TUS Resumable Uploads + Clerk JWT returning 403 RLS error

Need help: TUS resumable uploads with Clerk JWT getting 403 RLS error
Running into a persistent issue with resumable uploads using Clerk third-party auth. Would appreciate any guidance.

Setup:

Next.js 15 + Clerk for authentication
Supabase Storage with TUS protocol for resumable uploads
Clerk configured as third-party provider (Dashboard → Auth → Third-Party)
Using direct storage endpoint:
```
https://<project-id>.storage.supabase.co/storage/v1/upload/resumable
```
https://<project-id>.storage.supabase.co/storage/v1/upload/resumable
```
https://<project-id>.storage.supabase.co/storage/v1/upload/resumable
```
https://<project-id>.storage.supabase.co/storage/v1/upload/resumable

TUS request headers:

Authorization: Bearer <Clerk session token>  // from await Clerk.session.getToken()
apikey: <SUPABASE_ANON_KEY>
x-upsert: false
Tus-Resumable: 1.0.0
Upload-Length: <file-size>

Authorization: Bearer <Clerk session token>  // from await Clerk.session.getToken()
apikey: <SUPABASE_ANON_KEY>
x-upsert: false
Tus-Resumable: 1.0.0
Upload-Length: <file-size>

Authorization: Bearer <Clerk session token>  // from await Clerk.session.getToken()
apikey: <SUPABASE_ANON_KEY>
x-upsert: false
Tus-Resumable: 1.0.0
Upload-Length: <file-size>

Authorization: Bearer <Clerk session token>  // from await Clerk.session.getToken()
apikey: <SUPABASE_ANON_KEY>
x-upsert: false
Tus-Resumable: 1.0.0
Upload-Length: <file-size>

Problem:

TUS POST returns
```
403 new row violates row-level security policy
```
403 new row violates row-level security policy
```
403 new row violates row-level security policy
```
403 new row violates row-level security policy
Storage auth test works (can list buckets with same Bearer token → returns 200)
Small file uploads via service_role work fine
Storage policies use
```
requesting_user_id()
```
requesting_user_id()
```
requesting_user_id()
```
requesting_user_id()
which calls
```
convert_to_uuid(auth.jwt()->>'sub')
```
convert_to_uuid(auth.jwt()->>'sub')
```
convert_to_uuid(auth.jwt()->>'sub')
```
convert_to_uuid(auth.jwt()->>'sub')

RLS Policy (simplified):

CREATE POLICY "project_files_insert"
ON storage.objects FOR INSERT TO authenticated
WITH CHECK (
  bucket_id = 'project-files' AND
  EXISTS (
    SELECT 1 FROM projects p
    WHERE p.id::text = (storage.foldername(name))[1]
      AND p.created_by = requesting_user_id()
  )
);

CREATE POLICY "project_files_insert"
ON storage.objects FOR INSERT TO authenticated
WITH CHECK (
  bucket_id = 'project-files' AND
  EXISTS (
    SELECT 1 FROM projects p
    WHERE p.id::text = (storage.foldername(name))[1]
      AND p.created_by = requesting_user_id()
  )
);

CREATE POLICY "project_files_insert"
ON storage.objects FOR INSERT TO authenticated
WITH CHECK (
  bucket_id = 'project-files' AND
  EXISTS (
    SELECT 1 FROM projects p
    WHERE p.id::text = (storage.foldername(name))[1]
      AND p.created_by = requesting_user_id()
  )
);

CREATE POLICY "project_files_insert"
ON storage.objects FOR INSERT TO authenticated
WITH CHECK (
  bucket_id = 'project-files' AND
  EXISTS (
    SELECT 1 FROM projects p
    WHERE p.id::text = (storage.foldername(name))[1]
      AND p.created_by = requesting_user_id()
  )
);

Questions:

Does the Bearer token from
```
Clerk.session.getToken()
```
Clerk.session.getToken()
```
Clerk.session.getToken()
```
Clerk.session.getToken()
have the right format for Supabase Storage RLS?
Should I be using a different Clerk token method or template?
Is there a way to debug what
```
requesting_user_id()
```
requesting_user_id()
```
requesting_user_id()
```
requesting_user_id()
returns during the Storage RLS evaluation?

What works:

JWKS endpoint is accessible
Storage auth test passes (listBuckets returns 200)
JWT has
```
sub
```
sub
```
sub
```
sub
,
```
iss
```
iss
```
iss
```
iss
,
```
role: "authenticated"
```
role: "authenticated"
```
role: "authenticated"
```
role: "authenticated"
,
```
exp
```
exp
```
exp
```
exp
User exists in project_members with proper role

What fails:

TUS POST to
```
/storage/v1/upload/resumable
```
/storage/v1/upload/resumable
```
/storage/v1/upload/resumable
```
/storage/v1/upload/resumable
→ 403 RLS

TUS Resumable Uploads + Clerk JWT returning 403 RLS error

Similar Threads

Similar Threads

Similar Threads