Changelog

What's Changing?#

The week of July 6, 2026, the default self-hosted Supabase configuration for API_EXTERNAL_URL will change to include the /auth/v1 path prefix:

• API_EXTERNAL_URL will default to http://localhost:8000/auth/v1 (previously http://localhost:8000)
• GOTRUE_JWT_ISSUER in docker-compose.yml will change to ${API_EXTERNAL_URL} (the actual URL will stay unchanged)
• OAuth redirect configuration placeholders in docker-compose.yml will become ${API_EXTERNAL_URL}/callback
• The API gateway routes for SAML SSO move from /sso/saml/* to /auth/v1/sso/saml/*, so SAML ACS and metadata endpoints become …/auth/v1/sso/saml/acs and …/auth/v1/sso/saml/metadata

This aligns self-hosted Supabase with the platform behavior, and the CLI.

Why?#

• Consistency across deployments. API_EXTERNAL_URL behaves identically on platform, self-hosted, and CLI.
• Custom OAuth providers work out of the box. GoTrue builds custom-provider callback URLs as API_EXTERNAL_URL + /callback. With the prefix now in the base URL, that resolves to …/auth/v1/callback and matches the existing API gateway route.
• SAML aligns with the /auth/v1 convention used by every other auth endpoint, rather than living at a bare /sso/saml/* path.
• The docs become accurate. The guidance that "your callback URL is built from API_EXTERNAL_URL" is now literally true, instead of relying on the /auth/v1 prefix being manually prepended in the compose file.

Am I Affected?#

You are affected if you run self-hosted Supabase from the ./docker directory and pull updates from master, and any of the following apply:

• You've overridden API_EXTERNAL_URL in your .env (e.g. https://my-domain.com) - you'll need to change it to https://my-domain.com/auth/v1.
• You maintain a customized docker-compose.yml with OAuth providers - the redirect URIs change from ${API_EXTERNAL_URL}/auth/v1/callback to ${API_EXTERNAL_URL}/callback to avoid a doubled /auth/v1 prefix.
• You use SAML SSO - your IdP points at the old /sso/saml/* endpoints and must be updated to /auth/v1/sso/saml/*. This is the main breaking case.

You are not affected if you:

• Use the Supabase platform
• Have OAuth providers registered with Google/GitHub/etc. - the final callback URL is unchanged (…/auth/v1/callback), so no re-registration in the provider's developer console is needed
• Don't use SAML SSO and pull the new docker-compose.yml and .env.example together without local changes - the defaults stay consistent

What Should I Do?#

If you pull the updated docker-compose.yml and .env.example together with no customizations, no action is required unless you use SAML SSO.

If you've customized API_EXTERNAL_URL:

1. Append /auth/v1 to your value (e.g. https://my-domain.com → https://my-domain.com/auth/v1)
2. If your override file sets OAuth redirect URIs, change them from ${API_EXTERNAL_URL}/auth/v1/callback to ${API_EXTERNAL_URL}/callback
3. Restart the stack

If you use SAML SSO:

1. Pull the updated docker-compose.yml (or update your Kong and Envoy routes to /auth/v1/sso/saml/acs and /auth/v1/sso/saml/metadata)
2. Restart the stack
3. Re-fetch your service provider metadata from {API_EXTERNAL_URL}/auth/v1/sso/saml/metadata and update your IdP (ACS URL, SP entity ID) with the new endpoints
4. See the self-hosted SAML SSO guide

If you'd rather defer: keep your existing API_EXTERNAL_URL without the /auth/v1 suffix and retain your current OAuth/SAML configuration. This is a default change, not a removal - but we recommend aligning soon, since custom OAuth providers won't work without it.

Rollout#

Realtime Broadcast can now send and receive binary payloads in addition to JSON. This lets you broadcast compact binary data without the overhead of JSON encoding.

Binary payloads are supported across every way you send a Broadcast message: the client libraries (over WebSocket), the REST API, and directly from your database.

When to use binary payloads#

Binary shines whenever your data is numeric, high-frequency or densely packed. In these cases JSON's textual encoding adds significant overhead.

• Sensor and telemetry streams. Connected devices emit steady streams of numeric readings. These can be temperature, accelerometer values, GPS coordinates, battery levels, etc. They can be packed into fixed-width binary fields, where a reading that takes 20–30 characters as JSON text fits in just a few bytes across thousands of devices.
• Screenshot and presentation streaming. A presenter or support agent shares a live view by broadcasting periodic image frames (JPEG/PNG) to viewers. Each frame is transient and inherently binary, so there's no need for durable storage and no reason to pay the base64 tax. Just send the image bytes straight to everyone watching.

Usage#

Client libraries (WebSocket)#

Pass an ArrayBuffer/ArrayBufferView (Uint8Array for example) or the equivalent in non-JS SDKs as the payload.

REST API#

Single-message endpoint where Content-Type selects application/json vs application/octet-stream. channel.httpSend() from JS.

Database#

realtime.send_binary() with a bytea payload.

Minimum versions#

• WebSocket (supabase-js): 2.91.0
• WebSocket (supabase-swift): 2.44.0
• REST API through httpSend (supabase-js): 2.107.0
• Realtime server version: 2.103.2

We are in the process of adding support to binary payloads across all SDKs.

⚠️ Binary payloads sent to clients on older SDK versions (or SDKs that don't support binary payloads) are silently dropped.

More information can generally be found in the Broadcast page of the Realtime guides.

Here's everything that happened with Supabase in the last month:

Supabase Series F#

Supabase has raised a $500M Series F at a $10B pre-money valuation. It’s led by GIC.

Read the blog →

Multigres 0.1 alpha released#

Multigres is a scalable operating system for Postgres: it holistically manages your Postgres instances and gives you sharding, connection pooling, automatic failover, and backup orchestration. Multigres v0.1 alpha is an open-source-only release. Multigres for Supabase is coming soon.

Read the blog →

Passkey Sign-in for Supabase Auth#

Users can now sign in with biometrics (Face ID, Touch ID, Windows Hello), a device PIN, or a hardware security key. Built on the WebAuthn standard, passkeys are passwordless and phishing-resistant. Supabase Auth stores only the public key for verification, while private key material stays on the user's device. Available to all projects in beta today.

Read the docs →

Supabase is now an official ChatGPT app#

Connect your Supabase projects to ChatGPT and manage your database infrastructure conversationally. The integration includes 29 tools covering SQL execution, schema changes, branching, edge function deployment, and live logs, all without leaving ChatGPT. Works on all Supabase plans with paid ChatGPT plans (Plus, Pro, Team, Enterprise).

Read the blog →

Supabase Plugin for AI Coding Agents#

A single install that gives your AI coding agent everything it needs to build on Supabase. The plugin bundles the Supabase MCP server and agent skills so your agent can query databases, manage migrations, deploy Edge Functions, and follow Supabase and Postgres best practices out of the box. Supports Claude Code, Cursor, Codex, and Gemini CLI.

Read the docs →

Feature preview: Temporary token-based database access#

Grant developers direct database access using Personal Access Tokens with; no passwords required. Project admins assign a specific database role and expiry window (up to 90 days) per user. Revoking project access immediately cuts database access too. Fully supported in branch projects, and available on Postgres 17+.

Join the GitHub discussion →

Quick Product Announcements#

• Guide to securing your app against npm supply-chain attacks. [Docs]
• Supabase client libraries now support traces following the W3C standard, compatible with any compliant tracing SDK including OpenTelemetry, Sentry, Datadog, and Honeycomb. [Docs]
• The Schema Visualizer now supports editing tables directly on the page, making it easier to design your database while viewing the full picture. [Twitter]
• Long text columns can now be expanded in the sidebar to view full content, with support for rendering as Markdown. [Twitter]
• The RLS Tester lets you run queries as another user, see which RLS policy took effect, and test via client libraries with AI-assisted SQL conversion. Enable it from the feature previews section in the dashboard. [Twitter]
• Navigation keyboard shortcuts are available in the dashboard. Press cmd+k and open "Show all keyboard shortcuts" to see the full list. [Twitter]
• pg-delta is a new schema-diffing engine built from scratch at Supabase to handle the full range of Postgres objects, including tables, columns, RLS policies, functions, triggers, indexes, and extensions. [Discussions]
• Logs usage is now metered. Pro and Team plans include 5 GB ingest and 1,000 GB query per month, with overage at $0.50/GB and $0.002/GB, respectively. New organizations may move to the new pricing as early as June; existing organizations begin migrating July 1. [Docs]
• Supabase is now available as a connector on Perplexity Computer. With Supabase as the persistent data layer, Computer can read from and write back to your Postgres tables, keeping state across runs without custom glue code. [Perplexity blog]

Meet the Supabase team#

• Webinar: From scattered tools to workflows that scale: Supabase + Perplexity Computer for Small Businesses. June 25 at 10:00 am PT. [Register]
• Webinar: From shipped app to production-ready insight with Supabase + Hex Agent. July 8 at 9:00am PT. [Register]
• Hangout with the Supabase team during Casual Wednesdays on Discord at 10:00 am PT. [Join]
• DASH by Datadog, June 9-10, New York [Register]
• Figma Config 2026, June 23-25, San Francisco [Register]
• Vercel Ship 26, June 30, New York [Register]

Made with Supabase#

Join our Discord, showcase your app, and maybe you’ll get featured.

• Gather is a simple way to stay connected with your family, friends, and activity groups. [Download]
• 021 helps you make better product decisions with clarity, context, and conviction. [Sign up]
• Nover is the unified visual generation suite that gives designers pixel-perfect precision over every render [Sign up]

Community Highlights#

• supabase-py has crossed 1 million downloads per day on PyPI. [Twitter]
• A developer replaced two years of custom Okta token exchange logic with Supabase's custom OAuth/OIDC provider in 40 minutes. [Reddit]
• The Multigres team used TLA+ to find a silent data-loss bug in pg_rewind that can leave a standby carrying phantom writes after two rapid failovers. The proposed fix embeds a UUIDv7 in each timeline history entry to distinguish independent promotions. [Blog]