own private key?
    • Yes, you can bring your own private key as long as it complies with the key types allowed.
  • What key types can I use to create asymmetric JWTs?
    • By default, asymmetric keys will be created with RS256 by default. You can optionally choose to use ECC or Ed25519. ECC keys are more performant, but not as widely supported as RS256. You can also fallback to HS256 (symmetric keys).

Introduction

Weā€™re changing the way API keys work in Supabase to improve your projectā€™s security and developer experience and plan to roll out these changes Q4 2024. Rest assured that the current API keys in your existing projects will continue to work for another year until 1st October 2025 during the transition.

Weā€™ll contact you when we launch the new API keys, and when we do, no immediate action is required. However, we strongly recommend that you migrate your projectā€™s existing API keys for the new set when they are introduced. Updating to use the new API keys is a quick and painless process and can be as simple as a change in environment variable and take just a few minutes.

Timeline

Update (2nd October 2024): We have decided to push back the launch from 7th October 2024 to Q4 2024 to roll this out meticulously; we want to perform exhaustive security checks and spend more time dogfooding internally.

Key DatesDescriptionUser Action Needed
Q4 2024
7th October 2024
Introduction of new API keys.

New projects will automatically generate both new API keys and legacy API keys to help ease the transition.

Existing projects can continue to use the legacy API keys and can opt in to use the new API keys by manually generating them.
No immediate action needed. We strongly recommend that you migrate to use the new API keys.
1st May 2025We will start sending you monthly reminders to migrate off legacy API keys and start using the new keys.

New projects will be created with only new API keys.

Projects restored from 1st May 2025 will no longer be restored with the legacy API keys.
You are highly encouraged to migrate off to use the new API keys before this date since paused projects that are restored risk being broken as they wonā€™t have the legacy keys.
1st October 2025Legacy API keys will be deleted and removed from the Docs / Dashboard.You have to migrate to use the new API keys by this point or your app will break.

Why are we doing this?

Currently there is a tight coupling between API keys and the JWT secret which presents a few challenges:

  1. Difficult to revoke the service_role or anon key. Imagine if someone in your Supabase organization leaves the team, and you want to roll your projectā€™s JWT secret to revoke their access? Or you accidentally commit the service_role key into your version control system and need to roll it?

    If either of these keys gets leaked, the developerā€™s only option is to roll the JWT secret by generating a new one. When the JWT secret is rolled, all authenticated users would be logged out, clients using the older anon and service keys would break. Realistically, there is no way to roll the JWT secret without downtime.

  2. Sub-optimal developer experience to create an API key with a custom role. Developer needs to sign a JWT with a long expiry time and their custom role using the secret.

The introduction of new API keys solves the above problems by allowing the developer to:

  • roll individual API keys
  • roll the API keys without logging out their users
  • create custom API keys easily

API Key changes

These are the planned changes for the API keys:

  • anon key will be renamed to publishable key and the service_role key will be renamed to secret key. publishable api keys are meant to be used along with Supabase Auth users and secret api keys are for use from the server side and bypasses all row level security policies. We chose to use publishable and secret to align with stripeā€™s terminology and preferred it to terms like public and private since those could be confused with public / private key cryptography when we introduce asymmetric JWTs to Supabase Auth.

  • New API keys will look like regular strings instead of JWTs:

    Legacy API KeysEquivalent New API Keys
    anon key: eyJhbGciOiJIUzI1...FDsBGn0iqSmL28Zeg8f0publishable key: sb_publishable_123abc
    service_role key: eyJhbGciOiJIUzI1...SEVEyZQNhffCoSj4P5Asecret key: sb_secret_123abc
  • With the new API keys, it will be possible to revoke individual API keys and without revoking the JWT secret. Once the legacy API key is revoked, it wonā€™t be possible to restore them.

  • New projects will be created with both new and legacy API keys until 1st May 2025. New projects created after this date will only be created with new API keys.

  • Projects that are restored after 1st May 2025 will not be restored with legacy API keys.

  • Legacy API keys will no longer work for all projects after 1st October 2025.

Migration to the new API keys

  1. If you want to use the new API keys, all you need to do is to swap out your keys for the new ones:
Legacy API KeysEquivalent New API Keys
anon keypublishable key
service_role keysecret key
  1. Update your .env file to contain the new API key

_10
# the legacy anon key
_10
SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...w6PYobnC7Ep7EnDd9DG25qBFDsBGn0iqSmL28Zeg8f0
_10
_10
# the new publishable key
_10
SUPABASE_PUBLISHABLE_KEY=sb_publishable_123abc

  1. Instantiate the supabase client with the new API Keys.

_10
import { createClient } from 'supabase/supabase-js'
_10
_10
const supabase = createClient(SUPABASE_URL, SUPABASE_PUBLISHABLE_KEY)

  1. After all your clients have been instantiated with the new API keys, you can revoke the legacy keys from the dashboard.

Frequently Asked Questions

  • What is the timeline for the migration?
    • See "Timeline" section above
  • My app is deployed through Vercel / Netlify, how do I use the new API keys?
    • If youā€™re using Vercel or Netlify, changing the keys in your environment will only be reflected when you trigger a new deployment.
  • I only connect to the database via the connection string ā€”Ā do I need to worry about this at all?
    • No, unless you use the supabase client libraries to make queries to the database.
  • How do we do custom claims?
    • Currently, users have to manually create a new key with their custom claims using the JWT secret provided.
    • There will be support for creating new API keys with custom properties in the dashboard and management API.
  • What benefit do we get from migrating to use the new API keys?
    • You can revoke an individual key in the event of a compromise
    • You can revoke keys without logging out existing users
    • You donā€™t have to deal with minting a new JWT using the JWT secret if you want to add custom claims to an API key.
  • What is the interaction between the apikey header, the Authorization header and the underlying Postgres role used?
    • The new API keys are just regular strings instead of JWTs.
    • By default, secret API keys assume the service_role. When creating the new secret API keys, you can override this behavior and assign a custom role. Downstream services like postgREST and storage assume this role when they are called with this API key.
    • By default, publishable API keys default to the anon role. When a user JWT is passed in via the Authorization header, the role claim in the JWT is used instead. You cannot map publishable keys to custom roles when creating the key, like you will be able to do with secret API keys.

Schema Visualizer nodes are now persisted

This was yet another request that we've commonly heard from everyone and we're taking a first step to making this happen šŸ˜„ Position of the nodes will now be stored within local storage so that you won't have to re-position them each time you land on this page. We've also added a button to help arrange the nodes automatically if that might be preferred!

Note that if you add new tables to the schema however, the node positions will be defaulted to a certain position that may overlap with other nodes - we're definitely looking into how we can make that better so that new nodes can be easily identified (and then shifted around to your liking šŸ™‚)

PR: https://github.com/supabase/supabase/pull/29136

Link: https://supabase.com/dashboard/project/_/schemas

Other improvements and bug fixes

General

  • Minor improvements to layouts and buttons to ensure their visibility on smaller screens (PR)
  • Fix project status filter on home page to only show active projects if only the active checkbox is checked (PR)

Table Editor

  • Fix client crash when creating an empty table with no columns (PR)
  • Fix handling of of large JSON / text fields in the side panel text editor (PR)

SQL Editor

  • Add client side validation for query size (max 1MB) (PR)
  • Couple of fixes around adding a new folder with the same name as an existing one (PR)

Database

  • Update Stripe Wrapper with more tables (PR)
  • Remove docs button for database extensions that have no documentation yet (PR)

Supabase Edge Runtime version 1.57 is compatible with Deno 1.45.

Supabase's hosted platform was upgraded to use this release when serving Edge Functions starting last week.

If you're using Supabase CLI for local development latest stable release 1.192.5, it adds compatibility for Deno 1.45.

How do I find which version of Edge Runtime I'm running?

Supabase CLI (local)

When you run supabase functions serve, it should show the current version of Edge Runtime used (and its Deno compatibility)


_10
> supabase functions serve
_10
_10
Setting up Edge Functions runtime...
_10
Serving functions on http://127.0.0.1:54321/functions/v1/<function-name>
_10
Using supabase-edge-runtime-1.58.2 (compatible with Deno v1.45.2)

Hosted Platform

You can check the served_by field in log events to see which Edge Runtime version was used to serve your function.

We try our best to maintain backward compatibility in these upgrades. If you're experiencing any issues, please feel free to make a support request

Upgrade your organization directly from our pricing page

https://github.com/user-attachments/assets/2262d816-0c69-4c58-a6e2-1ce4868122f2

Users who are logged in will now be able to select and upgrade their organization from the pricing page itself when clicking on the Upgrade to Pro / Team plan buttons. This is mainly to help streamline this process so that users can upgrade their existing organizations, and prevent confusions where users end up creating new paid organizations instead.

PR: https://github.com/supabase/supabase/pull/28942

Link: https://supabase.com/pricing

UI improvements around credit card billing information

Screenshot 2024-08-29 at 12 45 11

The selected payment method on the billing page is easily missed as you'll need to scroll down before finding it. In particular with outstanding invoices, it may not be obvious that the wrong card (or even expired card) might have been selected as the default. As such we now will

  • Indicate which cards are about to expire (within the current month)
  • Indicate which cards have expired
  • Show the selected payment method, along with a quick link to change it on the invoices page

PR: https://github.com/supabase/supabase/pull/28971

Link: https://supabase.com/dashboard/org/_/billing

Set payment method as default when adding a new payment method

Screenshot 2024-08-27 at 17 59 50

When adding a new payment method, we have now added a checkbox to set the card as default which is toggled on by default. This should resolve a UX issue whereby customers needed to explicitly set the card as default in a separate manual step after adding it.

PR: https://github.com/supabase/supabase/pull/28921

Link: https://supabase.com/dashboard/org/_/billing

Choose which schemas to share with OpenAI

This mainly applies to wherever the Supabase AI assistant is present in the dashboard (SQL Editor + RLS policies). You can now choose which schemas to share with OpenAI as opposed to sending information from all schemas in hopes to improve the output quality of the assistant by only sharing relevant information for your prompts to the assistant.

Do keep in mind that you'll need to opt in to sending anonymous data to OpenAI prior to doing this šŸ™‚ You may also verify exactly what data is being sent here as well under "Important information regarding opting in"!

PR: https://github.com/supabase/supabase/pull/28594

Link: https://supabase.com/dashboard/project/_/sql/new

Other improvements and bug fixes

General

  • Show which is the last sign in method used on login page (PR)
  • Added 3 new regions to spin up projects from: Ohio, Stockholm, Paris, and Zurich (PR)
  • Commands added for cmd+k to search and open snippets in the SQL Editor (PR)
  • Support pasting image (via Cmd/Ctrl + v) in the feedback widget (PR)
  • Use expanding text area for RLS AI assistant for multi line prompts (PR)

Table Editor

  • Save last selected schema, no longer defaults to public schema (PR)
  • Set the correct schema in the schema selector when opening a table via URL directly (PR)
  • Support exporting table data as SQL seed file (PR)
  • Couple of fixes for bugs around composite foreign keys (PR)
  • Improve display of estimated row count for the table if the table has > 50k rows, to emphasize that it's an estimated count (PR)
  • Spreadsheet import now checks column types from imported spreadsheet (PR)

SQL Editor

  • Fix folder name editing where clicking on the input field toggles the folder (PR)
  • Support opening cell value via right click into a side panel for a more detailed view (PR)

Auth

  • "With check" checkbox is toggled on by default for commands that involve a with check expression (PR)

Storage

  • Support searching and sorting buckets (PR)

Logs Explorer

  • Support copying cell content via context menu (PR)

The SQL Editor got an upgrade this week, finally letting you organize snippets into folders!

  • Favourites and Shared snippets are in folders now
  • Organize Private snippets in folders as you like
  • Share snippets with your team as you could before

Link: https://supabase.com/dashboard/project/_/sql/new PR: https://github.com/supabase/supabase/pull/27881

Other bug fixes and improvements

Project compute size badge

  • See project compute details and upgrade right from the home screen (PR)

SQL Editor

  • Update the SQL Editor AI Assistant model to the latest from OpenAI (PR)

tldr:

  • No changes for Free Plan users
  • Billing for paid plan organizations will be based on provisioned disk rather than used database space:
    • Each project starts with 8 GB disk provisioned by default.
    • The first 8 GB of provisioned disk per project is free, then $0.125 per additional GB.
    • Charges are prorated down to the hour, which is advantageous for short-lived projects and branches.
    • Provisioned disk from Read Replicas will also be included in billing.
    • Enables upcoming features for enhanced control over disk and Postgres parameters.

Timeline

This change will be rolled out to new customers on August 26th, 2024 and will be gradually rolled out to existing customers shortly after.

Changes

We are adjusting our pricing to offer more flexibility and self-serve for developers wanting to tune their disk and Postgres configuration. For example:

  • Some developers want disks with higher throughput
  • Some developers want to store more than 1GB of WAL (for tools like Airbyte/PeerDB, or adding more read replicas)

To make this available we will start billing for provisioned disk size (rather than database space used). Previously, costs associated with WAL files were not directly billed but also users could not control change max_wal_size (default is 1GB).

There is no action needed on your end. You will automatically be transitioned to the new billing model throughout the next couple of weeks. In case there is any change in your monthly bill, we will reach out to you proactively with additional information and give you a grace period to decrease your usage.

For customers on the Free Plan, there will be no changes; the total database space remains capped at 500MB. These adjustments only apply to customers on paid plans. The database disk will continue to autoscale when nearing capacity for paid plan customers.

BeforeAfter (August 26th, 2024)
Price$0.125 / GB$0.000171 / GB-Hr
ChangeWe take the average database space used for all projects, independent of how many days/hours you store the files and sum it up.We will you based on the provisioned disk usage every hour. First 8GB per project are free. Read replicas will also incur disk costs.
Invoice ItemYour invoices display 'Total Database size'.Your invoices will display 'Disk Size GB-Hrs'.

Example 1: Pro plan org, active for whole month

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

Project# Days ActiveAverage Database Space UsedProvisioned DiskAfter: Provisioned Disk Size GB-Hrs
Project A3025 GB40.5 GB29,160 (720 hours * 40.5 GB)
Project B3010 GB27 GB19,440 (720 hours * 27 GB)
Project C305 GB8 GB5,760 (720 hours * 8 GB)
Total40 GB54,360 GB-Hrs

Billing

BeforeAfter
Total Usage40 GB54,360 GB-Hrs
Usage Discount (Pro Plan)(8 GB)(17,280 GB-Hrs - first 8 GB per project included)
Billable Usage32 GB37,080 GB-Hrs
Price$0.125 / GB$0.000171 / GB-Hr
Total Cost$4.00$6.43

Example 2: Pro plan org, active for part of the month

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

Project# Days ActiveAverage Database Space UsedProvisioned DiskAfter: Provisioned Disk Size GB-Hrs
Project A309 GB12 GB8,640 (720 hours * 12 GB)
Project B159 GB12 GB4,320 (360 hours * 12 GB)
Project C29 GB12 GB576 (48 hours * 12 GB)
Total27 GB13,536 GB-Hrs

Billing

BeforeAfter
Total Usage27 GB13,536 GB-Hrs
Usage Discount (Pro Plan)(8 GB)(9,024 - first 8 GB per project included)
Billable Usage19 GB4,512 GB-Hrs
Price$0.125 / GB$0.000171 / GB-Hr
Total Cost$2.38$0.77

Where do I see my disk size?

You can see your projectā€™s disk size in your database settings (Project Settings > Database).

Screenshot 2024-07-25 at 09 36 09

How can I resize my disk down?

Your disk size is based on your database space usage. As a first step, you need to identify current database space usage and reduce it. To see your current database space usage, head over to the built-in ā€œDatabaseā€ project report. Once you have reduced your database space and want to reduce your provisioned disk, you can upgrade your Postgres version through your project settings to automatically rightsize your disk. For further information around disk management and reducing database space, please refer to our docs.

Is this going to affect my monthly bill?

If your current disk size is >8GB, this is likely going to impact you. Note that this will be gradually rolled out and you will be notified about the concrete impact on your organization and given a 3-month grace period, which gives you time to right-size your disk and minimize the impact of this change.

Further to earlier discussions, the threshold for transitioning large databases to use physical backups for their daily backups is being lowered to 15GB in the next few days.

Physical backups are more performant, have lower impact on the db, and avoid holding locks for long periods of time. Restores continue to work as expected, but backups taken using this method can no longer be downloaded from the dashboard.

Over the next few months, we'll be introducing functionality to restore to a separate, new database, allowing for the perusal of the backed up data without disruption to the original project.

Please refer to supabase.com/docs/guides/platform/backups#daily-backups-process for additional details.

Currently, usage data on the invoice breakdown and organization usage page has a 24-hour delay. Starting from August 26th, the usage data will have no more of 1 hour delay for new customers. Afterwards, the changes will be rolled out to existing customer gradually. We're also working on additional improvements to provide better usage insights.

Screenshot 2024-07-31 at 21 06 58

Additionally, we are revamping invoices to provide more detailed breakdowns of usage for enhanced transparency. Due to our new proration of project add-ons and storage down to the hour, you may notice slight variances in your monthly bill. For the majority of line items, youā€™ll see the project reference and usage on the invoice, which should make it clearer which project allocated the usage/costs.

A few examples:

Compute Hours is broken down per project and the compute credits ($10) is displayed as discount for the compute line item.

Screenshot 2024-08-08 at 20 34 47

Egress is broken down to each project and displays included quota (250GB) and over-age pricing ($0.09/GB)

Screenshot 2024-08-08 at 20 34 57

Realtime Messages line item shows package-based pricing with $2.50 per million.

Screenshot 2024-08-08 at 20 35 26

Moving to hourly usage-based billing for IPv4, Custom Domain and Point-in-time recovery

Weā€™re moving to billing all project add-ons usage-based and prorated down to the hour at the end of your billing cycle. We're not altering the monthly prices.


Timeline

This change will be rolled out to new customers on August 26th, 2024 and will be gradually rolled out to existing customers shortly after.


Changes

BeforeAfter (August 26th, 2024)
Custom Domain$10 / month$0.0137 / hour
IPv4$4 / month / database$0.0055 / hour / database
Point-in-time Recovery - 7 Days$100 / month$0.137 / hour
Point-in-time Recovery - 14 Days$200 / month$0.274 / hour
Point-in-time Recovery - 28 Days$400 / month$0.55 / hour
ChangeProject add-ons are paid upfront. Every time you change an add-on, you immediately pay for remaining time or get credits for unused time. Each change triggers an additional invoice.We bill you at the end of your billing cycle for the hours youā€™ve used the project add-ons. No in-between charges, credit prorations or additional invoices.
Invoice ItemYour invoices display 'Add-on Name'.Your invoices will display 'Add-on Name Hours'.

Details

We're updating how we bill project add-ons (IPv4, Point-in-time recovery, Custom Domain) without changing their monthly prices. This change will be rolled out on August 26th, 2024 for new customers and shortly after for existing customers.

Previously, when you added a project add-on, like IPv4 or PITR, you were immediately invoiced and charged for the remaining billing cycle period. At the start of a new cycle, you paid upfront for the entire month. If you removed an add-on mid-cycle, you received a credit for unused time.

Starting August 26th, you will be billed retrospectively for these add-ons, similar to Compute Hours. There are no more upfront charges, prorated invoices, or credits. You simply pay for the exact hours you use the project add-ons.

Plans (Pro/Team/Enterprise) are still charged upfront and there are no changes to how they are billed.

Hourly Billing for Storage

Weā€™re moving to more granular billing periods. We're not altering the prices or storage quotas. Every customer will benefit from this change, especially short-lived projects and customers using Branching.

Timeline

This change will be rolled out to new customers on August 26th, 2024 and will be gradually rolled out to existing customers shortly after.

Changes

The price will move to "GB per hour" instead of "Total storage GB":

BeforeAfter (August 26th, 2024)
Price$0.021 / GB$0.00002919 / GB / hour
ChangeWe take the average storage size for all projects, independent of how many days/hours you store the files.We bill you only for the exact GBs used each hour.
Invoice ItemYour invoices display 'Total storage size'.Your invoices will display 'Storage Size GB-Hrs'.

Let's step through 2 scenarios to explain how this change will benefit developers:




Example 1: Pro Plan Org, active for the full month

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

The projects are running for the entire month:

Storage# Days ActiveActive Hours (After)
Project A200 GB30144,000 (720 hours * 200 GB)
Project B1,500 GB301,080,000 (720 hours * 1,500 GB)
Project C2,500 GB301,800,000 (720 hours * 2,500 GB)
----
Total4,200 GB3,024,000 hours

Billing

After the billing changes on August 26th there would be no change in pricing:

BeforeAfter
Total Usage4,200 GB3,024,000 hours
Usage Discount (Pro Plan)(100 GB)(74,400 hours)
Billable Usage4,100 GB2,949,600 hours
---
Price$0.021 / GB$0.00002919 / GB / hour
Total Cost$86.10$86.10



Example 2: Pro Plan Org, active for part of the month

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

In this scenario, some of the projects are only active for a few days in the month:

Storage# Days ActiveAfter: GB Hours
Project A200 GB29,600 (48 hours * 200 GB)
Project B1,500 GB15540,000 (360 hours * 1,500 GB)
Project C2,500 GB301,800,000 (720 hours * 2,500 GB)
----
Total4,200 GB2,349,600 hours

Billing

Currently we charge you for the full 4,200 GB, even though Project A and B werenā€™t active for the entire month. After August 26th, this scenario will be 22.87% cheaper:

BeforeAfter
Total Usage4,200 GB2,349,600 hours
Usage Discount (Pro Plan)(100 GB)(74,400 hours)
Billable Usage4,100 GB2,275,200 hours
---
Price$0.021 / GB$0.00002919 / GB / hour
Total Cost$86.10$66.41



Feedback

This change should be universally beneficial, but if there is anything that we have missed just let us know and we will make sure we consider it before rolling out this change.

WebAssembly Foreign Data Wrapper (Wasm FDW) is now on public alpha from Wrappers version >= 0.4.1. This release also contains two new Wasm FDWs: Snowflake and Paddle.

What is Wasm FDW?

In previous versions of Wrappers, all the foreign data wrappers need to be built into wrappers extension. The develop/test/release cycle is time consuming and fully on Supabase teams. To speed up this process and give more flexibility to community, we're adding Wasm to the Wrappers framework. With this new feature, users can build their own FDW using Wasm and use it instantly on Supabase platform.

Another benefit is because of the improved modularity, each FDW can be updated and loaded individually. New FDWs release will be quicker than before. Also, wrappers extension size won't be bloated as more FDWs added in.

What are the changes?

There is no changes from end-users' perspective, all existing native FDWs are still same. The Wasm FDW only brings a new way of developing and distributing FDW.

How to use it?

Visit Database -> Platform -> Wrappers on Supabase Studio, enable Wrappers and choose Snowflake or Paddle, then create foreign tables.

Visit Snowflake Wasm FDW docs or Paddle Wasm FDW docs for more details.

How to develop my own Wasm FDW?

To build your own Wasm FDW, visit the example project to get started.

We have several updates and new features to share with you this month. Dive in to see whatā€™s new from Supabase.

Edge Runtime Inspector Feature (CLI)

Weā€™ve introduced the Edge Runtime Inspector, a powerful new feature in the CLI that helps you inspect and debug edge functions more efficiently. Pull Request

View and Abort Running Queries (Supabase Studio)

You can now view and abort queries currently running on your database (primary or replica) in the Supabase Studio SQL Editor. This feature gives you greater control and flexibility in managing your queries. Pull Request

Logging Integration With The ELK Stack

The Logflare to Elastic filebeat backend has been merged. This integration enables log drains to ELK stacks, providing more robust logging and monitoring capabilities. Documentation

Interpreting Supabase Grafana I/O Charts

We have published a guide on how to use the Supabase I/O charts to identify when you may need to scale your database, optimize your queries, or spin up a read replica. Github Discussion

Breaking Change to Supabase Platform Access Control

On July 26, 2024, Supabase will be making breaking changes to our platformā€™s access control system. Developer and Read-Only roles will no longer have write access to an organizationā€™s GitHub and Vercel integrations. These changes will not affect existing integrations that are in place. Github Discussion

Change to Retention of Paused Free Tier Projects

Starting June 24, 2024, paused Free Tier projects are restorable for 90 days. There is a grace period where all paused projects will continue to be restorable until September 22, 2024. Github Discussion

Billing Improvements

Weā€™ve made significant improvements to our billing system to help you better understand compute pricing. These changes aim to prevent unexpected charges and provide clarity on ā€œCompute Hours.ā€ Github Discussion

Quick product announcements

[Edge Functions] Weā€™ve implemented some key updates to Edge Functions, including adding Deno 1.43 support [Github Discussion]

New Engineering and Troubleshooting Guides

Made with Supabase

  • Dribble - Flutter NBA name guess game available for iOS and Android [Website]
  • EvalHub - an open-source platform for researchers to discover AI evaluation metrics [Website]
  • SVGPS - Removes the burden of working with a cluster of SVG files by converting your icons into a single JSON file [Website]
  • CleanCoffee - Lean coffee discussion utility where you can create boards and share with friends [Website]
  • Rewritebar - Improve your writing in any macOS application with AI assistance. Quickly correct grammar mistakes, change writing styles or translate text [Website]

Community highlights

  • Building a Basic Social Network with Remix and Supabase [YouTube]
  • Next Level Supabase Techniques For Your Production App! [YouTube]
  • Building a Local-First React Native App with PowerSync and Supabase [YouTube]
  • Build a Fullstack Job Portal App with Next.js 14, Tailwind, Supabase, Stripe, Clerk [YouTube]
  • Generate Vector Tiles with PostGIS [Blog] [YouTube]

Supabase HTTP APIs are no longer using DigiCert as the root CA. This should have no impact on the vast majority of environments, as the other CAs in use are essentially universally trusted.

If your client environment only trusts certificates signed by DigiCert, you could be impacted. We're currently using Cloudflare to serve our HTTP APIs, and recommend ensuring that any client environment that only trusts a specific subset of CAs trusts all of the CAs Cloudflare uses.

In an effort to simplify pricing, we are going to remove usage-based billing for the number of Edge Functions in your projects. Instead, we are going for a bigger quota across all plans at no extra costs. We picked the limits to ensure all customers are benefiting from this change.

Free Plan customers can now create 25 instead of 10 functions without the need to upgrade to a paid Plan.

Free PlanPro PlanTeam PlanĀ Enterprise Plan
Before10 included100 included, then $10 per additional 100100 included, then $10 per additional 100Custom
After25 included500 included1000 includedUnlimited

This change is effective immediately and in case you were previously exceeding the number of included functions on a paid Plan, you will no longer be charged for it.

These breaking changes are rolling out on July 26, 2024 and affects all organizations that have members assigned either the Developer or Read-Only roles.

All Supabase organizations invite users and assign them to one of the following roles as part of membership to an organization:

  • Owner
  • Administrator
  • Developer
  • Read-Only (available only on Team and Enterprise plans).

Depending on the role, members are authorized to access a specific set of the organization's resources, such as permission to create a new project or change the billing email.

We recently re-evaluated the access that the Developer and Read-Only roles have and decided to implement changes to restrict them on a couple of resources to improve your organizations' security.

On July 26, 2024, we will turn off certain access that the Developer and Read-Only roles currently have to your organization's resources. The following table is to illustrate the breaking changes that will be going into effect:

ResourceActionDeveloperRead-Only
Integrations1
Authorize GitHub-āœ…Ā ā†’ āŒāœ…Ā ā†’ āŒ
Add GitHub Repositories-āœ…Ā ā†’ āŒāœ…Ā ā†’ āŒ
GitHub ConnectionsDeleteāœ…Ā ā†’ āŒāŒ2
Vercel ConnectionsUpdateāœ…Ā ā†’ āŒāŒ2
Deleteāœ…Ā ā†’ āŒāŒ2

You can learn more about our Platform Access Control here: https://supabase.com/docs/guides/platform/access-control.

If you have any questions or concerns please contact support.

Footnotes

  1. Existing integrations will continue to work. ā†©

  2. Role's permission to the resource and action will remain the same. ā†© ā†©2 ā†©3

Option to use a dedicated api schema for your project

By default, the public schema is used to generate API routes for your database. In some cases, it's better to use a custom schema - this is important if you use tools that generate tables in the public schema to prevent accidental exposure of your data.

The dashboard supports this workflow through 2 options: either at the project creation step under "Security Options", or in the project's API settings after your project has been created. More information about this workflow in our documentation here!

Link: https://supabase.com/dashboard/project/_/settings/api

PR: https://github.com/supabase/supabase/pull/27918

Other bug fixes and improvements

SQL Editor

  • Text area under AI assistant is now expandable for better UX with multi-line prompts (PR)

Database

  • Added placeholder for function body editor section to hint the syntax if language selected is plpgsql (PR)

Logs Explorer

  • Fixed logs explorer placeholder query for local set up (PR)

Supabase support for Postgres 13 is being deprecated as of 15th July 2024, and support for it will be fully removed on 15th November 2024.

All Postgres 13 projects should be upgraded to Postgres 15 before 15th November, 2024.

Any projects still on Postgres 13 after the 15th of November 2024 will be automatically upgraded to Postgres 15. If any Postgres extensions or functions are in use that cause the upgrade process to fail, a backup will be taken instead, and the project will be paused.

Postgres 15 comes with numerous features, bug fixes and performance improvements. Check out the announcement blog posts to find out what each version introduces.

Deprecation Timeline

  • 15th July: All users are notified via email about Postgres 13 Deprecation. Users can self-serve upgrade to Postgres 15 from our dashboard.
  • 30th September: Users are reminded of impending deprecation via email.
  • 30th October: Users are sent a final email reminder.
  • 15th November: Any remaining projects on PG13 start getting migrated to PG15 (or paused, if there are upgrade issues).

Option to disable Data API when creating projects

Screenshot 2024-06-24 at 6 58 14ā€ÆPM

You can now opt to disable the Data API when creating a new project under a section called "Advanced Options", such that you will only be able to connect to your database via connection string. Note that this setting can be subsequently updated again in the project's API settings if and when you want to connect your project via the client libraries.

PR: https://github.com/supabase/supabase/pull/26809

Link: https://supabase.com/dashboard/new/_

Authorization for Realtime is now available!

You can now control client access to Realtime Broadcast and Presence by adding Row Level Security policies to the realtime.messages table! Read more about through our documentation here!

PR: https://github.com/supabase/supabase/pull/27362

Link: https://supabase.com/dashboard/project/_/realtime/inspector\

Optimizations for table editor row count query

image

Previously, the Table Editor on the dashboard would run a select count(*) from table query to retrieve the number of rows in the table and display it in the editor (this also supports the pagination logic as well). However, understandably this query can be resource intensive and expensive if the table in question is particularly large. As such, we've chucked some optimizations around this logic to only retrieve the exact row count if the table has less than 50k rows, otherwise we'll retrieve an estimate of the row count instead. You'll still be able to get the exact row count but on demand instead.

PR: https://github.com/supabase/supabase/pull/27612

Link: https://supabase.com/dashboard/project/_/editor

Support showing all entity types in the database/tables page

PR: https://github.com/supabase/supabase/pull/27749

Link: https://supabase.com/dashboard/project/_/database/tables

Other improvements and bug fixes

General

  • More granular project statuses for pausing and restoration (PR)
  • Support filtering projects by status (either active or paused) (PR)

Account

  • Added instructions on how to change your email for your account (PR)

Storage

  • Fix uploading a folder to the storage explorer causes all files to be uploaded in a flat list with the folder name prefixed to the file name (PR)

Table Editor

  • Optimized table editor select query when cutting off column values (PR)

SQL Editor

  • Added labels and grid to SQL editor charts (PR)

Greater clarity on costs when creating new projects

Screenshot 2024-06-14 at 17 06 16

One of our bigger papercuts in terms of billing is customers not understand compute pricing and that they cannot launch unlimited projects for $25 in total per month. Customers also get confused with "Compute Hours" on their bill. The changes aim to alleviate any "surprise" compute charges and serves as kaizen improvement.

Changes involved are only applicable to paid plan organizations, as it's irrelevant for free plan organizations.

PR: https://github.com/supabase/supabase/pull/27268

Link: https://supabase.com/dashboard/new/_

Address Table Editor "resorting" of rows when rows are updated and no active sorts applied

If you've tried updating a table via the Table Editor without an active sort in place, you'd have noticed that the rows seem to re-sort themselves, specifically the row that you were updating. While this is because rows are returned in an unspecified order without a sort clause from the select query, it certainly must've been a confusing UX. We've alleviated this problem by setting a default sort by clause when reading the table via the Table Editor, which will get overriden once you've set a sort via the UI.

PR: https://github.com/supabase/supabase/pull/27097

Link: https://supabase.com/dashboard/project/_/editor

Other improvements and bug fixes

General

  • Greater granularity in project statuses, specifically for when project is restoring, when restoring failed and when pausing failed (PR)

Database

  • Table searching is now case in-sensitive (PR)
  • Add duplicate table CTA (Similar to the Table Editor) (PR)

SQL Editor

  • Auto limit fix for when SQL query has "fetch first n rows only" (PR)
  • Preserve whitespace in results (PR)

Query Performance

  • Support index advisor for queries from Postgrest (PR)

Org Billing

  • Users can now only manage a single tax ID instead of multiple (PR)

This only impacts projects on the Free Plan because projects in any of the paid plans cannot be paused.

Beginning June 24, 2024, we're updating some project pause/restore behavior:

  • paused Free projects are restorable for 90 days following their pause date
  • any Free projects paused before June 24 will be able to restore at any point before September 22, 2024 so they have a full 90 days from when this announcement is made
  • once a project is no longer restorable, the "restore" option is replaced with an option to download the latest logical backup, taken right before the project is paused, and all Storage objects

This change is being made to enable us to maintain high development velocity on the platform. Previously, paused projects could be restored indefinitely. That creates the need for the platform to remain fully backwards compatible with outdated versions of Postgres and associated extensions. The update allows us to provide a reasonable pause/restore window while gaining the ability to evolve the platform.

Supabase Edge Runtime version 1.54 is compatible with Deno 1.43.

Supabase's hosted platform was upgraded to use this release when serving Edge Functions starting today.

If you're using Supabase CLI for local development latest stable release 1.176.10, it adds compatibility for Deno 1.43.

How do I find which version of Edge Runtime I'm running?

Supabase CLI (local)

When you run supabase functions serve, it should show the current version of Edge Runtime used (and its Deno compatibility)


_10
> supabase functions serve
_10
_10
Setting up Edge Functions runtime...
_10
Serving functions on http://127.0.0.1:54321/functions/v1/<function-name>
_10
Using supabase-edge-runtime-1.54.2 (compatible with Deno v1.43.0)

Hosted Platform

You can check the served_by field in log events to see which Edge Runtime version was used to serve your function .

We try our best to maintain backward compatibility in these upgrades. If you're experiencing any issues, please feel free to make a support request

Supabase underwent Consolidation Monthā„¢ to focus on initiatives that improve the stability, scalability, and security of our products. We also have exciting product announcements that we canā€™t wait to share. Letā€™s dive in!

Consolidation Monthā„¢

We kicked off Consolidation Month (no itā€™s not actually trademarked) during the month of May. During this time, every product team within Supabase addressed outstanding performance and stability issues of existing features. Hereā€™s a small subset of initiatives and product announcements as part of Consolidation Month:

Auth Launches @supabase/ssr for Better SSR Framework Support

The newly released @supabase/ssr package improves cookie management, developer experience, and handling of edge cases in various SSR and CSR contexts. Weā€™ve added extensive testing to prevent issues that users experienced with the @supabase/auth-helpers package.

Announcement

pgvector v0.7.0 Release Features Significant Performance Improvements

pgvector v0.7.0 introduced float16 vectors that further improve HNSW build times by 30% while reducing shared memory and disk space by 50% when both index and underlying table use 16-bit float. The latest version also adds sparse and bit vectors as well as L1, Hamming, and Jaccard distance functions.

Announcement

Edge Functions Improves Memory Handling

The Edge Functions team has significantly reduced the error rate for functions encountering memory issues by implementing better safeguards. This has greatly minimized errors with the 502 status code. Additionally, status codes and limits are now documented separately.

Status Codes | Limits

Dashboard Supports Bigger Workloads as Projects Grow

The Supabase Dashboard is now better equipped to handle your projects, regardless of their size. We have implemented sensible defaults for the amount of data rendered and returned in the Table and SQL Editors to prevent browser performance issues while maintaining a snappy user experience.

Announcement

Realtime Standardizes Error Codes

Realtime now emits standardized error codes, providing descriptions of their meanings and suggested actions. This enhancement improves your error-handling code and helps to narrow down whether the issue lies with the database, Realtime service, or client error.

Realtime Error Codes

RLS AI Assistant v2

Weā€™ve improved the prompt and output of our RLS AI Assistant by including best practices found in our RLS docs and upgrading to OpenAIā€™s newest GPT-4o. Weā€™ve also introduced numerous test scenarios to make sure youā€™re getting the right security and performance recommendations by comparing parsed SQL with the help of pg_query.

Pull Request

Quick product announcements

  • [Functions] JSR modules are supported in Edge Functions & Edge Runtime [Announcement]

  • [Functions] Debug Edge Functions with Chrome DevTools [Docs]

  • [Functions] Use HonoJS web Framework with Edge Functions [Docs]

  • [Analytics] Log Drains is in Private Alpha [Announcement]

  • [Realtime] Realtime Authorization Early Access [Announcement]

  • [Docs] SQL to PostgREST API Translator [Docs]

  • [Client libs] Supabase JavaScript SDK Sentry Integration now supports Sentry SDK v8 [Commit]

Made with Supabase

  • GroupUp - organize social gatherings to hang out with friends [Website]
  • HabitKit - track habits, view daily progress, and stay motivated as you work towards your goals [Website]
  • Meteron AI - LLM and generative AI metering, load-balancing and storage [Website]
  • EQMonitor - An app that displays and notifies earthquake information in Japan [Website]
  • GitAuto - AI software engineer that writes, reads, and creates pull requests [Website]
  • GenPPT - Free AI powerpoint presentation generator to help you create beautiful slides in minutes [Website]

Community highlights

  • Make your queries 43,240x faster [Video]
  • Exploring Support Tooling at Supabase: A Dive into SLA Buddy [Article]
  • FlutterFlow SuperApp Complex Template : Developing Feed with Supabase [Video]
  • How We Use Supabase in Betashares Direct [Video]
  • AI Assistant to Chat with Supabase Database [Video]
  • How to use wrappers in Supabase [Video]
  • Build Realtime Apps with Next.js and Supabase [Video]
  • SvelteKit & Supabase Project Build [Video]
  • Next.js 14 x Supabase ā€” Build a Team component using shadcn [Article]
  • Create a Real Time Chat App with Supabase and Angular [Article]

This discussion was created from the release Developer Updates - May 2024.

You might be wondering what we've been up to the past few weeks when we'd usually have some cadence in our weekly updates with our GitHub discussion updates - the team at Supabase had decided to commit to a month of consolidation by putting our efforts into each of the following pillars: Alerting, Testing, and Scaling. Let's jump right in to see what this means for the Dashboard! šŸ’ŖšŸ»

šŸšØĀ Alerts: Enabling proactive resolution to issues that users run into

We want to find out about bugs before you do. In an effort to lower the time between deploying a bug and fixing it, weā€™ve set up some alerts that will enable us to be more proactively catch bugs, in particular for show-stopping problems (e.g that awful ā€œA client side exception has occurredā€ screen)!

  • Added alerts for critical points of failures (PR) This includes any errors that will completely prevent you from using the Supabase dashboard.
  • Added alerts for full page client crash events with a custom error boundary (PR) Having a custom error boundary also allows us to potentially provide contextual hints/resolutions to the problem faced, such as what we did in this PR.

šŸ› ļøĀ Testing: Identifying and covering critical points of failure

We believe in ensuring that minimally our critical paths are covered by tests as opposed to ensuring our dashboard has 100% test coverage. Anything that might completely block our users from doing what they need to do should be caught as much as possible before reaching production.

  • Moved to Vitest + Integrating packages to make writing tests easier (PR) Weā€™ve revamped our current test set up to use Vitest instead of Jest and have integrated Mock Service Workers (MSW) and next-router-mock. These are all to support writing better tests easier, and also to reduce the amount of configuration we need to set up the tests.
  • Expanded on Playwright for E2E tests (PR) We previously had a couple of Playwright tests written over in our tests repository that weā€™ve decided to shift over to our main repository. Weā€™re also in the midst of writing more tests and making them public

šŸ“ˆĀ Scaling: Supporting bigger workloads as the project grows

The dashboard should be able to keep up with your projects, no matter how big they grow - and even if unable to, it should never block you, or leave you feeling confused. This effort involved several solutions: gracefully failing if unable to handle large workloads, better observability, or even just better error handling to allow our users to self-service most errors. We were able to get improvements out for several common issues. Check out each individual PR for more information šŸ˜„

  • Rendering large column data within the Table Editor (PR) Weā€™re now limiting rendering each text/JSON based column data in the table editor at a max of 10kB when initially viewing the table, which should alleviate browser performance issues when rendering tables with large row data. You may load the entire column data on demand instead.
  • Handling large results within the SQL editor (PR) A limit parameter will now be added as a suffix to select queries that are run in the SQL editor, which should prevent the browser performance from degrading when trying to query too much data. The limit parameter can be optionally removed if your intention might be to pull data in greater quantity.
  • View ongoing queries in the SQL editor and support terminating them (PR) This came in response to a user who accidentally ran a large query through the SQL editor which ended up in the API request timing out, giving the impression that the query stopped running when in fact it was still running on the database in the background. This should help surface such problems and give the tooling required to abort erroneous queries.
  • Contextual errors when something goes wrong (PR) While the attached PR was more of a POC, this is the direction we want to move towards to by providing contextual information and suggest possible resolutions whenever users run into an error

Of course consolidation is not a one time event, but an ongoing effort that our team is committing to in parallel to shipping new and exciting features. We hope that as our users, you will all be able to benefit from this with less blockers to keep you from building cool stuff šŸ™‚

As always, if you have any feedback for us - we're just a message away through the feedback widget to the top right corner of the dashboard! We're always listening šŸ‘‚šŸ» (as in reading šŸ‘€).

Go here for latest update

Hey everyone,

I'm Stojan a member of the Supabase Auth team, bringing some updates about what's next with @supabase/ssr. This is the recommended package that helps you use the Supabase JavaScript client with SSR frameworks such as NextJS, Remix, SvelteKit and others.

We've been quite busy recently gathering feedback, reviewing common complaints and bugs with the package, and using it in the popular SSR frameworks. We've identified a few areas needing improvement and we've already started implementing them.

The package is still on major version 0, indicating its beta status. We plan to move it to major version 1 in the coming months making it the preferred way of using the Supabase JavaScript library in your favorite SSR framework.

First, we'll extract @supabase/ssr's code from the auth-helpers repository into its own. Weā€™re doing this because:

  • @supabase/auth-helpers-x (like for NextJS) is no longer supported by the team, as we expect people to move to @supabase/ssr.
  • It's no longer about "auth-helpers," but rather about how you can most effectively and ergonomically use the Supabase Client in various SSR and CSR contexts.
  • A standalone repo makes it easier for the community to contribute and for us to track issues.

We're going to release a fairly ground-up reimplementation of the package. This should come as version 0.4.0 around mid-June. We've received a lot of signal in the past months from developers and the community about possible improvements for developer ergonomics and better handling for edge cases.

The reason for this change is because @supabase/ssr is really just a thin layer for cookie management on top of @supabase/supabase-js. We've identified some improvements that reduce odd and difficult-to-diagnose behavior. The new implementation will boast over 90% test coverage, including testing for issues that weā€™ve seen commonly reported so far.

As part of the new implementation, we are changing the API. The old API will be deprecated when we reach v1.0.0. This is to ensure the best possible experience for both developers and users. For most use cases and happy paths, the deprecated API will continue working during the phase-out, but we encourage switching as soon as possible. Once we release v1.0.0, major version 0 will no longer be maintained.

The change in the API is quite simple, so hereā€™s an example of how it will look like. Instead of defining three cookie access methods get, set and remove like so:


_13
createServerClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
_13
cookies: {
_13
get: async (name) => {
_13
// ...
_13
},
_13
set: async(name, value, options) => {
_13
// ...
_13
},
_13
remove: async(name) => {
_13
// ...
_13
}
_13
}
_13
})

You would need to define two ā€” getAll and setAll cookie access methods like so:


_10
createServerClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
_10
cookies: {
_10
getAll: async() => {
_10
// return all cookies you have access to
_10
},
_10
setAll: async(cookiesToSet: { name: string; value: string; options: CookieOptions; }[]) => {
_10
// set the cookies exactly as they appear in the cookiesToSet array
_10
}
_10
}
_10
})

Note that for createBrowserClient nothing needs to be done in most cases, it automatically works with the document.cookie API.

The change should be trivial for most SSR frameworks, and we'll be sure to update the guides to instruct you on how to change your code into this new way of accessing cookies.

Thanks for all your feedback! Feel free to ask any questions below!

Log drains is currently private alpha, and is available for Teams and Enterprise customers. We are still firming up the pricing and documentation, however it will likely involve a flat fee and variable egress usage. This will be announced separately through official channels.

We will be supporting Datadog as our initial provider.

The following destinations are in the works:

  1. Elastic/Filebeat
  2. Syslog

We are currently onboarding interested customers manually, so please fill out this form to get started: https://forms.supabase.com/logdrains.

We've released a fix to the deployment instructions for the supabase-grafana monitoring application.

If you're ingesting the metrics endpoint into your pre-existing managed infrastructure without using the supabase-grafana app, this change does not affect you. If you're running the supabase-grafana app using the docker-compose mechanism, you are also not affected.

Fly applications launched off the repository between December 10, 2023, and May 16, 2024 are impacted, and will experience:

  • Fly application being shut down after periods of inactivity of a few minutes (default Fly.io behaviour)
  • Historical data will not be persisted after such a shutdown

The fix to the deployment instructions ensures that a persistent volume is created to store the data on, which prevents loss in case of a machine shutdown or restart. Additionally, autoshutdown behaviour is disabled, in order to prevent the app from being paused due to inactivity.

In order to fix an existing, already deployed Fly application, you can edit its configuration to disable auto_stop_machines, and create a persistent volume, and mount it at /data (similar to the updated deployment instructions). Please note that as the newly created persistent volume will be empty to start, any existing metrics data will not be preserved as part of this change. If doing so is necessary, you can initially mount it at a separate path, copy the data over, and finally mount it at /data.

If you need further help, please reach out to Support via https://supabase.help

Conversational AI assistant in the SQL Editor

This was previously behind a feature flag but we're now making this available by default, which will replace the existing single prompt UI that you saw previously at the top of the SQL editor. Once again, thank you all so much for the feedback that you've left us - we really appreciate them and they definitely do help in guiding us towards the ideal dashboard experience for everyone. šŸ™‚šŸ™

We're also aware that the feature preview functionality is missing in the local set up - rest assured we're looking into it and hope to get a fix out soon for everyone!

PR: https://github.com/supabase/supabase/pull/23142

Link: https://supabase.com/dashboard/project/_/sql

A step towards slightly more contextual error messages

A topic that came up in one of our discussions internally was regarding self-serviceability, and we realised that our error messages could do a much better job than just informing users what the error is about - especially when their errors from Postgres directly and the messages could be slightly cryptic for those not familiar with Postgres (yet šŸ˜‰). The PR linked here is just a small idea and example for what we plan to do with error messages in the future, by giving users more context about the errors like possible solutions and links to relevant documentation. Hopefully this will make using the dashboard slightly more easier šŸ™‚

PR: https://github.com/supabase/supabase/pull/23135

Link: https://supabase.com/dashboard/project/_/editor

Other improvements and bug fixes

Branching

  • Disable branch reset while branch is initializing (PR)

Database

  • Allow searching for schema and tables when creating indexes (PR)
  • Allow SQL language for writing database functions (PR)

Hereā€™s everything we shipped during our GA week:

Day 1 - Supabase is officially launching into General Availability (GA)

Supabase has moved to General Availability (GA) with over 1 million databases under management and over 2,500 databases launched daily. Weā€™ve been production ready for years and now we are fully confident that we can help every customer become successful, from weekend projects to enterprise initiatives at organizations like Mozilla, 1Password, and PwC.

Full announcement | Video announcement | X space

Day 2 - Supabase Functions now supports AI models

Supabase Functions has added a native API that makes it easy to run AI models within your functions while removing nasty cold starts. You can use the gte-small embedding model to generate text embeddings or bring your own Ollama server to tap into many more embedding models and Large Language Models (LLMs) like Llama3 and Mistral. Soon weā€™ll provide hosted Ollama servers so you wonā€™t have to manage them yourselves for a more seamless experience.

Blog post | Video announcement | X space

Day 3 - Supabase Auth now supports Anonymous sign-ins

Supabase Auth heard your requests and went to work building anonymous sign-ins which enable you to create temporary users that have yet to sign up for your application. This lowers the friction for visitors to use your application while making it easy to convert them to permanent users once theyā€™re hooked.

Blog post | Video announcement | X space

Day 4 - Supabase Storage now supports the S3 protocol

Supabase Storage already has standard and resumable uploads and now supports the industry standard S3 protocol enabling multipart upload and compatibility with a myriad of tools such as AWS CLI, Clickhouse, and Airbyte for a wide array of use cases.

Blog post | Video announcement | X space

Day 5 - Supabase Security & Performance Advisor

Supabase has managed over 1 million databases over the last four years and has seen all manner of use cases with common pitfalls that weā€™re helping our customers address with our Security, Performance, and Index Advisors. These Advisors will help to surface and fix insecure database configurations and recommend database and query optimizations to keep your database secure and performant for your mission critical workloads.

Blog post | Video announcement | X space

GA Week Hackathon Winners

We are delighted that so many high quality projects were submitted but in the end there could only be one Best Overall Project. The decision wasnā€™t easy but the Supabase panel of judges chose vdbs (vision database SQL) for the honorific. Congratulations šŸ‘ to @xavimonp who will receive the prize of Apple AirPods.

Full list of winners | All the submissions

One more thing from GA Week

Just kidding, thereā€™s always more than one. Hereā€™s more awesome things we shipped:

Community Highlights

  • Changing Databases 5 Times in 48 Hours Boosted Our Launch to 35,000 Views [Article]
  • Crazy new Supabase feature: Understand and learn about anonymous users [Video]
  • Support unstructured data in Postgres with JSON columns [Video]
  • Build an AI-powered blogging platform (Next.js, Langchain & CopilotKit) [Article]
  • How to Secure Your Supabase Database and Storage [Blog post]
  • Self-host Protomaps PMTiles onĀ Supabase Storage [Video]
  • Supabase Realtime - How to deal with multiplayers in Next.js [Blog post]
  • The Hard Parts of Building an Application, Made Easy with Supabase [Article]

This discussion was created from the release Developer Updates - April 2024.

You can now use JSR packages in your Edge Functions. JSR is a modern package registry for JavaScript and TypeScript created by the Deno team. With JSR support, you can use the latest versions of popular Deno packages like Oak.

How to use:


_10
import { Application } from "jsr:@oak/oak/application";
_10
import { Router } from "jsr:@oak/oak/router";

For local development, you will need to update Supabase CLI for the version v1.166.1 or above.

Edge Functions also supports using NPM and deno.land/x packages. If you are already using them, no changes are needed.

Other improvements and bug fixes

We've been focusing on improving existing features on the dashboard and fixing some issues over the past week, so while we've got nothing shiny to shout out about, here's still a list of things that we've shipped! šŸ™‚ As always, feel free to let us know if there's something that you guys really want to see in the dashboard - we'll see how we can make it happen šŸ˜‰

General

  • Feedback widget will not clear its contents when closing until explicitly cleared or submitted [PR]

Table Editor

  • Reinstate link button for foreign keys in table editor side panel [PR]
  • Fix creating foreign key on new column after changing column's name [PR]

SQL Editor

  • Set column width of results to be relative to column content length [PR]

Authentication

  • Added Create policy CTA under each table for convenience [PR]

Storage

  • Added file size validation against project's upload limit when uploading files in dashboard [PR]

Database

  • Query performance: Fix searching via role and query [PR]
  • Query performance: Add db inspect docs link for visibility to aid in helping identify potential Postgres issues [PR]
  • Enumerated types: clean up form field when reopening create enumerated type panel [PR]
  • Tables: Add ellipses to table descriptions to prevent odd wrapping for long descriptions [PR]

March Beta 2021

Apr 6, 2021

Launch week, Storage, Supabase CLI, Connection Pooling, Supabase UI, and Pricing. Here's what we released last month.

This is also available as a blog post and a video demo.

Supabase Storage

Need to store images, audio, and video clips? Well now you can do it onĀ SupabaseĀ Storage. It's backed by S3 and our newĀ OSS storage APIĀ written in Fastify and Typescript. Read the full blog post.

Connection Pooling

TheĀ SupabaseĀ API already handles Connection Pooling, but if you're connecting to your database directly (for example, with Prisma) we nowĀ bundle PgBouncer. Read the full blog post.

React UI Component Library

We open sourced our internal UI component library, so that anyone can use and contribute to theĀ SupabaseĀ aesthetic. It lives atĀ ui.supabase.ioĀ . It was also the #1 Product of the Day on Product Hunt.

CLI

Now you can runĀ SupabaseĀ locally in the terminal with supabaseĀ start. We have done some preliminary work on diff-based schema migrations, and added some new tooling for self-hostingĀ SupabaseĀ with Docker.Ā Blog post here.

OAuth Scopes

Thanks to a comunity contribution (@_mateomorris and @Beamanator), Supabase Auth now includes OAuth scopes. These allow you to request elevated access during login. For example, you may want to request access to a list of Repositories when users log in with GitHub. Check out theĀ Documentation.

Kaizen

  • You can now manage your PostgREST configuration inside the Dashboard.
  • Our website has been redesigned. Check out our new Homepage and Blog, and our new Database, Auth, and Storage product pages.
  • We refactored some of our Filter methods to make them even easier to use. Check out the Full Text Search refactor.
  • We have added several new sections to our Docs including: Local Dev, Self Hosting, and Postgres Reference docs (all still under development).

Supabase is an open source Firebase alternative. We've now been building for one year. Here's what we released last month.

This is also available as a blog post and a video demo.

Dashboard Sidebars

We've improved the UX of our Dashboard with sidebars in every section, including the Table view, the Auth section, and the SQL Editor.

SQL Autocomplete

Writing SQL just got 10x easier. We added autocomplete to the SQL editor, including table & column suggestions.

Auth Redirects

Redirect your users to specific route within your site on signIn() and signUp().

Redirect your users after sign up

Learning Resources

We've released a new Resources section in our docs, as well as two new Auth modules: GoTrue Overview and Google OAuth.

New Region

Launch your database in South Africa.

Kaizen

New year, new features. We've been busy at Supabase during January and our community has been even busier. Here's a few things you'll find interesting.

This is also available as a blog post and a video demo.

Count functionality

Anyone who has worked with Firebase long enough has become frustrated over the lack of count functionality. This isn't a problem with PostgreSQL! Our libraries now have support for PostgREST's exact, planned, and estimated counts. A massive thanks to @dshukertjr for this adding support to our client library.

New Auth Providers

We enabled 2 new Auth providers - Facebook and Azure. Thanks to @Levet for the Azure plugin, and once again to Netlify's amazing work with GoTrue to implement Facebook.

Auth Audit Trail

We have exposed the audit trail directly in the dashboard, as well as the GoTrue logs. Great for security and debugging.

Auth UI widget

In case our Auth endpoints aren't easy enough already, we've built a React Auth Widget for you to drop into your app and to get up-and-running in minutes.

New auth.email() function

We added a helper function for extracting the logged in user's email address.

New Regions

Launch your database in London or Sydney!

Launch your database in London or Sydney

Copy rows as Markdown

You can now copy SQL results as Markdown - super useful for adding to blogs and issues.

React server components

If you're excited by React Server components then check out the Supabase + Server Components experimental repo. https://github.com/supabase/next-server-components

Learn

We know that Auth can be a bit daunting when you're just starting out, so we have created some intro videos to get you up to speed in no time:

Kaizen

  • Performance: We migrated all of our subdomains to Route53, implementing custom Let's Encrypt certs for your APIs. As a result, our read benchmarks are measuring up 12% faster.
  • Performance: We upgrade your databases to the new GP3 storage for faster and more consistent throughput.

Build in a weekend, scale to millions