Yes, if the request includes the user’s auth token, you can usually extract the JWT from the Authorization header in the Edge Function and verify/decode it with Supabase, then read the user ID (sub). In Supabase functions, a common pattern is creating a client with the request auth header passed through, then calling auth.getUser() instead of manually decoding. For Bruno/Postman, log in once with your dummy user, grab the access token from the auth response/session, and send it as Authorization: Bearer <token> in your function request headers to simulate authenticated calls.
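The "verify, then read sub" step described in the comment above, as an added example that is not part of the original thread. It is a Node.js sketch that assumes an HS256-signed token and a shared secret; the function names, secret and tokens are constructed for illustration. It shows that `sub` is trusted only after the signature and expiry checks pass, which a decode-only approach skips.

```javascript
// Added example: offline sketch of verifying a bearer JWT before trusting its sub claim.
// Assumption: tokens are HS256-signed with a shared secret; all names here are hypothetical.
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (data, secret) => createHmac("sha256", secret).update(data).digest();

// Demo-only helper: mints a constructed token so the example runs offline.
function mintToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(sign(`${head}.${body}`, secret))}`;
}

// Returns the verified user ID (sub), or null if the header does not authenticate anyone.
function userIdFromAuthHeader(authHeader, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader ?? "");
  if (!match) return null;
  const [, head, body, sig] = match;
  try {
    // Pin the algorithm; the token must not choose how it is verified.
    if (JSON.parse(Buffer.from(head, "base64url")).alg !== "HS256") return null;
    const expected = sign(`${head}.${body}`, secret);
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    // Claims are read only after the signature check has passed.
    const claims = JSON.parse(Buffer.from(body, "base64url"));
    if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
    return typeof claims.sub === "string" ? claims.sub : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Constructed sample data (not real credentials).
const SECRET = "constructed-demo-secret";
const NOW = 1_700_000_000;
const good = mintToken({ sub: "user-123", exp: NOW + 3600 }, SECRET);
// Same header and signature, but the payload now claims a different user.
const [goodHead, , goodSig] = good.split(".");
const forgedBody = b64url(JSON.stringify({ sub: "admin-1", exp: NOW + 3600 }));
const forged = [goodHead, forgedBody, goodSig].join(".");
const expired = mintToken({ sub: "user-123", exp: NOW - 1 }, SECRET);
```

In an Edge Function the header value would come from `req.headers.get("Authorization")`.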
Interesting lightweight approach for avoiding signup friction. My main question would be around trust boundaries: how are you verifying that the CloudKit user ID actually belongs to the caller, instead of just trusting a client-sent identifier? The overall flow sounds clean, but identity schemes like this usually get tested at the verification layer more than the storage layer.