Signed upload URL expiry?
Hey, is there any way to modify signed upload URL expiry?
I know supabase docs say they are 2 hours but im experiencing really weird behaviour with them which i absolutely cannot explain. Google gemini gives me this explanation but i am not sure if it is right or making things up..
My serverless worker received a signed PUT URL that resulted in a 400 Client Error: Bad Request during a cold start. The root cause appears to be a 60-second expiration time, which contradicts the expected 2-hour lifetime for signed upload URLs. The log contains:
2025-10-28T22:31:13.021994421Z worker-comfyui - PUT to signed URL failed (attempt 1/3). Retrying in 1.00s...: 400 Client Error: Bad Request for url: PUT [.....redactedURL....]/storage/v1/object/upload/sign/user-assets/[...]/ai-generated-assets/baseline-close-front.png?token=[FULL_TOKEN]
Where FULL_TOKEN =
eyJhbGciOiJIUzI1NiJ9.eyJvd25lciI6Ijg2YWI0OWY5LTY2ZjgtNGU5ZC04ZWIzLWIyZjQ4MTIzZTE1ZSIsInVybCI6InVzZXItYXNzZXRzL2VkN2I2NDk0LTEwN2ItNDBjOS04ZDVkLWE0NDI2ODk3OGY2My9jaGFyYWN0ZXJzL2VmNzA1ZWIwLTk4ZTctNDk5Zi04ZTNjLTYzYjE4YjNmZDJlNC9haS1nZW5lcmF0ZWQtYXNzZXRzL2Jhc2VsaW5lLWNsb3NlLWZyb250LnBuZyIsInVwc2VydCI6ZmFsc2UsImlhdCI6MTc2MTY5MDU2MywiZXhwIjoxNzYxNjkwNjIzfQ.gBSct2fnKf7Ms8EhF-GE5_ZpXq6JMDMpYkci8akzN3Y
When i decode that token I get:
{
"owner": "86ab49f9-66f8-4e9d-8eb3-b2f48123e15e",
"url": "user-assets/[....]/baseline-close-front.png",
"upsert": false,
"iat": 1761690563,
"exp": 1761690623
}
Issued At (iat): 1761690563 (2025-10-28 22:29:23 UTC)
Expires At (exp): 1761690623 (2025-10-28 22:30:23 UTC)
Calculated TTL: 60 seconds
How can this be the case if docs suggest 2 hour default and I am in no way explicitly setting it to 60 seconds anywhere in my code
21 Replies
eyJhbGciOiJIUzI1NiJ9.eyJ1cmwiOiJ1c2VyLWFzc2V0cy93b3JrZXItdGVzdHMvY2hhcmFjdGVyLXNoZWV0LXRlc3QucG5nIiwidXBzZXJ0IjpmYWxzZSwiaWF0IjoxNzYxNjg1NDQ1LCJleHAiOjE3NjE2ODU1MDV9.xioIKP9T19PFSi-E6o7CUXlG2GnQo-xpvWvwjaT9g8c
Another upload url token generated with the same issue
What does the code you are using to generate the signed URL looks like?
Sorry it will be vibe coded crap.. but ill send it 🙂
and the call to that is:
upload_meta = supabase_user_role.create_signed_upload_url(
jwt_token,
bucket="user-assets",
object_path=object_path,
)
Ok you are using the Python client. There is currently a bug with that function that you are using, I'm working on a fix, just haven't created a pull request for it as yet. You currently can't set the expiry time and I think it defaults to 60 seconds, I'm adding some changes to allow you to set that time.
ahhhhhhhhhhhhh awesomeeeeeeeeeeeeeeeeeeeeee okay!!!
Im just learning to code so i wasnt sure if i was being dumb or not
thank you!
Actually wait, I might be confusing the functions. Give me a minute
So do I just have to wait ?
okay cool! Tbh - the docs still say its 2 hours by default which is the weird thing, 2 hours would be more than enough
Can you point me to that page in the docs please?
Don't worry I found where it says the 2 hours
Python: Create signed upload URL | Supabase Docs
Supabase API reference for Python: Create signed upload URL
Looking at the code for the token generation it would seem the default fallback time is actually 60 seconds
I will try and test it out tomorrow and if it's not 2 hours I will ask the Supabase team if this is correct behavior.
okay awesome - and like you say - as of now there is no way to manually specify it right?
im just thinking if i need to rework the logic I have - i pass in a signed URL to my serverless endpoint so I can upload assets direct to my bucket, but cold start times mean sometimes the URL expires 😄
Yes correct, you can't manually specify it.
hey @silentworks, do you know how long fixes or updates like this typically take to make and deploy?
Would it be a few days or weeks or months do you reckon?
Im just trying to decide whether or not I need to consider an alternate strategy to allow my custom api endpoint to upload things to the s3 buckets - app isnt live atm so its not a big issue but it just impacts my development / testing i guess
I just tested this on my machine and the token gave the correct 2 hours default time. So maybe there is a misconfiguration on your Supabase instance, in which case I'd ask you to contact Supabase support to look into it.
My token:
I'm running it locally! Did you try it locally? I can try push the project to free tier supabase and give it another go there
Mine is fully local, it's using the Supabase CLI version 2.54.11
Okay thanks so much - I just made a new repo from scratch and atested it too and it also gives me 7200 seconds, so somewhere i AM DOIng something wrong in my old repo
really weird one considering it shouldnt even let me change the timings of the upload signed url hahahahhahha
ill keep trying but its defo a me thing
The only suggestion I can make is that you compare the
supabase/config.toml file between both projects to see what's different.