Changelog

We’re changing the way API keys work in Supabase to improve your project’s security and developer experience. Refer to the timetable below for key dates and info on actions you may need to take in the future.

This change starts out as early preview and is opt-in. No action necessary until at least 1st November 2025. We strongly encourage you to give the new API keys a try!

What's the change?#

These are the planned changes for the API keys:

• anon and service_role keys remain available for use.
• A single publishable key with the form sb_publishable_... can be used to replace the anon key.
• You can create multiple secret keys with the form sb_secret_.... You can also choose not to have a secret key if you don’t need one. Secret keys replace the service_role key.
• You can disable and re-enable the anon and service_role keys, as needed during the migration period.

Summarized, there are 4 types of API keys that can now be used with Supabase. This chart should illustrate it better:

Timetable#

Why are we doing this?#

Since the start of Supabase, the JWT-based anon and service_role keys were the right trade-off between simplicity and relative security for your project. Unfortunately they pose some real challenges in live applications, especially around rotation and security best practices.

The main reasons for making this change are:

• Tight coupling between the JWT secret (which itself can be compromised, if you mint your own JWTs) and the anon (low privilege), service_role (high privilege), and authenticated (issued by Supabase Auth) Postgres roles.
• Inability to independently rotate each aspect of the keys, without downtime.
• Inability to roll-back an unnecessary or problematic JWT secret rotation.
• Publishing new versions of mobile applications can take days and often weeks in the app review phase with Apple's App Store and Google's Play Store. A forced rotation can cause weeks of downtime for mobile app users.
• Users may continue using desktop, CLI and mobile apps with very old versions, making rotation impossible without a forced version upgrade.
• JWTs had 10-year expiry duration, giving malicious actors more to work with.
• JWTs were self-referential and full of redundant information not necessary for achieving their primary purpose.
• JWTs are large, hard to parse, verify, and manipulate -- leading to insecure logging or bad security practices.
• They were signed with a symmetric JWT secret, preventing future development of Auth features.

Start using the new API keys#

It’s easy to start using the new API keys. You can opt in in the Supabase dashboard. This will create the default publishable key and a single secret API key.

For the most part, you can substitute the sb_publishable_... and sb_secret_... values anywhere you used the anon and service_role keys respectively. They work roughly the same in terms of permissions and data access.

You can initialize any version of the Supabase Client libraries with the new values without any additional changes, and we don't expect any backward compatibility issues.

Key differences to be aware of#

We've redesigned how the Supabase hosted platform deals with API keys with a few key goals:

• Advanced and enterprise-ready security features
• Zero-downtime rotation
• Solid foundations for the introduction of asymmetric JWT support and other Auth features requiring this

To achieve these, the new API keys have some subtle differences from anon and publishable:

• Permission and access control. Secret keys are hidden by default and need to be individually "revealed." Each event appears in your organization's Audit Log.
• Instant revocation. By deleting a secret key it is instantly revoked.
• Forbidden use in a browser. Using a secret key in a browser is no longer possible and will always fail with HTTP 401 Unauthorized.
• Limitation with Realtime: Connections last 24 hours when there’s no signed in user, or when using a secret key. Sign users in to extend connections indefinitely.
• Limitation with Edge Functions: Edge Functions provide the option --no-verify-jwt which means they can be called without knowing any API key. You will need to apply this option to functions you are protecting without it.
• Use of the Authorization header. It is no longer possible to use a publishable or secret key inside the Authorization header — because they are not a JWT. Instead pass in the user’s JWT, or leave the header empty. For backward compatibility, it is only allowed if the value in the header exactly matches the value in the apikey header.

We believe these limitations are minor and not likely to impact even a single-digit percentage of existing customers. Should you find any additional limitation do not hesitate to bring it up in this discussion or via Supabase Support.

Schema Visualizer nodes are now persisted#

This was yet another request that we've commonly heard from everyone and we're taking a first step to making this happen 😄 Position of the nodes will now be stored within local storage so that you won't have to re-position them each time you land on this page. We've also added a button to help arrange the nodes automatically if that might be preferred!

Note that if you add new tables to the schema however, the node positions will be defaulted to a certain position that may overlap with other nodes - we're definitely looking into how we can make that better so that new nodes can be easily identified (and then shifted around to your liking 🙂)

PR: https://github.com/supabase/supabase/pull/29136

Link: https://supabase.com/dashboard/project/_/schemas

Other improvements and bug fixes#

General

• Minor improvements to layouts and buttons to ensure their visibility on smaller screens (PR)
• Fix project status filter on home page to only show active projects if only the active checkbox is checked (PR)

Table Editor

• Fix client crash when creating an empty table with no columns (PR)
• Fix handling of of large JSON / text fields in the side panel text editor (PR)

SQL Editor

• Add client side validation for query size (max 1MB) (PR)
• Couple of fixes around adding a new folder with the same name as an existing one (PR)

Database

• Update Stripe Wrapper with more tables (PR)
• Remove docs button for database extensions that have no documentation yet (PR)

Supabase Edge Runtime version 1.57 is compatible with Deno 1.45.

Supabase's hosted platform was upgraded to use this release when serving Edge Functions starting last week.

If you're using Supabase CLI for local development latest stable release 1.192.5, it adds compatibility for Deno 1.45.

How do I find which version of Edge Runtime I'm running?#

Supabase CLI (local)#

When you run supabase functions serve, it should show the current version of Edge Runtime used (and its Deno compatibility)

Hosted Platform#

You can check the served_by field in log events to see which Edge Runtime version was used to serve your function.

We try our best to maintain backward compatibility in these upgrades. If you're experiencing any issues, please feel free to make a support request

Upgrade your organization directly from our pricing page#

https://github.com/user-attachments/assets/2262d816-0c69-4c58-a6e2-1ce4868122f2

Users who are logged in will now be able to select and upgrade their organization from the pricing page itself when clicking on the Upgrade to Pro / Team plan buttons. This is mainly to help streamline this process so that users can upgrade their existing organizations, and prevent confusions where users end up creating new paid organizations instead.

PR: https://github.com/supabase/supabase/pull/28942

Link: https://supabase.com/pricing

UI improvements around credit card billing information#

The selected payment method on the billing page is easily missed as you'll need to scroll down before finding it. In particular with outstanding invoices, it may not be obvious that the wrong card (or even expired card) might have been selected as the default. As such we now will

• Indicate which cards are about to expire (within the current month)
• Indicate which cards have expired
• Show the selected payment method, along with a quick link to change it on the invoices page

PR: https://github.com/supabase/supabase/pull/28971

Link: https://supabase.com/dashboard/org/_/billing

Set payment method as default when adding a new payment method#

When adding a new payment method, we have now added a checkbox to set the card as default which is toggled on by default. This should resolve a UX issue whereby customers needed to explicitly set the card as default in a separate manual step after adding it.

PR: https://github.com/supabase/supabase/pull/28921

Link: https://supabase.com/dashboard/org/_/billing

Choose which schemas to share with OpenAI#

This mainly applies to wherever the Supabase AI assistant is present in the dashboard (SQL Editor + RLS policies). You can now choose which schemas to share with OpenAI as opposed to sending information from all schemas in hopes to improve the output quality of the assistant by only sharing relevant information for your prompts to the assistant.

Do keep in mind that you'll need to opt in to sending anonymous data to OpenAI prior to doing this 🙂 You may also verify exactly what data is being sent here as well under "Important information regarding opting in"!

PR: https://github.com/supabase/supabase/pull/28594

Link: https://supabase.com/dashboard/project/_/sql/new

Other improvements and bug fixes#

General

• Show which is the last sign in method used on login page (PR)
• Added 3 new regions to spin up projects from: Ohio, Stockholm, Paris, and Zurich (PR)
• Commands added for cmd+k to search and open snippets in the SQL Editor (PR)
• Support pasting image (via Cmd/Ctrl + v) in the feedback widget (PR)
• Use expanding text area for RLS AI assistant for multi line prompts (PR)

Table Editor

• Save last selected schema, no longer defaults to public schema (PR)
• Set the correct schema in the schema selector when opening a table via URL directly (PR)
• Support exporting table data as SQL seed file (PR)
• Couple of fixes for bugs around composite foreign keys (PR)
• Improve display of estimated row count for the table if the table has > 50k rows, to emphasize that it's an estimated count (PR)
• Spreadsheet import now checks column types from imported spreadsheet (PR)

SQL Editor

• Fix folder name editing where clicking on the input field toggles the folder (PR)
• Support opening cell value via right click into a side panel for a more detailed view (PR)

Auth

• "With check" checkbox is toggled on by default for commands that involve a with check expression (PR)

Storage

• Support searching and sorting buckets (PR)

Logs Explorer

• Support copying cell content via context menu (PR)

The SQL Editor got an upgrade this week, finally letting you organize snippets into folders!

• Favourites and Shared snippets are in folders now
• Organize Private snippets in folders as you like
• Share snippets with your team as you could before

Link: https://supabase.com/dashboard/project/_/sql/new PR: https://github.com/supabase/supabase/pull/27881

Other bug fixes and improvements#

Project compute size badge

• See project compute details and upgrade right from the home screen (PR)

SQL Editor

• Update the SQL Editor AI Assistant model to the latest from OpenAI (PR)

tldr:

• No changes for Free Plan users
• Billing for paid plan organizations will be based on provisioned disk rather than used database space:
  • Each project starts with 8 GB disk provisioned by default.
  • The first 8 GB of provisioned disk per project is free, then $0.125 per additional GB.
  • Charges are prorated down to the hour, which is advantageous for short-lived projects and branches.
  • Provisioned disk from Read Replicas will also be included in billing.
  • Enables upcoming features for enhanced control over disk and Postgres parameters.

Timeline

This change will be rolled out to new customers on August 26th, 2024 and will be gradually rolled out to existing customers shortly after.

Changes

We are adjusting our pricing to offer more flexibility and self-serve for developers wanting to tune their disk and Postgres configuration. For example:

• Some developers want disks with higher throughput
• Some developers want to store more than 1GB of WAL (for tools like Airbyte/PeerDB, or adding more read replicas)

To make this available we will start billing for provisioned disk size (rather than database space used). Previously, costs associated with WAL files were not directly billed but also users could not control change max_wal_size (default is 1GB).

There is no action needed on your end. You will automatically be transitioned to the new billing model throughout the next couple of weeks. In case there is any change in your monthly bill, we will reach out to you proactively with additional information and give you a grace period to decrease your usage.

For customers on the Free Plan, there will be no changes; the total database space remains capped at 500MB. These adjustments only apply to customers on paid plans. The database disk will continue to autoscale when nearing capacity for paid plan customers.

Example 1: Pro plan org, active for whole month#

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

Billing

Example 2: Pro plan org, active for part of the month#

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

Billing

Where do I see my disk size?#

You can see your project’s disk size in your database settings (Project Settings > Database).

How can I resize my disk down?#

Your disk size is based on your database space usage. As a first step, you need to identify current database space usage and reduce it. To see your current database space usage, head over to the built-in “Database” project report. Once you have reduced your database space and want to reduce your provisioned disk, you can upgrade your Postgres version through your project settings to automatically rightsize your disk. For further information around disk management and reducing database space, please refer to our docs.

Is this going to affect my monthly bill?#

If your current disk size is >8GB, this is likely going to impact you. Note that this will be gradually rolled out and you will be notified about the concrete impact on your organization and given a 3-month grace period, which gives you time to right-size your disk and minimize the impact of this change.

Further to earlier discussions, the threshold for transitioning large databases to use physical backups for their daily backups is being lowered to 15GB in the next few days.

Physical backups are more performant, have lower impact on the db, and avoid holding locks for long periods of time. Restores continue to work as expected, but backups taken using this method can no longer be downloaded from the dashboard.

Over the next few months, we'll be introducing functionality to restore to a separate, new database, allowing for the perusal of the backed up data without disruption to the original project.

Please refer to supabase.com/docs/guides/platform/backups#daily-backups-process for additional details.

Claim your ticket for Launch Week 12 kicking off August 12 and read on to learn about a number of new features we have to share with you for the month.

Launch Week 12#

Join us August 12-16 for our next Launch Week event. We will be announcing a number of new features and giving away some great swag!

Claim Your Ticket

Disable Data API for Your Project#

You can now disable the Data API when creating a new project with a setting under "Advanced Options". This option bolsters the security of your data by preventing unintentional access from clients. You can change this behavior on an existing project via the project's API Settings.

Custom Schema for Data API#

Your project's Data API exposes the public schema by default, the most commonly used schema, and can lead to unintentional access to your data. Now, you can dictate which custom schema to expose via the Data API for better security and granular control.

Save Money With Hourly Storage Billing#

On August 20, 2024, Supabase is changing billing for Storage from daily to hourly for new customers and gradually rolling it out for existing customers shortly thereafter. There are no billing changes for projects who continue to use Storage for the entire month while projects using Branching or Storage for partial months will see a reduction in their bill.

Deploy More Functions at No Extra Cost#

We have increased the number of Edge Functions across all plans at no extra cost and removed usage-based billing to simplify your bill.

Quick product announcements#

• [Database] Postgres 13 Deprecation Notice [Github Discussion]
• [Auth] Migrate from Auth0 to Supabase Auth [Docs]
• [Branching] You can customize the public environment variable prefix to use any framework [Pull Request]
• [Docs] Supabase docs now feature global navigation bar [Docs]

Made with Supabase#

• Krea - Realtime and interactive image generation in the browser, the easiest way to generate with AI [Website]
• Cheat Layer - The most powerful no-code agent editor on the planet. Learn new RPA concepts to build future-proof agents that are impossible in other RPA tools [Website]
• Udio - Generative music, you can even edit segments of the tracks using AI [Website]
• Pika - The idea-to-video AI platform that sets your creativity in motion. [Website]
• MakePodcast - Effortlessly craft professional podcasts in minutes using AI [Website]

Community Highlights#

• Using Pre-commit Hook to Upload Local Media to Supabase Bucket [blog]
• Build Library Management System Using React, Shadcn/ui, Supabase and React Query From Scratch [Youtube]
• Instagram Clone in React Native: Video, Backend with Supabase & Push Notifications [YouTube]
• It all starts with Postgres (Interview to Paul Copplestone) [YouTube]
• GraphQL Quickstart with Supabase [YouTube]
• 13min High Intensity Postgres Workout (NO REPEATS) [YouTube]

Some Custom Domain project endpoints are currently signed by Let's Encrypt's cross-signed chain.

These endpoints will start being signed by Let's Encrypt self-signed chain starting the 9th of September, 2024. For additional details, please refer to Cloudflare's documentation for this change.

The primary impact of this will be to disrupt traffic from extremely old systems (e.g. Android =< 7.0) that trust the cross-signed chain, but not the self-signed one.

If you are impacted by this, please reach out to https://supabase.help and we can help you migrate to an alternative CA.

Currently, usage data on the invoice breakdown and organization usage page has a 24-hour delay. Starting from August 26th, the usage data will have no more of 1 hour delay for new customers. Afterwards, the changes will be rolled out to existing customer gradually. We're also working on additional improvements to provide better usage insights.

Additionally, we are revamping invoices to provide more detailed breakdowns of usage for enhanced transparency. Due to our new proration of project add-ons and storage down to the hour, you may notice slight variances in your monthly bill. For the majority of line items, you’ll see the project reference and usage on the invoice, which should make it clearer which project allocated the usage/costs.

A few examples:

Compute Hours is broken down per project and the compute credits ($10) is displayed as discount for the compute line item.

Egress is broken down to each project and displays included quota (250GB) and over-age pricing ($0.09/GB)

Realtime Messages line item shows package-based pricing with $2.50 per million.

Launch week, Storage, Supabase CLI, Connection Pooling, Supabase UI, and Pricing. Here's what we released last month.

This is also available as a blog post and a video demo.

Supabase Storage#

Need to store images, audio, and video clips? Well now you can do it on Supabase Storage. It's backed by S3 and our new OSS storage API written in Fastify and Typescript. Read the full blog post.

Connection Pooling#

The Supabase API already handles Connection Pooling, but if you're connecting to your database directly (for example, with Prisma) we now bundle PgBouncer. Read the full blog post.

React UI Component Library#

We open sourced our internal UI component library, so that anyone can use and contribute to the Supabase aesthetic. It lives at ui.supabase.io . It was also the #1 Product of the Day on Product Hunt.

CLI#

Now you can run Supabase locally in the terminal with supabase start. We have done some preliminary work on diff-based schema migrations, and added some new tooling for self-hosting Supabase with Docker. Blog post here.

OAuth Scopes#

Thanks to a comunity contribution (@_mateomorris and @Beamanator), Supabase Auth now includes OAuth scopes. These allow you to request elevated access during login. For example, you may want to request access to a list of Repositories when users log in with GitHub. Check out the Documentation.

Kaizen#

• You can now manage your PostgREST configuration inside the Dashboard.
• Our website has been redesigned. Check out our new Homepage and Blog, and our new Database, Auth, and Storage product pages.
• We refactored some of our Filter methods to make them even easier to use. Check out the Full Text Search refactor.
• We have added several new sections to our Docs including: Local Dev, Self Hosting, and Postgres Reference docs (all still under development).

Supabase is an open source Firebase alternative. We've now been building for one year. Here's what we released last month.

This is also available as a blog post and a video demo.

Dashboard Sidebars#

We've improved the UX of our Dashboard with sidebars in every section, including the Table view, the Auth section, and the SQL Editor.

SQL Autocomplete#

Writing SQL just got 10x easier. We added autocomplete to the SQL editor, including table & column suggestions.

Auth Redirects#

Redirect your users to specific route within your site on signIn() and signUp().

Learning Resources#

We've released a new Resources section in our docs, as well as two new Auth modules: GoTrue Overview and Google OAuth.

New Region#

Launch your database in South Africa.

Kaizen#

• We filled up our Examples page with a lot of new content.
• We released a Docker Compose file for running Supabase locally. This will be used in our upcoming CLI.
• We have a couple of pending RFCs which you may want to participate in:
  • Planning our CLI and Local Development
  • Connection Pooling on Supabase

New year, new features. We've been busy at Supabase during January and our community has been even busier. Here's a few things you'll find interesting.

This is also available as a blog post and a video demo.

Count functionality#

Anyone who has worked with Firebase long enough has become frustrated over the lack of count functionality. This isn't a problem with PostgreSQL! Our libraries now have support for PostgREST's exact, planned, and estimated counts. A massive thanks to @dshukertjr for this adding support to our client library.

New Auth Providers#

We enabled 2 new Auth providers - Facebook and Azure. Thanks to @Levet for the Azure plugin, and once again to Netlify's amazing work with GoTrue to implement Facebook.

Auth Audit Trail#

We have exposed the audit trail directly in the dashboard, as well as the GoTrue logs. Great for security and debugging.

Auth UI widget#

In case our Auth endpoints aren't easy enough already, we've built a React Auth Widget for you to drop into your app and to get up-and-running in minutes.

New auth.email() function#

We added a helper function for extracting the logged in user's email address.

New Regions#

Launch your database in London or Sydney!

Copy rows as Markdown#

You can now copy SQL results as Markdown - super useful for adding to blogs and issues.

React server components#

If you're excited by React Server components then check out the Supabase + Server Components experimental repo. https://github.com/supabase/next-server-components

Learn#

We know that Auth can be a bit daunting when you're just starting out, so we have created some intro videos to get you up to speed in no time:

• Supabase Auth Deep Dive Part 1: JWTs
• Supabase Auth Deep Dive Part 2: Restrict Table Access
• Supabase Auth Deep Dive Part 3: User Based Access Policies

Kaizen#

• Performance: We migrated all of our subdomains to Route53, implementing custom Let's Encrypt certs for your APIs. As a result, our read benchmarks are measuring up 12% faster.
• Performance: We upgrade your databases to the new GP3 storage for faster and more consistent throughput.

After 10 hectic months of building, Supabase is now in Beta.

This is also available as a blog post and a video demo.

Supabase is now in Beta#

We spent months working on Performance, Security, and Reliability. Read more on our Beta Page.

Improve your docs inline#

Add comments and descriptions to your Tables directly from our auto-generated docs.

Table View now has realtime changes#

Any updates that happen to your database are reflected in the Table View immediately.

Table Pagination#

Our table view now has pagination - better for working with large data sets.

Supabase raised a Seed Round#

We raised $6M from Y Combinator, Mozilla, and Coatue. You can read more on TechCrunch.

Kaizen#

• Supabase is now 26% faster in regions which support Graviton (1460 reqs/s up from 1167 reqs/s)
• We launched a new region in Sao Paulo.
• Postgres Array Support. You can now edit Native Postgres array items in the grid editor or the side panel.
• We added better support for your custom Database Types.
• Fixed some buggy keyboard commands. We're continuously improving key commands in the Table editor.

We've been building for 9 months now, are we're getting even closer to Beta.

This is also available as a blog post and a video demo.

Add users#

You can now add users manually from your dashboard.

User admin#

You can also perform admin functions on existing users - send password reset emails, magic links, and delete users.

Even more powerful SQL Editor#

Last month we announced an improved SQL Editor, and this month we've taken it even further. The SQL Editor is now a full Monaco editor, like you'd find in VS Code. Build your database directly from the browser.

Status page#

We added a Status Page which tracks the uptime and latency of the Supabase platform.

Kaizen#

• We completed a security audit by DigitalXRAID.
• Email confirmations now enabled by default for signups.
• Updated Benchmarking Suite to include more realistic workloads, on various different servers (results published soon).
• You can now set/edit/remove Foreign Keys via the table editor.