Recommended Pattern for Cron Job -> Edge Function Auth (Post-`pgjwt`/`pgsodium`)
Hey everyone,
I'm trying to find the officially recommended pattern for a Postgres cron job to securely authenticate and call an Edge Function, and I've hit a few walls with deprecated methods.
What I’m trying to achieve:
I have a background job scheduled with `pg_cron`. The job needs to call one of my Edge Functions using `pg_net` to kick off a process. This is a purely server-to-server interaction.
What’s going wrong:
My main challenge has been programmatically creating a service_role JWT within Postgres. My journey to find a solution has felt like a process of elimination:
1. The Supabase CLI no longer provides a static, long-lived `service_role_key`.
2. The `pgjwt` extension is deprecated and not available in my Postgres 17 environment.
3. The documentation now discourages direct use of `pgsodium` and recommends using the Vault.
4. The `supabase/vault` extension doesn't appear to have a high-level function like `vault.sign()` to create JWTs.
This has led me to a workaround: manually generating a long-lived JWT on a site like jwt.io, then storing that static token in the Vault for my cron job to retrieve.
My Question:
While the "generate-once-store" pattern might work (haven't tested it yet, but it seems like it should), it feels like a sub-optimal, manual setup step. I'm wondering if I've missed a more integrated, programmatic solution.
What is the official, future-proof Supabase pattern for a Postgres function to authenticate itself to call an Edge Function? Is the intended solution to use an Edge Function as a utility to sign tokens for Postgres, or is the manual "generate-once-store" pattern the recommended approach for this use case?
Thanks for any guidance!
Environment:
Supabase CLI: 2.48.3
Postgres Version: 17.6 (from local dev environment)
Platform: Local development on macOS (Apple Silicon)
1 Reply
Not seen how edge functions are going to sort out with new API keys. But right now the auto JWT check has to be off. In that case might as well just check your own header and key value for now. Store it in Vault for easier changes.
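Added example, not part of the thread and not Supabase's own code: a sketch of the "check your own header and key value" approach from the reply, as it could look on the Edge Function side. The header name `x-cron-secret`, the minimum secret length, and the sample values are assumptions; the cron job would read the same value from Vault and send it in that header.

```typescript
// Added example: shared-secret header check for a cron-invoked Edge Function.
// HEADER_NAME and MIN_SECRET_LENGTH are assumptions, not Supabase defaults.
const HEADER_NAME = "x-cron-secret";
const MIN_SECRET_LENGTH = 32;

// Minimal shape of the Fetch API Headers object; Request.headers satisfies it.
interface HeaderReader {
  get(name: string): string | null;
}

// Compare two strings without returning early on the first mismatch,
// so response time does not reveal how many leading characters matched.
function constantTimeEqual(a: string, b: string): boolean {
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length; // differing lengths can never compare equal
  for (let i = 0; i < len; i++) {
    // charCodeAt past the end yields NaN, which the bitwise XOR treats as 0
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Returns the HTTP status the function should answer with:
// 500 = secret missing or too short (fail closed), 401 = header missing or
// wrong, 200 = caller accepted. In an Edge Function, `expected` would come
// from the function's environment rather than from source code.
function authorizeCronCall(headers: HeaderReader, expected: string | undefined): number {
  if (!expected || expected.length < MIN_SECRET_LENGTH) return 500;
  const presented = headers.get(HEADER_NAME);
  if (presented === null) return 401;
  return constantTimeEqual(presented, expected) ? 200 : 401;
}

// Constructed sample values, for demonstration only.
const SAMPLE_SECRET = "constructed-sample-secret-0123456789abcdef";
function sampleHeaders(value?: string): HeaderReader {
  return {
    get: (name) =>
      name.toLowerCase() === HEADER_NAME && value !== undefined ? value : null,
  };
}
```

Rotating the secret then only requires updating the Vault entry and the function's environment value together.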