Legacy API keys used even if disabled?
I have disabled legacy API keys and enabled the new keys. Now I call an edge function and I get this error: Authentication error: Legacy API keys are disabled
Could it be that the edge function secrets have not been updated? Because I created the branch and then disabled legacy keys.
import { createClient } from 'npm:@supabase/supabase-js@2';

const corsHeaders = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type'
};

// SUPABASE_URL, SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY are the secrets the
// platform injects into every edge function (the first two were missing from the post).
const supabaseUrl = Deno.env.get('SUPABASE_URL');
const supabaseAnonKey = Deno.env.get('SUPABASE_ANON_KEY');
const supabaseServiceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');

const jsonHeaders = { ...corsHeaders, 'Content-Type': 'application/json' };

Deno.serve(async (req) => {
  // CORS preflight
  if (req.method === 'OPTIONS') {
    return new Response('ok', { headers: corsHeaders });
  }

  if (!supabaseUrl || !supabaseAnonKey || !supabaseServiceRoleKey) {
    console.error('Server configuration error: Missing Supabase environment variables.');
    return new Response(JSON.stringify({ error: 'Server configuration error.' }), {
      status: 500,
      headers: jsonHeaders
    });
  }

  const authHeader = req.headers.get('Authorization');
  if (!authHeader) {
    return new Response(JSON.stringify({ error: 'Missing Authorization header.' }), {
      status: 401,
      headers: jsonHeaders
    });
  }

  // Client acting as the caller: anon key plus the caller's own Authorization header,
  // so RLS applies and getUser() validates the caller's access token.
  const supabase = createClient(supabaseUrl, supabaseAnonKey, {
    global: { headers: { Authorization: authHeader } }
  });

  // Privileged client for server-side work that must bypass RLS; never expose this key to the caller.
  const supabaseAdmin = createClient(supabaseUrl, supabaseServiceRoleKey, {
    auth: { autoRefreshToken: false, persistSession: false, detectSessionInUrl: false }
  });

  console.log('Authenticating user...');
  const { data: { user: authUser }, error: authError } = await supabase.auth.getUser();
  if (authError || !authUser) {
    console.error('Authentication error:', authError?.message || 'No user found.');
    return new Response(JSON.stringify({ error: 'User not authenticated.' }), {
      status: 401,
      headers: jsonHeaders
    });
  }

  // The rest of the handler (the work done with supabaseAdmin) was not included in the post.
  return new Response(JSON.stringify({ userId: authUser.id }), {
    status: 200,
    headers: jsonHeaders
  });
});


36 Replies
where are you calling the edge function from and have you updated that with the new values and maybe restarted?
@ibrahim I don't think the issue is with my frontend tbh.
this is working in my main branch

The secrets only contain the legacy API keys.
Did you log out the service_role key?
If you look in the Edge Function UI you'll probably still see your old service_role secret there. Which won't work anymore when you call Supabase because you disabled it.
@garyaustin not sure what you mean with "edge function ui".
In the code there is this: "const supabaseServiceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');" but shouldn't this automatically be the new key?
I have disabled "Verify JWT with legacy secret" and as you can see from my screenshots when making the call I use the new Publishable key as apikey


I have legacy API keys disabled. The secrets are still the old JWT keys.
Hmm ok, that is what I suspected. But why is this working in the main branch and how can I make it work with the new keys?
I've not seen an answer for passing in the SB style secrets automatically.
You could certainly add the secret to your own named secret and paste it in.
Similar question from another user.

Or not disable them for now.
Sooo there's really no solution other than creating a secret with another name and replacing this in all edge functions? This is super strange because in a branch that I deleted and in the main branch they work perfectly.
Do you have Legacy disabled in the main branch?
You can use the new keys and old keys together.
yep it is the completely same implementation

What does your Edge function UI show for the secrets?

So they will be pulled as the old secrets in that branch.
Ok I understand, but why was this working before and why does this basically work in the main branch? This is really something strange...
I am pretty sure it was working with this configuration in my deleted branch, and it works in my main branch, which is basically the same as this new branch.
Sorry.
Console.log the secret in your edge function.
I forgot those are encoded.
But I don't believe they change to the new secrets.
no I dont think they changed.
but they somehow did in main
I'm wrong. It is working now.
Not sure I understood. What is working now?
The secret is updated to the SB... key in the edge function secrets. At least with Legacy Disabled.
Sooo why is my old key still being used then?


Did you console.log in the function and for sure they are the old JWT keys?
Also you are setting the Authorization header to the incoming Authorization header. Is that a user JWT?
from the logs I can see that the service role and anon keys are the new keys (not the legacy ones)

That is your call to the Edge function headers?
yes
And by logs you mean you logged out the secrets in the Edge function?
I'd double check the authorization header coming in is not the old anon key.

What does the JWT decode to for auth? It looks like it should be a user JWT from the cookie. But if for some reason it is legacy anon/service that would probably cause the same error as the apikey header being wrong.
Yes, it is the access_token from the cookies. It looks pretty much like the legacy anon key but the ending is different, so something like this, without the ending obviously:
eyJhbGciOiJFUzI1NiIsImtpZCI6IjQ2MjVkZjM1LTM3OGQtNDRmNy05MTA3LTk0OTE4OWZiOGFkYiIsInR5cCI6IkpXVCJ9
Dump it in jwt.io
If it is anon then that is your issue.
If it is much longer then probably a user jwt which should be fine.
{
  "iss": "url/auth/v1",
  "sub": "74688c29-778a-4272-b21e-b876a508b177",
  "aud": "authenticated",
  "exp": 1762290706,
  "iat": 1762287106,
  "email": "sb+real1@a.co",
  "phone": "",
  "app_metadata": {
    "provider": "email",
    "providers": [
      "email"
    ]
  },
  "user_metadata": {
    "email": "sb@a.co",
    "email_verified": true,
    "phone_verified": false,
    "sub": "74688c29-778a-4272-b21e-b876a508b177"
  },
  "role": "authenticated",
  "aal": "aal1",
  "amr": [
    {
      "method": "password",
      "timestamp": 1762276990
    }
  ],
  "session_id": "5f796c61-b2c4-4bf2-8e00-eb46697a9c9b",
  "is_anonymous": false
}
Oops, it's working now. I'm pretty sure I changed nothing. All other edge functions are working too. Very strange.
Well. At least I know now they fixed the SB_secret stuff.
Sorry for that digression.
many thanks 👍
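The check the replies above converge on (decode the bearer token the edge function actually received and look at its role claim before blaming the platform secrets) as an added example; this is not code from the thread or from Supabase. Assumptions, labelled in the comments: legacy anon/service_role keys are JWTs whose payload carries role "anon" or "service_role", the new keys are opaque strings prefixed "sb_publishable_" / "sb_secret_", and a user access token is a JWT with role "authenticated" and a "sub" claim. The sample tokens are constructed here with a placeholder signature; the classifier only decodes, it never verifies, so it is a diagnostic aid and not a replacement for supabase.auth.getUser().

```typescript
// Added example: classify what arrived in an edge function's Authorization header
// so "Legacy API keys are disabled" can be traced to the right token.
// Assumptions: legacy keys = JWTs with role "anon" / "service_role";
// new keys = opaque strings prefixed "sb_publishable_" / "sb_secret_";
// user access tokens = JWTs with role "authenticated" and a "sub" claim.

type BearerKind =
  | "new-publishable" | "new-secret"
  | "legacy-anon" | "legacy-service-role"
  | "user-jwt" | "unknown";

interface BearerInfo {
  kind: BearerKind;
  role?: string;
  sub?: string;
  exp?: number;
}

// base64url -> UTF-8 text (JWT segments carry no padding)
function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// UTF-8 text -> base64url, used only to build the constructed samples below
function base64UrlEncode(text: string): string {
  const bytes = new TextEncoder().encode(text);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode (NOT verify) the payload of a three-segment JWT; null if it is not one.
function decodeJwtPayload(token: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const parsed: unknown = JSON.parse(base64UrlDecode(parts[1] ?? ""));
    return typeof parsed === "object" && parsed !== null
      ? (parsed as Record<string, unknown>)
      : null;
  } catch {
    return null;
  }
}

function classifyBearer(authHeader: string | null): BearerInfo {
  if (!authHeader) return { kind: "unknown" };
  const token = authHeader.replace(/^Bearer\s+/i, "").trim();
  if (token.startsWith("sb_publishable_")) return { kind: "new-publishable" };
  if (token.startsWith("sb_secret_")) return { kind: "new-secret" };
  const payload = decodeJwtPayload(token);
  if (!payload) return { kind: "unknown" };
  const role = typeof payload.role === "string" ? payload.role : undefined;
  const sub = typeof payload.sub === "string" ? payload.sub : undefined;
  const exp = typeof payload.exp === "number" ? payload.exp : undefined;
  if (role === "anon") return { kind: "legacy-anon", role, exp };
  if (role === "service_role") return { kind: "legacy-service-role", role, exp };
  if (role === "authenticated" && sub) return { kind: "user-jwt", role, sub, exp };
  return { kind: "unknown", role, sub, exp };
}

// Constructed sample tokens (header + payload encoded here, "sig" is a placeholder).
const SAMPLE_HEADER = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
function constructedJwt(payload: Record<string, unknown>): string {
  return `${SAMPLE_HEADER}.${base64UrlEncode(JSON.stringify(payload))}.sig`;
}
const SAMPLE_LEGACY_ANON = constructedJwt({
  iss: "supabase", ref: "projectref", role: "anon", iat: 1700000000, exp: 2000000000,
});
const SAMPLE_LEGACY_SERVICE = constructedJwt({
  iss: "supabase", ref: "projectref", role: "service_role", iat: 1700000000, exp: 2000000000,
});
const SAMPLE_USER_TOKEN = constructedJwt({
  iss: "url/auth/v1", sub: "74688c29-778a-4272-b21e-b876a508b177",
  aud: "authenticated", role: "authenticated", exp: 1762290706, iat: 1762287106,
});
```

In the edge function, log `classifyBearer(req.headers.get('Authorization')).kind` (never the token itself) next to the same classification of the injected SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY values: a "legacy-anon" or "legacy-service-role" result on any of the three, with legacy keys disabled, is the direct cause of the error, while "user-jwt" on the header and "new-*" on the secrets means the configuration is what the thread ended up with.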