## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## Summary by CodeRabbit
* **Documentation**
  * Clarified API key changes (new publishable/secret scheme, where to
    obtain each, legacy keys valid through end of 2026) and updated many
    getting-started tutorials with clearer setup, flow, and auth guidance.
* **New Features**
  * Added/expanded profile photo/avatar upload and account integration
    steps across multiple tutorials.
* **Guides**
  * Added guidance on auth helper methods and when to use them.
* **Examples**
  * Example app updated to use token claims for auth state.
---------
Co-authored-by: Katerina Skroumpelou <mandarini@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
## Summary by CodeRabbit
* **Documentation**
  * Instructed granting least-privilege table permissions for anon,
    authenticated, and service roles prior to enabling Row Level Security
    across multiple guides and quickstarts.
  * Clarified SQL examples and inline comments, added explicit GRANT steps
    and RLS SELECT policies, rephrased policy guidance, and adjusted example
    ordering and section numbering for clearer setup and testing.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Updates our documentation pages around the Data API to include
instructions on how to grant the necessary privileges across API roles
across tables and functions. Current behaviour means this is largely
unnecessary as privileges are granted by default on public schema, but
adding instructions will help cover scenarios where this isn't the case
and expose some of the underlying magic happening.
## To test:
- These updates refer to new settings that are added to the data api
that give more visibility and control over what tables and functions are
accessible via the api.
- To view these settings you'll need to enable the `tableEditorApiAccessToggle`
feature flag
## Summary by CodeRabbit
* **Documentation**
  * Added a new "Data API" guide and removed the old "Hardening the Data
    API" page
  * Updated navigation links to surface the new Data API guide
  * Expanded quickstarts, SDK install pages, and security guides with
    step‑by‑step Data API exposure, default‑privileges, RLS guidance, and
    SQL GRANT examples (including function EXECUTE notes)
  * Updated troubleshooting references and added redirects for legacy
    documentation paths
---------
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: SaxonF <1072756+SaxonF@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
## Summary by CodeRabbit
* **Documentation**
  * Updated API key guidance to recommend publishable keys in getting
    started materials.
  * Added new "Get API details" section with credential retrieval
    instructions.
  * Updated code examples to use publishable keys.
---------
Co-authored-by: fadymak <dev@fadymak.com>
With the upcoming deprecation of the anonymous and service role keys,
this PR updates the Auth guides to use the publishable key instead of
the soon-to-be-deprecated anonymous key.
It also standardizes the example strings to be:
`'https://your-project-id.supabase.co'` and `'sb_publishable_...'` for
consistency.
## Summary by CodeRabbit
* **Documentation**
  * Standardized client initialization examples to use a consistent
    publishable-key placeholder (`sb_publishable_...`) and full project URL
    format.
  * Replaced "anon key" wording with "publishable key" across auth and API
    guides and examples.
  * Minor formatting and import-order/whitespace improvements in code
    samples for clarity and consistency.
## Summary by CodeRabbit
* **Documentation**
  * Updated all quickstart guides and tutorials to reference publishable
    keys instead of anon keys for Supabase client initialization.
  * Simplified environment variable setup instructions across multiple
    framework guides by removing anon key configuration requirements.
  * Clarified usage of publishable keys in step-by-step setup
    documentation for various frameworks and platforms.
---------
Co-authored-by: fadymak <dev@fadymak.com>
## What
Updates all `setAll` cookie handler implementations across docs and
examples to accept the new `headers` second argument introduced in
`@supabase/ssr` v0.10.0
([supabase/ssr#176](https://github.com/supabase/ssr/pull/176)).
## Why
`@supabase/ssr` v0.10.0 introduced a breaking change: `setAll` now
receives a required second argument `headers: Record<string, string>`
alongside the cookies array. When a token refresh occurs, the library
passes cache headers (`Cache-Control`, `Expires`, `Pragma`) that must be
applied to the HTTP response to prevent CDN caching of auth responses.
Because TypeScript allows functions with fewer parameters to satisfy a
type expecting more, existing `setAll` implementations do not produce a
type error when the second argument is omitted. Users who copy an
outdated snippet will silently miss the CDN protection.
Root cause and context:
[supabase/supabase-js#1682](https://github.com/supabase/supabase-js/issues/1682)
## Changes
**Proxy/middleware contexts** (where token refreshes happen) now apply
the cache headers to their response:
- Next.js proxy files: `supabaseResponse.headers.set(key, value)`
- SvelteKit hooks: `event.setHeaders(headers)`
- Hono middleware: `c.header(key, value)`
- Pages Router (Express-style): `ctx.res.setHeader(key, value)`
- Remix/React Router loaders and actions: applied to response headers
(outer `headers` variable renamed to `responseHeaders` to avoid naming
conflict with the new param)
**Server Component and API route contexts** (no response object
available) accept `_headers` without applying them.
## Files updated
- `apps/docs/content/guides/auth/server-side/creating-a-client.mdx`
(inline Astro, Remix, React Router, Express snippets)
- `apps/docs/content/_partials/oauth_pkce_flow.mdx`
- `apps/docs/content/guides/auth/oauth-server/getting-started.mdx`
- `apps/docs/content/guides/auth/passwords.mdx`
- `apps/docs/content/troubleshooting/how-to-migrate-from-supabase-auth-helpers-to-ssr-package-5NRunM.mdx`
- `examples/auth/nextjs/`, `examples/auth/nextjs-full/` (proxy + server)
- `examples/auth/sveltekit/`, `examples/auth/sveltekit-full/`
- `examples/auth/hono/`, `examples/auth/hono-full/`
- `examples/user-management/nextjs-user-management/` (proxy + server)
- `examples/user-management/sveltekit-user-management/`
- `examples/realtime/nextjs-authorization-demo/` (proxy + server)
- `examples/realtime/nextjs-auth-presence/` (pages router)
- `examples/prompts/nextjs-supabase-auth.md`
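The silent omission described under "Why" in the `setAll` commit message above, as an added TypeScript example that is not code from the Supabase repository or from `@supabase/ssr`. The `SetAll` type, `FakeResponse`, the cookie name and the header values are constructed for illustration; only the header names come from the commit message.

```typescript
// Assumed shapes modelled on the commit message; not the @supabase/ssr typings.
type CookieToSet = { name: string; value: string }
type SetAll = (cookies: CookieToSet[], headers: Record<string, string>) => void

// Hypothetical stand-in for an HTTP response object.
interface FakeResponse {
  cookies: Record<string, string>
  headers: Record<string, string>
}
const newResponse = (): FakeResponse => ({ cookies: {}, headers: {} })

// Outdated handler: declares one parameter. It is still assignable to SetAll,
// because TypeScript accepts a function with fewer parameters than the target
// type, so the compiler reports nothing and the headers are dropped.
function makeOutdatedSetAll(res: FakeResponse): SetAll {
  return (cookies) => {
    for (const c of cookies) res.cookies[c.name] = c.value
  }
}

// Updated handler: copies every header it receives onto the response.
function makeUpdatedSetAll(res: FakeResponse): SetAll {
  return (cookies, headers) => {
    for (const c of cookies) res.cookies[c.name] = c.value
    for (const key of Object.keys(headers)) res.headers[key] = headers[key] ?? ''
  }
}

// Simulated token refresh: the caller passes cookies plus cache headers.
// Cookie name and header values are constructed sample data.
function simulateTokenRefresh(setAll: SetAll): void {
  setAll([{ name: 'sb-auth-token', value: 'constructed-token' }], {
    'Cache-Control': 'private, no-store',
    Expires: '0',
    Pragma: 'no-cache',
  })
}

// Review/test helper: which of the three cache headers are absent?
function missingCacheHeaders(res: FakeResponse): string[] {
  return ['Cache-Control', 'Expires', 'Pragma'].filter((h) => !(h in res.headers))
}

function demo(): { outdated: string[]; updated: string[] } {
  const a = newResponse()
  const b = newResponse()
  simulateTokenRefresh(makeOutdatedSetAll(a))
  simulateTokenRefresh(makeUpdatedSetAll(b))
  return { outdated: missingCacheHeaders(a), updated: missingCacheHeaders(b) }
}
```

Because the type checker cannot flag the one-parameter form, a response-level assertion like `missingCacheHeaders` in an integration test is the practical way to catch a handler copied from an outdated snippet.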
## What kind of change does this PR introduce?
Add docs for the custom OAuth & OIDC providers
## Notes
- Pricing to be clarified. Until now, we allow 3 providers per project.
- Dashboard instructions will be updated after dashboard is finalized.
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
This PR fixes some prettier issues:
- Bump and unify all prettier versions to 3.7.3 across the whole repo
- Bump the SQL prettier plugin
- When running `test:prettier`, check `mdx` files also
- Run the new prettier format on all files
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* docs(auth): clarify local OAuth callback URLs for Azure, Google, and LinkedIn
* docs: add local OAuth callback instructions to shared social provider setup
Pretty simple change, we are still referencing legacy service role API keys in the docs. This only updates to reference the current preferred solution with secret API keys
- Add validation for missing required variables
- Add validation for unexpected variables
- Provide detailed error messages showing expected vs provided variables
- Include partial path in error messages for better debugging
- Add comprehensive tests for new error scenarios
Error messages now clearly indicate:
- Which variables are missing
- Which variables are unexpected
- What variables were expected vs provided
Co-authored-by: Claude <noreply@anthropic.com>
* Delete
* Add redirect and remove menu items from the sidebar
* Remove more
* Tidy redirects
* Revert "Delete"
This reverts commit 4a2726a0a6.
* Redirect
* Reapply "Delete"
This reverts commit 9f92a111ef.
* docs: add instructions for hosting Apple App Site Association file for universal links
Add documentation for Universal Links on iOS/Apple platforms, including:
- Instructions for configuring Associated Domains in Xcode
- Requirements for hosting the AASA file on customer infrastructure
- Note that Supabase does not currently support hosting the AASA file
- Example AASA file format and reference to Apple's documentation
This addresses the need for customers to understand how to host the
apple-app-site-association file for Universal Links, which provides
a better user experience than custom URL schemes.
* Apply suggestions from code review
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* refactor: extract Universal Links section to partial for code reuse
Extract the duplicated Universal Links section into a reusable partial
following CONTRIBUTING.md guidelines. This ensures the content is
maintained in a single location and automatically updates in both
the Flutter iOS and Swift sections of the deep linking guide.
* Prettier
* Update apps/docs/content/_partials/universal_links_apple.mdx
* Update apps/docs/content/_partials/universal_links_apple.mdx
* Update apps/docs/content/_partials/universal_links_apple.mdx
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Update apps/docs/content/_partials/universal_links_apple.mdx
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Prettier again
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
* feat: MCP URL builder
- Creates an MCP URL builder component that allows a user to choose options via a UI, then automatically builds the URL and config needed for various MCP clients
- Adds this component to studio Config modal and docs MCP page
* fix(mcp url builder): mcp-remote options
mcp-remote handles OAuth, so no need to pass personal access token
* fix(docs): mcp
We are pushing the remote MCP server rather than the local one, so removing
references to the local server from documentation.
* fix(mcp url builder): ui messages
- Clarify read-only mode
- Storage is not enabled in the default configuration
* fix: mcp url builder
- Refactor unnecessary hook into a utility function
- Fix background color in dark mode
* feat: update remote MCP base URL
* docs: update MCP getting started
- Restores relevant content from prod
- Adds callout about authentication
- Adds next steps to remote MCP installation section
* Update apps/docs/content/guides/getting-started/mcp.mdx
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* feat: click selected project to unselect
This follows the unselect pattern from shadcn combobox example
https://ui.shadcn.com/docs/components/combobox
* Update apps/docs/content/guides/getting-started/mcp.mdx
Co-authored-by: Greg Richardson <greg.nmr@gmail.com>
* Update apps/docs/content/guides/getting-started/mcp.mdx
Co-authored-by: Greg Richardson <greg.nmr@gmail.com>
* Update apps/docs/content/guides/getting-started/mcp.mdx
Co-authored-by: Greg Richardson <greg.nmr@gmail.com>
* fix: light mode connection icons
* chore: format `mcp.mdx`
* fix: VS Code URL handler "name"
Based on docs the field is "name" instead of "id":
- https://code.visualstudio.com/docs/copilot/customization/mcp-servers#_commandline-configuration
- https://code.visualstudio.com/docs/copilot/customization/mcp-servers#_url-handler
* refactor: `NEXT_PUBLIC_MCP_URL` environment variable
* feat: move client selector below options
* feat: "Add to" buttons left aligned about config file
* feat: actionable login hint
* refactor: remote claude desktop client option
---------
Co-authored-by: Matt Rossman <22670878+mattrossman@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Greg Richardson <greg.nmr@gmail.com>
Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
* Clear up keys and connection instructions in web getting started guides
* Update apps/docs/content/_partials/project_setup.mdx
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Update apps/docs/content/_partials/project_setup.mdx
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* prettier
* second try
* Fix keys for getting started section
* Updated keys for auth section, SSR aside
* Remove mention of dropdowns for now
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* fix: rewrite relative URLs when syncing to GitHub discussion
Relative URLs back to supabase.com won't work in GitHub discussions, so
rewrite them back to absolute URLs starting with https://supabase.com
* fix: replace all supabase urls with relative urls
* chore: add linting for relative urls
* chore: bump linter version
* Prettier
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
* Draft
* Update text for guide
* Update text for guide
* Update code for newer next js versions
* Final small change
* Update apps/docs/content/_partials/project_setup.mdx
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
* Changes from review
* Use project name in tutorial text
* Fix up inclusion
* Fix inclusion
* Prettier
---------
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
* feat: move storage settings
* feat: redirect
* feat: database settings in service area
* feat: move data api settings
* fix: revert data API placement
* feat: minor UX touches
* fix: simplify configuration group
* feat: references to database settings
* feat: references to storage settings
* fix: redirects and formatting
* fix: Import StorageMenu dynamically to avoid SSR issues with useLocalStorage
* fix: move Data API closer to semantic siblings
* fix: revert smart comma
* Shift bucket sort logic into storage explorer store
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>