Error updating user: { message: "Invalid API key", hint: "Double check your Supabase `anon` or `serv
Hi!
I am trying to update my user using user's auth token
It is working in local but when I deploy the edge function it is throwing 500 Error with message { message: "Invalid API key", hint: "Double check your Supabase `anon` or `service_role` API key." }
```ts
import { createClient } from "https://esm.sh/@supabase/supabase-js@2";

// Function to create a Supabase client with the auth token - Private
export const createAuthClient = (req: Request) => {
  const authToken = req.headers.get("Authorization")?.split(" ")[1];
  const supabaseUrl = Deno.env.get("SUPABASE_URL") ?? "";
  // The user's JWT is passed here in the apikey position
  return createClient(supabaseUrl, authToken ?? "");
};
```
This is how I am using the user's auth token in order to create a client.
39 Replies
That is not the proper format for createClient.
The apikey has to be anon or service_role and you add the user token in the Authorization header option.
In order to keep it secure
I am using two types of createClient
```ts
import { createClient } from "https://esm.sh/@supabase/supabase-js@2";

// Function to create a Supabase client with the Anon key - Public
export const createAnonClient = () => {
  const supabaseUrl = Deno.env.get("SUPABASE_URL") ?? "";
  const supabaseAnonKey = Deno.env.get("SUPABASE_ANON_KEY") ?? "";
  return createClient(supabaseUrl, supabaseAnonKey);
};

// Function to create a Supabase client with the auth token - Private
export const createAuthClient = (req: Request) => {
  const authToken = req.headers.get("Authorization")?.split(" ")[1];
  const supabaseUrl = Deno.env.get("SUPABASE_URL") ?? "";
  return createClient(supabaseUrl, authToken ?? "");
};
```
As this makes my APIs more secure.
Can you use triple backticks around your code? It is not easy to read.
The apikey has to be the anon key not the user jwt.
You add the user jwt with the header option for createClient.
Integrating With Supabase Auth | Supabase Docs
Supabase Edge Functions and Auth.
But it is working in local
I am an Azure Developer
We have roles in our Auth Token
but in Supabase I am not able to assign roles to the user
It probably does not check the apikey at a gateway like Supabase hosted services.
Ahh I see
but the roles are always authenticated
There is the apikey header and the Authorization header (which defaults to apikey header in the client).
But the gateway at Supabase has to see the anon key or the service_role key in the apikey header.
The link shows the way to do it.
Yes I am doing that in my get APIs
but for my POST APIs I would want to check for role
and 'sub' which is my user uuid
That will be in the Authorization header as 'bearer JWT'.
Not apikey header
So the client I create is based upon the anon key right?
Did you look at the link?
```ts
import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
// Client keyed with the anon key; the user's JWT is passed in the Authorization header
const supabaseClient = createClient(Deno.env.get("SUPABASE_URL") ?? "", Deno.env.get("SUPABASE_ANON_KEY") ?? "", {
  global: { headers: { Authorization: req.headers.get("Authorization")! } },
});
// Get the session or user object
const authHeader = req.headers.get("Authorization")!;
const token = authHeader.replace("Bearer ", "");
const { data: userData } = await supabaseClient.auth.getUser(token);
const { data, error } = await supabaseClient.from("profiles").select("*");
```
Ahhh I see
with these I would get user's client right?

Also I have a question
I know Supabase has REST APIs
but instead can I use Edge functions for all the queries ?
As in Azure I would use Function Apps
PERFECTT
I will test it right now
You can also set global headers with `'Authorization': 'bearer user_jwt'`

That is actually the way I'm used to doing it. The new edge link has changed to do it with getUser()
The main thing is apikey is a key.
Then the session or you setting the Authorization header with a user token is what is used to get 'sub' and other claims.
Perfect!
I will try that
In addition
can I use Edge functions instead of Supabase Rest APIs?
Just like Azure Function Apps?
Really depends on what you are doing. Each has tradeoffs on latency and logic processing.
Edge will add a lot of latency if you are just doing a db operation. If you are doing complex logic and multiple operations .. not so much.
I am an Azure Cloud Architect
And we always make microservices in our company
As Edge functions could easily talk to multiple databases and systems whereas Supabase REST APIs are locked down to one DB
I am new to Supabase
But trying to integrate that in our company
I'm not familiar with Azure. Edge functions have a startup time if cold and then run for a few minutes. They are located close to the user, but not near the database in the general case.
If you just want a row from the db the REST API will be much faster.
It also depends on browser or server calling. Browser has to do CORS so has 2 round trips.
for REST API it would be 2 round trips or for Edge functions?
I do have a meeting with Supabase's Customer Solutions Architect tomorrow
But it is good to know these things before
Edge is two trips from browser but hopefully the edge function is much closer than the db.
Oh I see
thank you for your prompt response!
Ah edge to db is not two trips as CORS is not involved.
Just browser calls
That is good news!!
It is not working
do you know how can I create my own key?
with role
let's say we have 'anon' and we have SUPABASE_ANON_KEY
It has a role of anon
Can I create my own key with own role?
The apikey HAS to be anon or service_role
You need to set the Authorization header to 'bearer user_jwt'
I am setting that
But my client which is getting created is with anon key
but my RLS has policies
it should have apikey to anon
Yes it does have APIKEY to anon now
Show the way you are setting the authorization header.
I'm about out of time tonight also.

Sorry about that

In my edge function
The getUser method also works as that sets the session in the client which will then replace the apikey with your jwt in the Authorization header.
Does that return user data? You could also put the error in there.
You can console.log and see that in the dashboard functions log.
Could also be your call to the edge function is anon versus a user token.
so basically I can use 'data' to query my database right?
getUser if it works sets the session in the supabaseClient object.
Then you use that to call the db.
data should contain the user info if all is working correctly.
In your edge function you would make the DB calls and then return the result.
Okay!!
I will give it a try; if not, we can chat tomorrow
Yes!