Removal of app.settings.jwt_secret from the database

Nov 22, 2024

Introduction

We are removing app.settings.jwt_secret from the postgres database on 2024/11/22.

This setting has previously been available through our PostgREST integration, and could be accessed using current_setting('app.settings.jwt_secret') in SQL.

Why are we doing this?

The jwt_secret can be used to mint new, custom JWTs and is security sensitive. Supabase limits access to the jwt_secret, through both the dashboard and API, to specific roles (owner, admin and developer). Allowing access to this setting directly in the database can allow these restrictions to be bypassed.

What do you need to do?

If you need the jwt_secret, it can be retrieved through the Supabase dashboard.

If you are using the app.settings.jwt_secret in SQL, you will need to update your function to retrieve this value from Vault.


_10
select vault.create_secret('JWT_SECRET', 'app.jwt_secret', 'The jwt secret');
_10
_10
-- retrieve the value, this replaces select current_setting('app.settings.jwt_secret')
_10
select decrypted_secret
_10
from vault.decrypted_secrets
_10
where name = 'app.jwt_secret';
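As an added example (not part of this changelog entry), here is how a SQL helper that used to call current_setting('app.settings.jwt_secret') can be rewritten against the Vault entry named above and restricted to a single role. The function name get_jwt_secret and the choice of service_role as the only caller are assumptions; pick whatever role your function actually needs.

```sql
-- Before (stops working once the setting is removed from the database):
-- create or replace function public.get_jwt_secret() returns text
-- language sql as $$ select current_setting('app.settings.jwt_secret'); $$;

-- After: read the secret from Vault. The function runs as its owner
-- (security definer), so callers do not need select on vault.decrypted_secrets,
-- and search_path is pinned so the vault schema reference cannot be shadowed.
create or replace function public.get_jwt_secret()
returns text
language sql
security definer
set search_path = ''
as $$
  select decrypted_secret
  from vault.decrypted_secrets
  where name = 'app.jwt_secret'   -- name used in the create_secret call above
  limit 1;
$$;

-- Postgres grants execute on a new function to public by default, which would
-- expose the secret to the API roles. Revoke that and grant only the role that
-- needs it (service_role is an assumption for this example).
revoke execute on function public.get_jwt_secret() from public, anon, authenticated;
grant execute on function public.get_jwt_secret() to service_role;
```

Any function that previously read the setting can now call public.get_jwt_secret() instead, and the grants above are the place to check that only the intended role can reach the value.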

Also, please consult the changelog entry for Asymmetric Keys to understand the coming changes to jwt_secret and how keys at Supabase are changing.
