Authorization headers in Database Webhooks
I have a database webhook used to send emails on database changes. Locally I was able to add the correct authorisation header, but in my staging and production projects, whenever I add the authorization header, it gets immediately removed on save or edit of the hook. I have seen some talk about this online, but has anyone found a solution?
12 Replies
Yeah, that's the issue I'm having; however, locally the Authorization header persists and in my live Supabase project it doesn't. I don't believe the header is being stored either, because the edge function fails, which it doesn't locally.
Sort of surprised how few complaints there are of this if the dashboard is broken. I don't see it saving either. Have not tested if really there but the issue generator says no.
The other headers seem to work.
So you could temporarily hard code it...
Yeah, I was surprised there wasn't more about it. Locally I couldn't add it if I was editing, but it did successfully add if I created a new webhook and added the header when creating the webhook; however, if I edit it at all, it removes the header again. In staging and prod I can't add the header at all.
That could work. Do you have anywhere you can point me in the direction of to find the code for it?
Are you using the new API keys? Wonder if that is involved somehow.
Code for what?
How do I know if I'm using the new API keys? I'm just using my service key in the Authorization header
Code to hard code the header. What did you mean by hard code it?
There is an option to set custom headers in the webhook UI.
BUT it is something to do with the header name... Authorization does not save for custom either. BUT authorization does. Very odd.
Oh yeah, that's interesting. It sounds like some security feature that has a bug or something. Using lower case authorization works for me for now. I don't know why I hadn't thought to try that.
What I don't know is if that will do automatic updates (they may look for Authorization). Also have not checked edge to see if lower case works. The headers are supposed to be case insensitive.
I see. Would you advise against using the lower case header then, even temporarily, until the fix is live? My webhook is calling an edge function and it works as expected with lower case authorization.
I would use it and have a note to fix when the bug gets fixed. It has already been 2 weeks and nothing from SB on that issue.
Note that using the new API keys you can't use verify JWT on the edge function so it is not that useful.
Okay cool, thank you for your help!