Prepare for the PgBouncer and IPv4 deprecations on 26th January 2024

Home

Initializing

You can initialize a new Supabase client using the create_client() method.

The Supabase client is your entrypoint to the rest of the Supabase functionality and is the easiest way to interact with everything we offer within the Supabase ecosystem.


import os
from supabase import create_client, Client

url: str = os.environ.get("SUPABASE_URL")
key: str = os.environ.get("SUPABASE_KEY")
supabase: Client = create_client(url, key)

Fetch data

  • By default, Supabase projects return a maximum of 1,000 rows. This setting can be changed in your project's API settings. It's recommended that you keep it low to limit the payload size of accidental or malicious requests.
  • apikey is a reserved keyword if you're using the Supabase Platform and should be avoided as a column name.

response = supabase.table('countries').select("*").execute()

Insert data


data, count = supabase.table('countries')
  .insert({"id": 1, "name": "Denmark"})
  .execute()

Update data

  • update() should always be combined with Filters to target the item(s) you wish to update.

data, count = supabase.table('countries')
  .update({'name': 'Australia'})
  .eq('id', 1)
  .execute()

Upsert data

  • Primary keys must be included in the values dict to use upsert.

data, count = supabase.table('countries')
  .upsert({'id': 1, 'name': 'Australia'})
  .execute()

Delete data

  • delete() should always be combined with filters to target the item(s) you wish to delete.
  • If you use delete() with filters and you have RLS enabled, only rows visible through SELECT policies are deleted. Note that by default no rows are visible, so you need at least one SELECT/ALL policy that makes the rows visible.

data, count = supabase.table('countries')
  .delete()
  .eq('id', 1)
  .execute()

Using filters

Filters allow you to only return rows that match certain conditions.

Filters can be used on select(), update(), upsert(), and delete() queries.

If a Postgres function returns a table response, you can also apply filters.


# Correct
data, count = supabase.from('cities')
  .select('name, country_id')
  .eq('name', 'The Shire')
  .execute()

# Incorrect
data, count = supabase.table('cities')
  .eq('name', 'The Shire')
  .select('name, country_id')
  .execute()

Column is equal to a value


data, count = supabase.table('countries')
  .select('*')
  .eq('name', 'Albania')
  .execute()

Column is not equal to a value


  data, count = supabase.table('countries')
    .select('*')
    .neq('name', 'Albania')
    .execute()

Column is greater than a value


data, count = supabase.table('countries')
    .select('*')
    .gt('id', 2)
    .execute()

Column is greater than or equal to a value


data, count = supabase.table('countries')
  .select('*')
  .gte('id', 2)
  .execute()

Column is less than a value


data, count = supabase.table('countries')
  .select('*')
  .lt('id', 2)
  .execute()

Column is less than or equal to a value


data, count = supabase.table('countries')
  .select('*')
  .lte('id', 2)
  .execute()

Column matches a pattern


data, count = supabase.table('countries')
  .select('*')
  .like('name', '%Alba%')
  .execute()

Column matches a case-insensitive pattern


data, count = supabase.table('countries')
    .select('*')
    .ilike('name', '%alba%')
    .execute()

Column is a value


data, count = supabase.table('countries')
  .select('*')
  .is_('name', 'null')
  .execute()

Column is in an array


data, count = supabase.table('countries')
    .select('*')
    .in_('name', ['Albania', 'Algeria'])
    .execute()

Column contains every element in a value


  data, count = supabase.table('issues')
    .select('*')
    .contains('tags', ['is:open', 'priority:low'])
    .execute()

Contained by value


data, count = supabase.table('classes')
  .select('name')
  .contained_by('days', ['monday', 'tuesday', 'wednesday', 'friday'])
  .execute()

Match an associated value


data, count = supabase.table('countries')
    .select('*')
    .match({'id': 2, 'name': 'Albania'})
    .execute()

Don't match the filter


data, count = supabase.table('countries')
    .select('*')
    .not_.is_('name', 'null')
    .execute()

Match the filter

filter() expects you to use the raw PostgREST syntax for the filter values.


data, count = supabase.table('countries')
    .select('*')
    .filter('name', 'in', '("Algeria","Japan")')
    .execute()

Using modifiers

Filters work on the row level—they allow you to return rows that only match certain conditions without changing the shape of the rows. Modifiers are everything that don't fit that definition—allowing you to change the format of the response (e.g., returning a CSV string).

Modifiers must be specified after filters. Some modifiers only apply for queries that return rows (e.g., select() or rpc() on a function that returns a table response).

Order the results


data, count = supabase.table('countries')
  .select('*')
  .order('name', desc=True)
  .execute()

Limit the number of rows returned


data, count = supabase.table('countries')
  .select('*')
  .limit(1)
  .execute()

Retrieve one row of data


data, count = supabase.table('countries')
  .select('name')
  .limit(1)
  .single()
  .execute()

Retrieve zero or one row of data


data, count = supabase.table('countries')
  .select('*')
  .eq('name', 'Albania')
  .maybe_single()
  .execute()

Create a new user

  • By default, the user needs to verify their email address before logging in. To turn this off, disable Confirm email in your project.
  • Confirm email determines if users need to confirm their email address after signing up.
    • If Confirm email is enabled, a user is returned but session is null.
    • If Confirm email is disabled, both a user and a session are returned.
  • By default, when the user confirms their email address, they are redirected to the SITE_URL. You can modify your SITE_URL or add additional redirect URLs in your project.
  • If sign_up() is called for an existing confirmed user:
    • When both Confirm email and Confirm phone (even when phone provider is disabled) are enabled in your project, an obfuscated/fake user object is returned.
    • When either Confirm email or Confirm phone (even when phone provider is disabled) is disabled, the error message, User already registered is returned.
  • To fetch the currently logged-in user, refer to getUser().

res = supabase.auth.sign_up({
  "email": 'example@email.com',
  "password": 'example-password',
})

Sign in a user

  • Requires either an email and password or a phone number and password.

data = supabase.auth.sign_in_with_password({"email": "j0@supabase.io", "password": "testsupabasenow"})

Sign in a user through OTP

  • Requires either an email or phone number.
  • This method is used for passwordless sign-ins where a OTP is sent to the user's email or phone number.
  • If the user doesn't exist, sign_in_with_otp() will signup the user instead. To restrict this behavior, you can set should_create_user in SignInWithPasswordlessCredentials.options to false.
  • If you're using an email, you can configure whether you want the user to receive a magiclink or a OTP.
  • If you're using phone, you can configure whether you want the user to receive a OTP.
  • The magic link's destination URL is determined by the SITE_URL.
  • See redirect URLs and wildcards to add additional redirect URLs to your project.
  • Magic links and OTPs share the same implementation. To send users a one-time code instead of a magic link, modify the magic link email template to include {{ .Token }} instead of {{ .ConfirmationURL }}.

data = supabase.auth.sign_in_with_otp({
  "email": 'example@email.com',
  "options": {
    "email_redirect_to": 'https://example.com/welcome'
  }
})

Sign in a user through OAuth

  • This method is used for signing in using a third-party provider.
  • Supabase supports many different third-party providers.

data = supabase.auth.sign_in_with_oauth({
  "provider": 'github'
})

Sign out a user

  • In order to use the signOut() method, the user needs to be signed in first.

res = supabase.auth.sign_out()

Verify and log in through OTP

  • The verify_otp method takes in different verification types. If a phone number is used, the type can either be sms or phone_change. If an email address is used, the type can be one of the following: signup, magiclink, recovery, invite or email_change.
  • The verification type used should be determined based on the corresponding auth method called before verify_otp to sign up / sign-in a user.

res = supabase.auth.verify_otp(phone, token)

Retrieve a session


res = supabase.auth.get_session()

Retrieve a new session

  • This method will refresh the session whether the current one is expired or not.
  • Both examples destructure user and session from data. This is not required; so const { data, error } = is also valid.

res = supabase.auth.refresh_session()

Retrieve a user

  • This method gets the user object from the current session.
  • Fetches the user object from the database instead of local session.

data = supabase.auth.get_user()

Set the session data

  • setSession() takes in a refresh token and uses it to get a new session.
  • The refresh token can only be used once to obtain a new session.
  • Refresh token rotation is enabled by default on all projects to guard against replay attacks.
  • You can configure the REFRESH_TOKEN_REUSE_INTERVAL which provides a short window in which the same refresh token can be used multiple times in the event of concurrency or offline issues.
  • If you are using React Native, you will need to install a Buffer polyfill via a library such as rn-nodeify to properly use the library.

res = supabase.auth.set_session(access_token, refresh_token)

Auth MFA

This section contains methods commonly used for Multi-Factor Authentication (MFA) and are invoked behind the supabase.auth.mfa namespace.

Currently, we only support time-based one-time password (TOTP) as the 2nd factor. We don't support recovery codes but we allow users to enroll more than 1 TOTP factor, with an upper limit of 10.

Having a 2nd TOTP factor for recovery frees the user of the burden of having to store their recovery codes somewhere. It also reduces the attack surface since multiple recovery codes are usually generated compared to just having 1 backup TOTP factor.

Enroll a factor

  • Currently, totp is the only supported factor_type. The returned id should be used to create a challenge.
  • To create a challenge, see mfa.challenge().
  • To verify a challenge, see mfa.verify().
  • To create and verify a challenge in a single step, see mfa.challenge_and_verify().

res = await supabase.auth.mfa.enroll({
  "factor_type": "totp",
  "friendly_name": "your_friendly_name"
})

Create a challenge


res = await supabase.auth.mfa.challenge({
  "factor_id": '34e770dd-9ff9-416c-87fa-43b31d7ef225'
})

Verify a challenge


res = await supabase.auth.mfa.verify({
  "factor_id": '34e770dd-9ff9-416c-87fa-43b31d7ef225',
  "challenge_id": '4034ae6f-a8ce-4fb5-8ee5-69a5863a7c15',
  "code": '123456'
})

Create and verify a challenge


res = await supabase.auth.mfa.challenge_and_verify({
  "factor_id": '34e770dd-9ff9-416c-87fa-43b31d7ef225',
  "code": '123456'
})

Unenroll a factor


res = await supabase.auth.mfa.unenroll({
  "factor_id": '34e770dd-9ff9-416c-87fa-43b31d7ef225',
})

Get Authenticator Assurance Level

  • Authenticator Assurance Level (AAL) is the measure of the strength of an authentication mechanism.
  • In Supabase, having an AAL of aal1 refers to having the 1st factor of authentication such as an email and password or OAuth sign-in while aal2 refers to the 2nd factor of authentication such as a time-based, one-time-password (TOTP).
  • If the user has a verified factor, the next_level field will return aal2, else, it will return aal1.

res = await supabase.auth.mfa.get_authenticator_assurance_level()

Invokes a Supabase Edge Function.

Invoke a Supabase Function.

  • Requires an Authorization header.
  • When you pass in a body to your function, we automatically attach the Content-Type header for Blob, ArrayBuffer, File, FormData and String. If it doesn't match any of these types we assume the payload is json, serialise it and attach the Content-Type header as application/json. You can override this behaviour by passing in a Content-Type header of your own.

resp = supabase.functions.invoke(
  "hello-world",
  invoke_options={
    "body": { "foo": "bar" }
  },
)

Create a bucket

  • RLS policy permissions required:
    • buckets table permissions: insert
    • objects table permissions: none
  • Refer to the Storage guide on how access control works

res = supabase.storage.create_bucket(name)

Retrieve a bucket

  • RLS policy permissions required:
    • buckets table permissions: select
    • objects table permissions: none
  • Refer to the Storage guide on how access control works

res = supabase.storage.get_bucket(name)

List all buckets

  • RLS policy permissions required:
    • buckets table permissions: select
    • objects table permissions: none
  • Refer to the Storage guide on how access control works

res = supabase.storage.list_buckets()

Delete a bucket

  • RLS policy permissions required:
    • buckets table permissions: select and delete
    • objects table permissions: none
  • Refer to the Storage guide on how access control works

res = supabase.storage.delete_bucket(name)

Empty a bucket

  • RLS policy permissions required:
    • buckets table permissions: select
    • objects table permissions: select and delete
  • Refer to the Storage guide on how access control works

res = supabase.storage.empty_bucket(name)

Upload a file

  • RLS policy permissions required:
    • buckets table permissions: none
    • objects table permissions: insert
  • Refer to the Storage guide on how access control works
  • Please specify the appropriate content MIME type if you are uploading images or audio. If no file_options are specified, the MIME type defaults to text/html.

with open(filepath, 'rb') as f:
    supabase.storage.from_("testbucket").upload(file=f,path=path_on_supastorage, file_options={"content-type": "audio/mpeg"})

Download a file

  • RLS policy permissions required:
    • buckets table permissions: none
    • objects table permissions: select
  • Refer to the Storage guide on how access control works

with open(destination, 'wb+') as f:
  res = supabase.storage.from_('bucket_name').download(source)
  f.write(res)

List all files in a bucket

  • RLS policy permissions required:
    • buckets table permissions: none
    • objects table permissions: select
  • Refer to the Storage guide on how access control works

res = supabase.storage.from_('bucket_name').list()

Replace an existing file

  • RLS policy permissions required:
    • buckets table permissions: none
    • objects table permissions: update and select
  • Refer to the Storage guide on how access control works

with open(filepath, 'rb') as f:
  supabase.storage.from_("bucket_name").update(file=f, path=path_on_supastorage, file_options={"cache-control": "3600", "upsert": "true"})

Move an existing file

  • RLS policy permissions required:
    • buckets table permissions: none
    • objects table permissions: update and select
  • Refer to the Storage guide on how access control works

res = supabase.storage.from_('bucket_name').move('public/avatar1.png', 'private/avatar2.png')

Delete files in a bucket

  • RLS policy permissions required:
    • buckets table permissions: none
    • objects table permissions: delete and select
  • Refer to the Storage guide on how access control works

res = supabase.storage.from_('bucket_name').remove('test.jpg')

Create a signed URL

  • RLS policy permissions required:
    • buckets table permissions: none
    • objects table permissions: select
  • Refer to the Storage guide on how access control works

res = supabase.storage.from_('bucket_name').create_signed_url(filepath, expiry_duration)

Retrieve public URL

  • The bucket needs to be set to public, either via updateBucket() or by going to Storage on supabase.com/dashboard, clicking the overflow menu on a bucket and choosing "Make public"
  • RLS policy permissions required:
    • buckets table permissions: none
    • objects table permissions: none
  • Refer to the Storage guide on how access control works

res = supabase.storage.from_('bucket_name').get_public_url('test/avatar1.jpg')