Impact of changes to Data API access on new Supabase projects

Hi Kevin,

Starting May 30, new Supabase projects will not expose tables in the "public" schema to the Data API by default. Any table you create in "public" after that date requires an explicit GRANT before supabase-js, PostgREST, or GraphQL can access it.

How to tell if you’re affected

We detected 1 project(s) in your account that use the Data API.

You are affected if:

Your app uses the Data API (supabase-js, client libraries, or direct HTTP to "/rest/v1/" or "/graphql/v1/") Your migrations or provisioning scripts create tables in "public" without explicit grants

You are not affected if:

Your app connects to Postgres only via a direct connection string (psql, ORMs, or an app server) Existing tables keep their current grants. This change applies to new tables in new projects from May 30, and all existing projects from October 30.

What to do

For new tables you want to expose via the Data API, make explicit grants part of your table-creation flow. Without an explicit GRANT, a role will not have access to the created table.

-- Grant access per role grant select on public.your_table to anon;

grant select, insert, update, delete on public.your_table to authenticated;

grant select, insert, update, delete on public.your_table to service_role;

-- Enable RLS alter table public.your_table enable row level security;

-- Add policies create policy "users can read their own rows" on public.your_table for select to authenticated using (auth.uid() = user_id); If a grant is missing, PostgREST returns a "42501" error with the exact GRANT statement to fix it.

Rollout dates

May 30, 2026: Default for all new projects October 30, 2026: Enforced on all existing projects

Learn more about this change

Use the Security Advisor in your dashboard to review any existing tables.

If you have any questions, please reach out via our support portal.

The team at Supabase