Temporary access


Your Supabase project supports connecting to the Postgres database using either your Supabase API token (Personal Access Token) or your current dashboard session token (JWT). This is called temporary access, as the authentication tokens can be short-lived and tied directly to a specific Supabase user. Temporary access is disabled by default.

Enabling temporary access only applies to connections to Postgres and Supavisor ("Connection Pooler"); all HTTP APIs offered by Supabase (e.g., PostgREST, Storage, Auth) require authentication tokens specific to the service and are independent of the Supabase platform user(s).

Manage temporary access via the dashboard

The easiest way to manage temporary access is via the "Enable temporary access" settings section on the Database Settings page of the dashboard.

Manage temporary access via the Management API

You can also manage temporary access using the Management API:

# Get your access token from https://supabase.com/dashboard/account/tokens
export SUPABASE_MANAGEMENT_API_TOKEN="your-access-token"
export PROJECT_REF="your-project-ref"

# Get current temporary access status
curl -X GET "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit-access" \
  -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN"

# Enable temporary access
curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit-access" \
  -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "state":"enabled"
  }'

# Disable temporary access
curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit-access" \
  -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "state":"disabled"
  }'

Configure user access

Once temporary access has been enabled, project users must be authorized and mapped to Postgres roles they are allowed to access. Each user can be authorized to "assume" one or more Postgres roles using temporary access.

When a user is authorized to assume a Postgres role, the user's access token (Personal Access Token (PAT) or Scoped PAT) will be used as the password for the Postgres role.

Apply temporary access restrictions

A user's temporary access can also be restricted to a validity period. Once that period ends, the database rejects the connection even if the access token itself is still valid.

IP address restrictions can also be applied, ensuring that temporary access will only be authorized from allowed network ranges (IPv4 and/or IPv6).

Applying restrictions with the Management API

Restrictions can also be applied through the Management API.

# Get your access token from https://supabase.com/dashboard/account/tokens
export SUPABASE_MANAGEMENT_API_TOKEN="your-access-token"
export PROJECT_REF="your-project-ref"

# Restrict temporary access to IPv4 ranges and expiry date
# user_id is the gotrue_id of the user with access to the project
curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit" \
  -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": "00000000-1111-2222-3333-444444444444",
    "user_roles": [
      {
        "role": "postgres",
        "allowed_networks": {
          "allowed_cidrs": [{ "cidr": "176.1.12.1/32" }]
        },
        "expires_at": 1758721065775
      }
    ]
  }'
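
The restriction request above can be generated rather than hand-edited, so that every grant carries a narrow source range and a short expiry. The following is an added example, not part of the Supabase documentation: the function names `jit_payload` and `matches` are hypothetical, and the request body follows the shape shown above. It assumes `expires_at` is Unix epoch milliseconds (inferred from the 13-digit sample value); the 24-hour cap, the lowercase role allowlist and the IPv4-only check are local policy choices.

```shell
# Added example (not Supabase's code): build the body for PUT .../database/jit.
# Assumptions: expires_at is Unix epoch milliseconds (the page's sample value
# has 13 digits); the 24-hour cap and the IPv4-only check are local policy.

NL='
'
matches() {
  case $1 in *"$NL"*) return 1 ;; esac   # multi-line input must not pass on one good line
  printf '%s\n' "$1" | grep -Eq "$2"
}

# jit_payload USER_ID ROLE IPV4_CIDR TTL_HOURS [NOW_EPOCH_SECONDS]
# Prints the JSON body on stdout; prints a reason on stderr and fails otherwise.
jit_payload() (
  user_id=$1 role=$2 cidr=$3 ttl_hours=$4 now=${5:-$(date +%s)}
  fail() { echo "jit_payload: $1" >&2; exit 1; }   # exits the function's subshell only

  matches "$user_id" '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
    || fail "user_id must be a UUID"
  # Conservative allowlist: keeps quotes and backslashes out of the JSON below.
  matches "$role" '^[a-z_][a-z0-9_]*$' || fail "unexpected role name"
  # Coarse syntax check; octet ranges are left to the API.
  matches "$cidr" '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
    || fail "not an IPv4 CIDR"
  # A /0 prefix allows every source address, which defeats the restriction.
  case $cidr in */0) fail "refusing open range $cidr" ;; esac
  matches "$ttl_hours" '^([1-9]|1[0-9]|2[0-4])$' || fail "ttl_hours must be 1..24"
  matches "$now" '^[0-9]+$' || fail "now must be epoch seconds"

  expires_ms=$(( (now + ttl_hours * 3600) * 1000 ))
  printf '{"user_id":"%s","user_roles":[{"role":"%s","allowed_networks":{"allowed_cidrs":[{"cidr":"%s"}]},"expires_at":%s}]}\n' \
    "$user_id" "$role" "$cidr" "$expires_ms"
)

# Usage with the page's endpoint (the UUID is the page's placeholder value):
# body=$(jit_payload 00000000-1111-2222-3333-444444444444 postgres 176.1.12.1/32 8) &&
#   curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit" \
#     -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN" \
#     -H "Content-Type: application/json" -d "$body"
```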

Using temporary access

To log in to the database using temporary access, use your existing connection string and change only the password to the user's API or dashboard token.

For example, if a user has been authorized to assume the postgres role:

psql 'postgres://postgres:sbp_111222333aaabbbccc@db.{project-ref}.supabase.co/postgres'

Since Supabase API tokens can be used, it is also possible to generate API tokens for services you don't want to share your Postgres role password with (for example a GitHub Action). The API token can be configured with an expiry time and temporary access-specific restrictions can also be applied.

Connecting via the shared connection pooler requires the addition of a new connection option. This can be applied either directly in the connection URI or as conninfo (easier to read):

# directly in the URI
psql 'postgres://postgres.{project-ref}:sbp_111222333aaabbbccc@aws-1-us-west-1.pooler.supabase.com:5432/postgres?options=-c%20jit%3don'

# or as a connection info string
psql "host=aws-1-us-west-1.pooler.supabase.com user=postgres.{project-ref} options='-c jit=on'"