Getting authenticator@postgres error permission denied

I’ve been stuck on this for 3 days now, please, any comments will be useful. So basically I am using Supabase auth, and once a user signs up or logs in there is a custom access token that gets the tenant id and user id from my db and attaches it to the JWT app_metadata. When trying to access my tables (RLS disabled) I get the failed to load 400 bad request. In the Supabase logs I get authenticator@postgres error permission denied. From my understanding the authenticator should be switched to anon or authenticated. I am on Supabase CLI.
garyaustin 2mo ago
You are using the auth hook to add that to app_metadata? Can you show a log entry? You are not changing the role claim in the JWT? The authenticator role of PostgREST switches to the role in the role claim.
amirnks (OP) 2mo ago
```sql
declare
  claims jsonb := event->'claims';
  v_tenant_id uuid;
  v_role text;
begin
  /* Grab the first tenant membership for this user.
     If you support multiple tenants per user, swap the LIMIT 1
     for an aggregate (e.g. jsonb_agg) or another rule of choice. */
  select tenant_id, role
    into v_tenant_id, v_role
    from public.tenant_memberships
   where user_id = (event->>'user_id')::uuid
   limit 1;

  -- role → user_role claim
  if v_role is not null then
    claims := jsonb_set(claims, '{user_role}', to_jsonb(v_role));
  else
    claims := jsonb_set(claims, '{user_role}', 'null');
  end if;

  -- tenant_id → tenant_id claim
  if v_tenant_id is not null then
    claims := jsonb_set(claims, '{tenant_id}', to_jsonb(v_tenant_id::text));
  else
    claims := jsonb_set(claims, '{tenant_id}', 'null');
  end if;

  -- write back & return
  event := jsonb_set(event, '{claims}', claims);
  return event;
end;
```
Here is my custom_access_token, defined as a security definer, if not getting
172.18.0.6 2025-09-05 19:16:37.319 UTC [342] supabase_auth_admin@postgres ERROR: permission denied for table tenant_memberships
error and not letting me log in.
garyaustin 2mo ago
That error seems to say you did not follow all steps of the hook guide. I don't recall if you have to give auth_admin a grant for the table or make the hook function security definer.
amirnks (OP) 2mo ago
172.18.0.9 2025-09-05 19:35:34.545 UTC [667] authenticator@postgres ERROR: permission denied for table
Still not working, getting this in the log.
garyaustin 2mo ago
See if there is more info in the Postgres log. What are you getting that error on?
amirnks (OP) 2mo ago
postgres log
garyaustin 2mo ago
What call is getting that? What table? The API Gateway might show.
garyaustin 2mo ago
Also you said you are modifying app metadata but your function seems to add two new claims user_role and tenant_id right to the JWT. Which should not be an issue.
amirnks (OP) 2mo ago
yep meant to add data, not modifying the content
garyaustin 2mo ago
You are but not to app metadata. But probably not relevant. On one of those API Gateway log entries look at what role is accessing. Did you remove grants for anon/authenticated from tables you are accessing from the REST API? You can also check the JWT being sent on DB requests with jwt.io to make sure it looks correct (role claim in particular being anon/authenticated).
amirnks (OP) 2mo ago
Thank you very much, somehow anon and authenticated had lost access.
garyaustin 2mo ago
The guide showed removing them for the table the Guide was using, but then that means they would not have access. All depends on your implementation of the "roles" table.
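
An example added here, not posted by anyone in the thread: `permission denied for table` comes from a missing GRANT rather than from RLS, so this checks and restores grants for the three roles the thread names. `public.tenant_memberships` is from the posted function; `public.some_api_table` and the hook name `public.custom_access_token_hook` are assumptions to replace with your own.

```sql
-- Added example; run as a superuser (e.g. postgres) on the local stack.
-- Assumed names: public.some_api_table (a table you query over REST) and
-- public.custom_access_token_hook (your hook function).

-- 1. What can each role involved actually do?
select r.rolname,
       t.tbl,
       has_schema_privilege(r.rolname, 'public', 'USAGE') as schema_usage,
       has_table_privilege(r.rolname, t.tbl, 'SELECT')    as can_select,
       has_table_privilege(r.rolname, t.tbl, 'INSERT')    as can_insert
from pg_roles r
cross join (values ('public.tenant_memberships'),
                   ('public.some_api_table')) as t(tbl)
where r.rolname in ('anon', 'authenticated', 'supabase_auth_admin')
order by t.tbl, r.rolname;

-- 2. Explicit grants on those tables (a role with no row has no grant).
select grantee,
       table_name,
       string_agg(privilege_type::text, ', ' order by privilege_type) as privileges
from information_schema.role_table_grants
where table_schema = 'public'
  and table_name in ('tenant_memberships', 'some_api_table')
group by grantee, table_name
order by table_name, grantee;

-- 3. Hook side: the auth server calls the hook as supabase_auth_admin.
grant usage on schema public to supabase_auth_admin;
grant execute on function public.custom_access_token_hook(jsonb)
  to supabase_auth_admin;
revoke execute on function public.custom_access_token_hook(jsonb)
  from anon, authenticated, public;
-- Needed when the hook is not SECURITY DEFINER:
grant select on table public.tenant_memberships to supabase_auth_admin;

-- 4. API side: PostgREST switches to the role in the JWT's role claim,
--    so that role needs its own grants. Grant only what the app uses.
--    With RLS disabled, this grant exposes every row to every signed-in user.
grant usage on schema public to authenticated;
grant select, insert, update, delete
  on table public.some_api_table to authenticated;
```

Rerun query 1 after the grants; the role shown in the API Gateway log entry should now report `can_select = true` for the table the request touches.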
