How to correctly use Service Role Client in Edge Functions with new JWT Signing Keys?

Hey Supabase community!

I'm migrating my project to the new JWT Signing Keys and have disabled the legacy

anon

anon

anon

anon and

service_role

service_role

keys as recommended. However, I'm running into an issue authenticating my Edge Functions to use the service role client.

The Old (Working) Method:

Previously, we used the legacy keys:

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    ANON_KEY: Deno.env.get("SUPABASE_ANON_KEY")!,
    SERVICE_ROLE_KEY: Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!,
};

createClient(SUPABASE.URL, SUPABASE.SERVICE_ROLE_KEY, { ... });

We could invoke the function with the

anon-key

anon-key

anon-key

anon-key and it worked perfectly.

The New (Not Working) Method:

Now, with the new API Keys enabled, we've updated our configuration:

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};

export const SUPABASE = {
    URL: Deno.env.get("SUPABASE_URL")!,
    PUBLISHABLE_KEY: Deno.env.get("SUPABASE_PUBLISHABLE_KEY")!,
    SECRET_KEY: Deno.env.get("SUPABASE_SECRET_KEY")!,
};

We configured it to be invocable without JWT as a backend function triggered by a cron job:

# supabase/config.toml
[functions.my-ef]
verify_jwt = false

# supabase/config.toml
[functions.my-ef]
verify_jwt = false

# supabase/config.toml
[functions.my-ef]
verify_jwt = false

# supabase/config.toml
[functions.my-ef]
verify_jwt = false

We invoke it directly:

curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'

curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'

curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'

curl -X POST 'https://<project>.supabase.co/functions/v1/my-ef' -H 'Content-Type: application/json'

The Problem:
The function is invoked, but when

getServiceRoleClient()

getServiceRoleClient()

getServiceRoleClient()

getServiceRoleClient() is called inside it, we get error, because the new

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY environment variable doesn't seem to be populated in the Edge Function runtime:

Error: Supabase configuration is missing for Service Role Client.

Error: Supabase configuration is missing for Service Role Client.

Error: Supabase configuration is missing for Service Role Client.

Error: Supabase configuration is missing for Service Role Client.

A test function confirmed that

SUPABASE_SERVICE_ROLE_KEY

SUPABASE_SERVICE_ROLE_KEY

is present in the runtime (though being disabled and invalid), but

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY

SUPABASE_SECRET_KEY is missing.

My Question:

After disabling legacy API keys, what is the correct way to configure and initialize the service role client (

createClient

createClient

) inside an Edge Function? How do we access the new

secret

secret

secret

secret key from within the Deno runtime?

Thanks!

garyaustin•7/22/25, 6:10 PM

You'll have to wade thru until they show better examples or other users get thru it...
https://supabase.com/docs/guides/api/api-keys#known-limitations-and-compatibility-differences
Also see mentions of differences here:
https://github.com/orgs/supabase/discussions/29260#discussion-7173511

johnOP•7/22/25, 6:29 PM

Thank you Gary for the prompt reply. Guess we'll just have to revert to the legacy keys and wait for the updates...

so•7/26/25, 12:58 AM

commenting here to follow.

similar issue except i'm attempting to create server/client-side clients for the frontend rather than deno. the error i see is:

Error: Your project's URL and Key are required to create a Supabase client!

Check your Supabase project's API settings to find these values

Error: Your project's URL and Key are required to create a Supabase client!

Check your Supabase project's API settings to find these values

but the documentation says there should be no issues if i simply swap the anon key with the publishable api key :BABA_IS_THINK:

How to correctly use Service Role Client in Edge Functions with new JWT Signing Keys?

Similar Threads

Similar Threads

Similar Threads