Supabase Edge Function returning 401
edge functionsHello, I’m new to Supabase and I’m stuck.
I have an Expo React Native app calling a deployed Supabase Edge Function (
What’s confusing
In the Edge Function logs (
* an apikey/anon token (role =
* and an authorization user token (role =
So it seems like the real user JWT is reaching the function, but I still get 401.
What my function does
*
* reads the bearer token from
* checks auth with
What I tried already
* Initially I manually set headers on the client:
*
* plus
* Then I removed all manual headers and switched to:
*
(so supabase-js should attach auth automatically)
* Confirmed in the logs that the
* I also checked RLS — but I’m not even getting to insert errors, it fails at auth (401) first
* Read up on the new
What I’m wondering
* Do I need to pass the token explicitly like
* Any “known good” Edge Function auth snippet you recommend to avoid accidentally validating the anon/apikey token?
I have an Expo React Native app calling a deployed Supabase Edge Function (
report_submitWhat’s confusing
In the Edge Function logs (
sb.jwt* an apikey/anon token (role =
anonnull* and an authorization user token (role =
authenticatedSo it seems like the real user JWT is reaching the function, but I still get 401.
What my function does
*
createClient(SUPABASE_URL, SUPABASE_ANON_KEY)serve()* reads the bearer token from
Authorization* checks auth with
supabase.auth.getUser()What I tried already
* Initially I manually set headers on the client:
*
Authorization: Bearer <session.access_token>* plus
apikey: <anon key>* Then I removed all manual headers and switched to:
*
supabase.functions.invoke("report_submit", { body: payload })(so supabase-js should attach auth automatically)
* Confirmed in the logs that the
authorizationrole: authenticatedsubject* I also checked RLS — but I’m not even getting to insert errors, it fails at auth (401) first
* Read up on the new
sb_publishable_sb_secret_What I’m wondering
* Do I need to pass the token explicitly like
supabase.auth.getUser(token)getUser()* Any “known good” Edge Function auth snippet you recommend to avoid accidentally validating the anon/apikey token?
