Supabase•7mo ago•

3 replies

How to correctly use Service Role Client in Edge Functions with new JWT Signing Keys?

Hey Supabase community!

I'm migrating my project to the new JWT Signing Keys and have disabled the legacy

anon

anon

and

service_role

service_role

keys as recommended. However, I'm running into an issue authenticating my Edge Functions to use the service role client.

1. The Old (Working) Method:

Previously, we used the legacy keys:

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });

We could invoke the function with the

anon-key

anon-key

and it worked perfectly.

2. The New (Not Working) Method:

Now, with the new API Keys enabled, we've updated our configuration:

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};

We configured it to be invocable without JWT as a backend function triggered by a cron job:

# supabase/config.toml
[functions.my-ef]
verify_jwt = false

# supabase/config.toml
[functions.my-ef]
verify_jwt = false

We invoke it directly:

curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'

curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'

The Problem:
The function is invoked, but when

getServiceRoleClient()

getServiceRoleClient()

is called inside it, we get error, because the new

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY

environment variable doesn't seem to be populated in the Edge Function runtime:

Error: Supabase configuration is missing for Service Role Client.

Error: Supabase configuration is missing for Service Role Client.

A test function confirmed that

SUPABASE_SERVICE_ROLE_KEY

SUPABASE_SERVICE_ROLE_KEY

is present in the runtime (though being disabled and invalid), but

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY

is missing.

My Question:

After disabling legacy API keys, what is the correct way to configure and initialize the service role client (

createClient

createClient

) inside an Edge Function? How do we access the new

secret

secret

key from within the Deno runtime?

Thanks!

How to correctly use Service Role Client in Edge Functions with new JWT Signing Keys?

Hey Supabase community!

I'm migrating my project to the new JWT Signing Keys and have disabled the legacy

anon

anon

and

service_role

service_role

keys as recommended. However, I'm running into an issue authenticating my Edge Functions to use the service role client.

1. The Old (Working) Method:

Previously, we used the legacy keys:

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });

We could invoke the function with the

anon-key

anon-key

and it worked perfectly.

2. The New (Not Working) Method:

Now, with the new API Keys enabled, we've updated our configuration:

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};

We configured it to be invocable without JWT as a backend function triggered by a cron job:

# supabase/config.toml
[functions.my-ef]
verify_jwt = false

# supabase/config.toml
[functions.my-ef]
verify_jwt = false

We invoke it directly:

curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'

curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'

The Problem:
The function is invoked, but when

getServiceRoleClient()

getServiceRoleClient()

is called inside it, we get error, because the new

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY

environment variable doesn't seem to be populated in the Edge Function runtime:

Error: Supabase configuration is missing for Service Role Client.

Error: Supabase configuration is missing for Service Role Client.

A test function confirmed that

SUPABASE_SERVICE_ROLE_KEY

SUPABASE_SERVICE_ROLE_KEY

is present in the runtime (though being disabled and invalid), but

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY

is missing.

My Question:

After disabling legacy API keys, what is the correct way to configure and initialize the service role client (

createClient

createClient

) inside an Edge Function? How do we access the new

secret

secret

key from within the Deno runtime?

Thanks!

How to correctly use Service Role Client in Edge Functions with new JWT Signing Keys?

How to correctly use Service Role Client in Edge Functions with new JWT Signing Keys?

Similar Threads

Similar Threads

Similar Threads