Signed upload URL expiry?
Hey, is there any way to modify signed upload URL expiry?
I know supabase docs say they are 2 hours but im experiencing really weird behaviour with them which i absolutely cannot explain. Google gemini gives me this explanation but i am not sure if it is right or making things up..
My serverless worker received a signed PUT URL that resulted in a 400 Client Error: Bad Request during a cold start. The root cause appears to be a 60-second expiration time, which contradicts the expected 2-hour lifetime for signed upload URLs. The log contains:
2025-10-28T22:31:13.021994421Z worker-comfyui - PUT to signed URL failed (attempt 1/3). Retrying in 1.00s...: 400 Client Error: Bad Request for url: PUT [.....redactedURL....]/storage/v1/object/upload/sign/user-assets/[...]/ai-generated-assets/baseline-close-front.png?token=[FULL_TOKEN]
Where FULL_TOKEN =
eyJhbGciOiJIUzI1NiJ9.eyJvd25lciI6Ijg2YWI0OWY5LTY2ZjgtNGU5ZC04ZWIzLWIyZjQ4MTIzZTE1ZSIsInVybCI6InVzZXItYXNzZXRzL2VkN2I2NDk0LTEwN2ItNDBjOS04ZDVkLWE0NDI2ODk3OGY2My9jaGFyYWN0ZXJzL2VmNzA1ZWIwLTk4ZTctNDk5Zi04ZTNjLTYzYjE4YjNmZDJlNC9haS1nZW5lcmF0ZWQtYXNzZXRzL2Jhc2VsaW5lLWNsb3NlLWZyb250LnBuZyIsInVwc2VydCI6ZmFsc2UsImlhdCI6MTc2MTY5MDU2MywiZXhwIjoxNzYxNjkwNjIzfQ.gBSct2fnKf7Ms8EhF-GE5_ZpXq6JMDMpYkci8akzN3Y
When i decode that token I get:
{
"owner": "86ab49f9-66f8-4e9d-8eb3-b2f48123e15e",
"url": "user-assets/[....]/baseline-close-front.png",
"upsert": false,
"iat": 1761690563,
"exp": 1761690623
}
Issued At (iat): 1761690563 (2025-10-28 22:29:23 UTC)
Expires At (exp): 1761690623 (2025-10-28 22:30:23 UTC)
Calculated TTL: 60 seconds
How can this be the case if docs suggest 2 hour default and I am in no way explicitly setting it to 60 seconds anywhere in my code
15 Replies
eyJhbGciOiJIUzI1NiJ9.eyJ1cmwiOiJ1c2VyLWFzc2V0cy93b3JrZXItdGVzdHMvY2hhcmFjdGVyLXNoZWV0LXRlc3QucG5nIiwidXBzZXJ0IjpmYWxzZSwiaWF0IjoxNzYxNjg1NDQ1LCJleHAiOjE3NjE2ODU1MDV9.xioIKP9T19PFSi-E6o7CUXlG2GnQo-xpvWvwjaT9g8c
Another upload url token generated with the same issue
What does the code you are using to generate the signed URL looks like?
Sorry it will be vibe coded crap.. but ill send it 🙂
and the call to that is:
upload_meta = supabase_user_role.create_signed_upload_url(
jwt_token,
bucket="user-assets",
object_path=object_path,
)
Ok you are using the Python client. There is currently a bug with that function that you are using, I'm working on a fix, just haven't created a pull request for it as yet. You currently can't set the expiry time and I think it defaults to 60 seconds, I'm adding some changes to allow you to set that time.
ahhhhhhhhhhhhh awesomeeeeeeeeeeeeeeeeeeeeee okay!!!
Im just learning to code so i wasnt sure if i was being dumb or not
thank you!
Actually wait, I might be confusing the functions. Give me a minute
So do I just have to wait ?
okay cool! Tbh - the docs still say its 2 hours by default which is the weird thing, 2 hours would be more than enough
Can you point me to that page in the docs please?
Don't worry I found where it says the 2 hours
Python: Create signed upload URL | Supabase Docs
Supabase API reference for Python: Create signed upload URL
Looking at the code for the token generation it would seem the default fallback time is actually 60 seconds
I will try and test it out tomorrow and if it's not 2 hours I will ask the Supabase team if this is correct behavior.
okay awesome - and like you say - as of now there is no way to manually specify it right?
im just thinking if i need to rework the logic I have - i pass in a signed URL to my serverless endpoint so I can upload assets direct to my bucket, but cold start times mean sometimes the URL expires 😄
Yes correct, you can't manually specify it.