Changelog

We’re changing the way API keys work in Supabase to improve your project’s security and developer experience. Refer to the timetable below for key dates and info on actions you may need to take in the future.

This change starts out as early preview and is opt-in. No action necessary until at least 1st November 2025. We strongly encourage you to give the new API keys a try!

What's the change?#

These are the planned changes for the API keys:

• anon and service_role keys remain available for use.
• A single publishable key with the form sb_publishable_... can be used to replace the anon key.
• You can create multiple secret keys with the form sb_secret_.... You can also choose not to have a secret key if you don’t need one. Secret keys replace the service_role key.
• You can disable and re-enable the anon and service_role keys, as needed during the migration period.

Summarized, there are 4 types of API keys that can now be used with Supabase. This chart should illustrate it better:

Timetable#

Why are we doing this?#

Since the start of Supabase, the JWT-based anon and service_role keys were the right trade-off between simplicity and relative security for your project. Unfortunately they pose some real challenges in live applications, especially around rotation and security best practices.

The main reasons for making this change are:

• Tight coupling between the JWT secret (which itself can be compromised, if you mint your own JWTs) and the anon (low privilege), service_role (high privilege), and authenticated (issued by Supabase Auth) Postgres roles.
• Inability to independently rotate each aspect of the keys, without downtime.
• Inability to roll-back an unnecessary or problematic JWT secret rotation.
• Publishing new versions of mobile applications can take days and often weeks in the app review phase with Apple's App Store and Google's Play Store. A forced rotation can cause weeks of downtime for mobile app users.
• Users may continue using desktop, CLI and mobile apps with very old versions, making rotation impossible without a forced version upgrade.
• JWTs had 10-year expiry duration, giving malicious actors more to work with.
• JWTs were self-referential and full of redundant information not necessary for achieving their primary purpose.
• JWTs are large, hard to parse, verify, and manipulate -- leading to insecure logging or bad security practices.
• They were signed with a symmetric JWT secret, preventing future development of Auth features.

Start using the new API keys#

It’s easy to start using the new API keys. You can opt in in the Supabase dashboard. This will create the default publishable key and a single secret API key.

For the most part, you can substitute the sb_publishable_... and sb_secret_... values anywhere you used the anon and service_role keys respectively. They work roughly the same in terms of permissions and data access.

You can initialize any version of the Supabase Client libraries with the new values without any additional changes, and we don't expect any backward compatibility issues.

Key differences to be aware of#

We've redesigned how the Supabase hosted platform deals with API keys with a few key goals:

• Advanced and enterprise-ready security features
• Zero-downtime rotation
• Solid foundations for the introduction of asymmetric JWT support and other Auth features requiring this

To achieve these, the new API keys have some subtle differences from anon and publishable:

• Permission and access control. Secret keys are hidden by default and need to be individually "revealed." Each event appears in your organization's Audit Log.
• Instant revocation. By deleting a secret key it is instantly revoked.
• Forbidden use in a browser. Using a secret key in a browser is no longer possible and will always fail with HTTP 401 Unauthorized.
• Limitation with Realtime: Connections last 24 hours when there’s no signed in user, or when using a secret key. Sign users in to extend connections indefinitely.
• Limitation with Edge Functions: Edge Functions provide the option --no-verify-jwt which means they can be called without knowing any API key. You will need to apply this option to functions you are protecting without it.
• Use of the Authorization header. It is no longer possible to use a publishable or secret key inside the Authorization header — because they are not a JWT. Instead pass in the user’s JWT, or leave the header empty. For backward compatibility, it is only allowed if the value in the header exactly matches the value in the apikey header.

We believe these limitations are minor and not likely to impact even a single-digit percentage of existing customers. Should you find any additional limitation do not hesitate to bring it up in this discussion or via Supabase Support.

Schema Visualizer nodes are now persisted#

This was yet another request that we've commonly heard from everyone and we're taking a first step to making this happen 😄 Position of the nodes will now be stored within local storage so that you won't have to re-position them each time you land on this page. We've also added a button to help arrange the nodes automatically if that might be preferred!

Note that if you add new tables to the schema however, the node positions will be defaulted to a certain position that may overlap with other nodes - we're definitely looking into how we can make that better so that new nodes can be easily identified (and then shifted around to your liking 🙂)

PR: https://github.com/supabase/supabase/pull/29136

Link: https://supabase.com/dashboard/project/_/schemas

Other improvements and bug fixes#

General

• Minor improvements to layouts and buttons to ensure their visibility on smaller screens (PR)
• Fix project status filter on home page to only show active projects if only the active checkbox is checked (PR)

Table Editor

• Fix client crash when creating an empty table with no columns (PR)
• Fix handling of of large JSON / text fields in the side panel text editor (PR)

SQL Editor

• Add client side validation for query size (max 1MB) (PR)
• Couple of fixes around adding a new folder with the same name as an existing one (PR)

Database

• Update Stripe Wrapper with more tables (PR)
• Remove docs button for database extensions that have no documentation yet (PR)

Supabase Edge Runtime version 1.57 is compatible with Deno 1.45.

Supabase's hosted platform was upgraded to use this release when serving Edge Functions starting last week.

If you're using Supabase CLI for local development latest stable release 1.192.5, it adds compatibility for Deno 1.45.

How do I find which version of Edge Runtime I'm running?#

Supabase CLI (local)#

When you run supabase functions serve, it should show the current version of Edge Runtime used (and its Deno compatibility)

Hosted Platform#

You can check the served_by field in log events to see which Edge Runtime version was used to serve your function.

We try our best to maintain backward compatibility in these upgrades. If you're experiencing any issues, please feel free to make a support request

Upgrade your organization directly from our pricing page#

https://github.com/user-attachments/assets/2262d816-0c69-4c58-a6e2-1ce4868122f2

Users who are logged in will now be able to select and upgrade their organization from the pricing page itself when clicking on the Upgrade to Pro / Team plan buttons. This is mainly to help streamline this process so that users can upgrade their existing organizations, and prevent confusions where users end up creating new paid organizations instead.

PR: https://github.com/supabase/supabase/pull/28942

Link: https://supabase.com/pricing

UI improvements around credit card billing information#

The selected payment method on the billing page is easily missed as you'll need to scroll down before finding it. In particular with outstanding invoices, it may not be obvious that the wrong card (or even expired card) might have been selected as the default. As such we now will

• Indicate which cards are about to expire (within the current month)
• Indicate which cards have expired
• Show the selected payment method, along with a quick link to change it on the invoices page

PR: https://github.com/supabase/supabase/pull/28971

Link: https://supabase.com/dashboard/org/_/billing

Set payment method as default when adding a new payment method#

When adding a new payment method, we have now added a checkbox to set the card as default which is toggled on by default. This should resolve a UX issue whereby customers needed to explicitly set the card as default in a separate manual step after adding it.

PR: https://github.com/supabase/supabase/pull/28921

Link: https://supabase.com/dashboard/org/_/billing

Choose which schemas to share with OpenAI#

This mainly applies to wherever the Supabase AI assistant is present in the dashboard (SQL Editor + RLS policies). You can now choose which schemas to share with OpenAI as opposed to sending information from all schemas in hopes to improve the output quality of the assistant by only sharing relevant information for your prompts to the assistant.

Do keep in mind that you'll need to opt in to sending anonymous data to OpenAI prior to doing this 🙂 You may also verify exactly what data is being sent here as well under "Important information regarding opting in"!

PR: https://github.com/supabase/supabase/pull/28594

Link: https://supabase.com/dashboard/project/_/sql/new

Other improvements and bug fixes#

General

• Show which is the last sign in method used on login page (PR)
• Added 3 new regions to spin up projects from: Ohio, Stockholm, Paris, and Zurich (PR)
• Commands added for cmd+k to search and open snippets in the SQL Editor (PR)
• Support pasting image (via Cmd/Ctrl + v) in the feedback widget (PR)
• Use expanding text area for RLS AI assistant for multi line prompts (PR)

Table Editor

• Save last selected schema, no longer defaults to public schema (PR)
• Set the correct schema in the schema selector when opening a table via URL directly (PR)
• Support exporting table data as SQL seed file (PR)
• Couple of fixes for bugs around composite foreign keys (PR)
• Improve display of estimated row count for the table if the table has > 50k rows, to emphasize that it's an estimated count (PR)
• Spreadsheet import now checks column types from imported spreadsheet (PR)

SQL Editor

• Fix folder name editing where clicking on the input field toggles the folder (PR)
• Support opening cell value via right click into a side panel for a more detailed view (PR)

Auth

• "With check" checkbox is toggled on by default for commands that involve a with check expression (PR)

Storage

• Support searching and sorting buckets (PR)

Logs Explorer

• Support copying cell content via context menu (PR)

The SQL Editor got an upgrade this week, finally letting you organize snippets into folders!

• Favourites and Shared snippets are in folders now
• Organize Private snippets in folders as you like
• Share snippets with your team as you could before

Link: https://supabase.com/dashboard/project/_/sql/new PR: https://github.com/supabase/supabase/pull/27881

Other bug fixes and improvements#

Project compute size badge

• See project compute details and upgrade right from the home screen (PR)

SQL Editor

• Update the SQL Editor AI Assistant model to the latest from OpenAI (PR)

tldr:

• No changes for Free Plan users
• Billing for paid plan organizations will be based on provisioned disk rather than used database space:
  • Each project starts with 8 GB disk provisioned by default.
  • The first 8 GB of provisioned disk per project is free, then $0.125 per additional GB.
  • Charges are prorated down to the hour, which is advantageous for short-lived projects and branches.
  • Provisioned disk from Read Replicas will also be included in billing.
  • Enables upcoming features for enhanced control over disk and Postgres parameters.

Timeline

This change will be rolled out to new customers on August 26th, 2024 and will be gradually rolled out to existing customers shortly after.

Changes

We are adjusting our pricing to offer more flexibility and self-serve for developers wanting to tune their disk and Postgres configuration. For example:

• Some developers want disks with higher throughput
• Some developers want to store more than 1GB of WAL (for tools like Airbyte/PeerDB, or adding more read replicas)

To make this available we will start billing for provisioned disk size (rather than database space used). Previously, costs associated with WAL files were not directly billed but also users could not control change max_wal_size (default is 1GB).

There is no action needed on your end. You will automatically be transitioned to the new billing model throughout the next couple of weeks. In case there is any change in your monthly bill, we will reach out to you proactively with additional information and give you a grace period to decrease your usage.

For customers on the Free Plan, there will be no changes; the total database space remains capped at 500MB. These adjustments only apply to customers on paid plans. The database disk will continue to autoscale when nearing capacity for paid plan customers.

Example 1: Pro plan org, active for whole month#

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

Billing

Example 2: Pro plan org, active for part of the month#

In this scenario, an Organization is on the Pro Plan with 3 active projects.

Usage

Billing

Where do I see my disk size?#

You can see your project’s disk size in your database settings (Project Settings > Database).

How can I resize my disk down?#

Your disk size is based on your database space usage. As a first step, you need to identify current database space usage and reduce it. To see your current database space usage, head over to the built-in “Database” project report. Once you have reduced your database space and want to reduce your provisioned disk, you can upgrade your Postgres version through your project settings to automatically rightsize your disk. For further information around disk management and reducing database space, please refer to our docs.

Is this going to affect my monthly bill?#

If your current disk size is >8GB, this is likely going to impact you. Note that this will be gradually rolled out and you will be notified about the concrete impact on your organization and given a 3-month grace period, which gives you time to right-size your disk and minimize the impact of this change.

Further to earlier discussions, the threshold for transitioning large databases to use physical backups for their daily backups is being lowered to 15GB in the next few days.

Physical backups are more performant, have lower impact on the db, and avoid holding locks for long periods of time. Restores continue to work as expected, but backups taken using this method can no longer be downloaded from the dashboard.

Over the next few months, we'll be introducing functionality to restore to a separate, new database, allowing for the perusal of the backed up data without disruption to the original project.

Please refer to supabase.com/docs/guides/platform/backups#daily-backups-process for additional details.

Claim your ticket for Launch Week 12 kicking off August 12 and read on to learn about a number of new features we have to share with you for the month.

Launch Week 12#

Join us August 12-16 for our next Launch Week event. We will be announcing a number of new features and giving away some great swag!

Claim Your Ticket

Disable Data API for Your Project#

You can now disable the Data API when creating a new project with a setting under "Advanced Options". This option bolsters the security of your data by preventing unintentional access from clients. You can change this behavior on an existing project via the project's API Settings.

Custom Schema for Data API#

Your project's Data API exposes the public schema by default, the most commonly used schema, and can lead to unintentional access to your data. Now, you can dictate which custom schema to expose via the Data API for better security and granular control.

Save Money With Hourly Storage Billing#

On August 20, 2024, Supabase is changing billing for Storage from daily to hourly for new customers and gradually rolling it out for existing customers shortly thereafter. There are no billing changes for projects who continue to use Storage for the entire month while projects using Branching or Storage for partial months will see a reduction in their bill.

Deploy More Functions at No Extra Cost#

We have increased the number of Edge Functions across all plans at no extra cost and removed usage-based billing to simplify your bill.

Quick product announcements#

• [Database] Postgres 13 Deprecation Notice [Github Discussion]
• [Auth] Migrate from Auth0 to Supabase Auth [Docs]
• [Branching] You can customize the public environment variable prefix to use any framework [Pull Request]
• [Docs] Supabase docs now feature global navigation bar [Docs]

Made with Supabase#

• Krea - Realtime and interactive image generation in the browser, the easiest way to generate with AI [Website]
• Cheat Layer - The most powerful no-code agent editor on the planet. Learn new RPA concepts to build future-proof agents that are impossible in other RPA tools [Website]
• Udio - Generative music, you can even edit segments of the tracks using AI [Website]
• Pika - The idea-to-video AI platform that sets your creativity in motion. [Website]
• MakePodcast - Effortlessly craft professional podcasts in minutes using AI [Website]

Community Highlights#

• Using Pre-commit Hook to Upload Local Media to Supabase Bucket [blog]
• Build Library Management System Using React, Shadcn/ui, Supabase and React Query From Scratch [Youtube]
• Instagram Clone in React Native: Video, Backend with Supabase & Push Notifications [YouTube]
• It all starts with Postgres (Interview to Paul Copplestone) [YouTube]
• GraphQL Quickstart with Supabase [YouTube]
• 13min High Intensity Postgres Workout (NO REPEATS) [YouTube]

Some Custom Domain project endpoints are currently signed by Let's Encrypt's cross-signed chain.

These endpoints will start being signed by Let's Encrypt self-signed chain starting the 9th of September, 2024. For additional details, please refer to Cloudflare's documentation for this change.

The primary impact of this will be to disrupt traffic from extremely old systems (e.g. Android =< 7.0) that trust the cross-signed chain, but not the self-signed one.

If you are impacted by this, please reach out to https://supabase.help and we can help you migrate to an alternative CA.

Currently, usage data on the invoice breakdown and organization usage page has a 24-hour delay. Starting from August 26th, the usage data will have no more of 1 hour delay for new customers. Afterwards, the changes will be rolled out to existing customer gradually. We're also working on additional improvements to provide better usage insights.

Additionally, we are revamping invoices to provide more detailed breakdowns of usage for enhanced transparency. Due to our new proration of project add-ons and storage down to the hour, you may notice slight variances in your monthly bill. For the majority of line items, you’ll see the project reference and usage on the invoice, which should make it clearer which project allocated the usage/costs.

A few examples:

Compute Hours is broken down per project and the compute credits ($10) is displayed as discount for the compute line item.

Egress is broken down to each project and displays included quota (250GB) and over-age pricing ($0.09/GB)

Realtime Messages line item shows package-based pricing with $2.50 per million.