Starting with pg_graphql 1.6.0 (shipping in new Supabase projects from 2026-06-15), GraphQL introspection is disabled by default.
Who is affected#
- New projects created on or after 2026-06-15 will run pg_graphql 1.6.0+ and have introspection disabled by default.
- Existing projects are not affected unless and until you upgrade pg_graphql to 1.6.0+ (e.g. by upgrading your project's Postgres version). Older projects keep their current behaviour.
What's changing#
Previously, __schema and __type queries worked without any configuration. From 1.6.0, they return an error unless you explicitly opt in:
_10{ "errors": [{ "message": "Unknown field \"__schema\" on type Query" }] }
If your project uses any of the following, you'll need to opt in before relying on introspection:
- Supabase Studio GraphQL explorer (GraphiQL) — uses introspection to display your schema and provide autocomplete
- External GraphiQL or GraphQL Playground
- Apollo DevTools
- Relay compiler
- Code generators (e.g.
graphql-codegen) - Any tool that calls
__schemaor__typedirectly
Regular data queries are not affected. accountCollection, insertIntoAccountCollection, etc. continue to work normally regardless of this setting.
How to opt in#
Run this SQL once per schema you want to expose introspection on:
_10comment on schema public is e'@graphql({"introspection": true})';
If you already have a comment on your schema (e.g. for inflect_names), combine the keys:
_10comment on schema public is e'@graphql({"inflect_names": true, "introspection": true})';
Why this change#
Introspection exposes your full API surface — all types, fields, and relationships — to anyone who can reach the endpoint. Disabling it by default reduces the risk of API enumeration and makes it easier to keep private schemas private.