Getting authenticator@postgres error permission denied
I’ve been stuck on this for 3 days now, please any comments will be useful. So basically I am using supabase auth and once a user signs up or logs in there is a custom access token that gets the tenant id and user id from my db and attaches it to the jwt app_metadata. When trying to access my tables (rls disabled) i get the failed to load 400 bad request. In the supabase logs i get authenticator@postgres error permission denied.
From my understanding the authenticator should be switched to anon or authenticated
I am on supabase cli
16 Replies
You are using the auth hook to add that to app_metadata?
Can you show a log entry?
You are not changing the role claim in the JWT?
authenticator role of PostgREST switches to the role in the role claim.
declare
claims jsonb := event->'claims';
v_tenant_id uuid;
v_role text;
begin
/* Grab the first tenant membership for this user.
If you support multiple tenants per user, swap the LIMIT 1
for an aggregate (e.g. jsonb_agg) or another rule of choice. */
select tenant_id, role
into v_tenant_id, v_role
from public.tenant_memberships
where user_id = (event->>'user_id')::uuid
limit 1;
-- role → user_role claim
if v_role is not null then
claims := jsonb_set(claims, '{user_role}', to_jsonb(v_role));
else
claims := jsonb_set(claims, '{user_role}', 'null');
end if;
-- tenant_id → tenant_id claim
if v_tenant_id is not null then
claims := jsonb_set(claims, '{tenant_id}', to_jsonb(v_tenant_id::text));
else
claims := jsonb_set(claims, '{tenant_id}', 'null');
end if;
-- write back & return
event := jsonb_set(event, '{claims}', claims);
return event;
end;
here is my custom_access_token, defined as a security definer if not getting 172.18.0.6 2025-09-05 19:16:37.319 UTC [342] supabase_auth_admin@postgres ERROR: permission denied for table tenant_memberships error and not letting me log in
That error seems to say you did not follow all steps of the hook guide. I don't recall if you have to give auth_admin a grant for the table or make the hook function security definer.

https://supabase.com/docs/guides/auth/auth-hooks/custom-access-token-hook add admin role example
172.18.0.9 2025-09-05 19:35:34.545 UTC [667] authenticator@postgres ERROR: permission denied for table
still not working getting this in the log
See if there is more info in the Postgres log
What are you getting that error on?
postgres log

What call is getting that? What table?
The API Gateway might show.

Also you said you are modifying app metadata but your function seems to add two new claims user_role and tenant_id right to the JWT. Which should not be an issue.
yep meant to add data, not modifying the content
You are but not to app metadata. But probably not relevant.
On one of those API Gateway log entries look at what role is accessing.
Did you remove grants for anon/authenticated from tables you are accessing from the REST API?
You also check the jwt being sent on DB requests with jwt.io to make sure it looks correct (role claim in particular being anon/authenticated).
Thank you very much, some how anon and authenticated had lost access
The guide showed removing them for the table the Guide was using, but then that means they would not have access. All depends on your implementation of the "roles" table.