Custom JWT (ES256) works with Realtime but fails on Storage API
I'm minting my own JWTs using ES256 (elliptic curve) with a private key for my Supabase project.
The tokens work perfectly with:
- ✅ PostgREST/Database queries
- ✅ Realtime subscriptions
- ✅ RLS policies using auth.jwt()
But Storage API fails with:
Key for the ES256 algorithm must be one of type CryptoKey, KeyObject, or JSON Web Key. Received an instance of Uint8Array
Same JWT, different services. Seems like Storage has a bug with asymmetric JWT validation. Anyone else experiencing this?
2 Replies
Certainly possible. The Supabase auth JWTs are RS256, so that would be widely tested and supported. Probably should file an issue (or check) in supabase/storage GitHub issues.
GitHub
Custom JWT (ES256) works with Realtime but fails on Storage API · ...
The Supabase Storage API fails to validate JWTs signed with ES256 (Elliptic Curve) algorithm, while the same JWTs work perfectly with PostgREST (database) and Realtime APIs. This appears to be a bu...
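The error text quoted in the question is what a verifier reports when an asymmetric algorithm is paired with raw bytes instead of a key object. The following is an added example, not code from this thread or from Supabase Storage: the `mint` and `verify` helpers and the per-algorithm key map are hypothetical, built only on Node's `node:crypto`, and all keys are constructed throwaway values. It shows the same ES256 token verifying against a public `KeyObject` and being rejected when the verifier holds only `Uint8Array` secret bytes.

```javascript
// Added example: hypothetical helpers on node:crypto, not Supabase Storage code.
const nodeCrypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// Mint a compact JWT. `key`: EC private KeyObject for ES256, secret bytes for HS256.
function mint(alg, claims, key) {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = alg === 'ES256'
    ? nodeCrypto.sign('sha256', Buffer.from(input), { key, dsaEncoding: 'ieee-p1363' })
    : nodeCrypto.createHmac('sha256', key).update(input).digest();
  return `${input}.${b64u(sig)}`;
}

// Verify against a per-algorithm key map such as { ES256: publicKey, HS256: secretBytes }.
function verify(token, keys) {
  const [h, p, s] = token.split('.');
  const { alg } = JSON.parse(fromB64u(h).toString());
  if (alg !== 'ES256' && alg !== 'HS256') throw new Error(`unsupported alg ${alg}`);
  const key = keys[alg];
  if (key === undefined) throw new Error(`no key configured for ${alg}`);
  const input = Buffer.from(`${h}.${p}`);
  const sig = fromB64u(s);
  let ok;
  if (alg === 'ES256') {
    // Raw bytes only make sense as an HMAC secret; ES256 needs a public key object.
    if (!(key instanceof nodeCrypto.KeyObject) || key.type !== 'public') {
      throw new TypeError(`ES256 needs a public KeyObject, received ${key.constructor.name}`);
    }
    ok = nodeCrypto.verify('sha256', input, { key, dsaEncoding: 'ieee-p1363' }, sig);
  } else {
    if (!(key instanceof Uint8Array)) throw new TypeError('HS256 needs secret bytes');
    const mac = nodeCrypto.createHmac('sha256', key).update(input).digest();
    ok = mac.length === sig.length && nodeCrypto.timingSafeEqual(mac, sig);
  }
  if (!ok) throw new Error('bad signature');
  return JSON.parse(fromB64u(p).toString());
}

// Constructed demo: a throwaway P-256 key pair and a random shared secret.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const secretBytes = new Uint8Array(nodeCrypto.randomBytes(32));
const token = mint('ES256', { sub: 'user-123', role: 'authenticated' }, privateKey);
console.log(verify(token, { ES256: publicKey }).sub); // verifier holds the public key
try {
  verify(token, { ES256: secretBytes }); // verifier only holds the symmetric secret
} catch (e) {
  console.log(`${e.name}: ${e.message}`);
}
```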