S
Supabase2mo ago
john

How to correctly use Service Role Client in Edge Functions with new JWT Signing Keys?

Hey Supabase community! I'm migrating my project to the new JWT Signing Keys and have disabled the legacy anon and service_role keys as recommended. However, I'm running into an issue authenticating my Edge Functions to use the service role client. 1. The Old (Working) Method: Previously, we used the legacy keys: 
export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });
export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });
We could invoke the function with the anon-key and it worked perfectly. 2. The New (Not Working) Method: Now, with the new API Keys enabled, we've updated our configuration: 
export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};
export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};
We configured it to be invocable without JWT as a backend function triggered by a cron job: 
# supabase/config.toml
[functions.my-ef]
verify_jwt = false
# supabase/config.toml
[functions.my-ef]
verify_jwt = false
We invoke it directly: 
curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'
curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'
The Problem: The function is invoked, but when getServiceRoleClient() is called inside it, we get error, because the new SUPABASE_SECRET_KEY environment variable doesn't seem to be populated in the Edge Function runtime: 
Error: Supabase configuration is missing for Service Role Client.
Error: Supabase configuration is missing for Service Role Client.
A test function confirmed that SUPABASE_SERVICE_ROLE_KEY is present in the runtime (though being disabled and invalid), but SUPABASE_SECRET_KEY is missing. My Question: After disabling legacy API keys, what is the correct way to configure and initialize the service role client (createClient) inside an Edge Function? How do we access the new secret key from within the Deno runtime? Thanks!
3 Replies
garyaustin
garyaustin2mo ago
You'll have to wade thru until they show better examples or other users get thru it... https://supabase.com/docs/guides/api/api-keys#known-limitations-and-compatibility-differences Also see mentions of differences here: https://github.com/orgs/supabase/discussions/29260#discussion-7173511
john
johnOP2mo ago
Thank you Gary for the prompt reply. Guess we'll just have to revert to the legacy keys and wait for the updates...
so
so2mo ago
commenting here to follow. similar issue except i'm attempting to create server/client-side clients for the frontend rather than deno. the error i see is: 
Error: Your project's URL and Key are required to create a Supabase client!

Check your Supabase project's API settings to find these values
Error: Your project's URL and Key are required to create a Supabase client!

Check your Supabase project's API settings to find these values
but the documentation says there should be no issues if i simply swap the anon key with the publishable api key :BABA_IS_THINK:

Did you find this page helpful?