Recommended Pattern for Cron Job -> Edge Function Auth (Post-`pgjwt`/`pgsodium`)
Hey everyone,
I'm trying to find the officially recommended pattern for a Postgres cron job to securely authenticate and call an Edge Function, and I've hit a few walls with deprecated methods.
What I’m trying to achieve:
I have a background job scheduled with
What’s going wrong:
My main challenge has been programmatically creating a service_role JWT within Postgres. My journey to find a solution has felt like a process of elimination:
My Question:
While the "generate-once-store" pattern might work (haven't tested it yet, but it seems like it should), it feels like a sub-optimal, manual setup step. I'm wondering if I've missed a more integrated, programmatic solution.
What is the official, future-proof Supabase pattern for a Postgres function to authenticate itself to call an Edge Function? Is the intended solution to use an Edge Function as a utility to sign tokens for Postgres, or is the manual "generate-once-store" pattern the recommended approach for this use case?
Thanks for any guidance!
Environment:
Supabase CLI:
Postgres Version:
Platform: Local development on macOS (Apple Silicon)
I'm trying to find the officially recommended pattern for a Postgres cron job to securely authenticate and call an Edge Function, and I've hit a few walls with deprecated methods.
What I’m trying to achieve:
I have a background job scheduled with
pg_cron. The job needs to call one of my Edge Functions using pg_net to kick off a process. This is a purely server-to-server interaction.What’s going wrong:
My main challenge has been programmatically creating a service_role JWT within Postgres. My journey to find a solution has felt like a process of elimination:
- The Supabase CLI no longer provides a static, long-lived
service_role_key. - The
pgjwtextension is deprecated and not available in my Postgres 17 environment. - The documentation now discourages direct use of
pgsodiumand recommends using the Vault. - The
supabase/vaultextension doesn't appear to have a high-level function likevault.sign()to create JWTs.
My Question:
While the "generate-once-store" pattern might work (haven't tested it yet, but it seems like it should), it feels like a sub-optimal, manual setup step. I'm wondering if I've missed a more integrated, programmatic solution.
What is the official, future-proof Supabase pattern for a Postgres function to authenticate itself to call an Edge Function? Is the intended solution to use an Edge Function as a utility to sign tokens for Postgres, or is the manual "generate-once-store" pattern the recommended approach for this use case?
Thanks for any guidance!
Environment:
Supabase CLI:
2.48.3Postgres Version:
17.6 (from local dev environment)Platform: Local development on macOS (Apple Silicon)
