## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Instructed granting least-privilege table permissions for anon,
authenticated, and service roles prior to enabling Row Level Security
across multiple guides and quickstarts.
* Clarified SQL examples and inline comments, added explicit GRANT steps
and RLS SELECT policies, rephrased policy guidance, and adjusted example
ordering and section numbering for clearer setup and testing.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated SDK initialization examples to reflect current authentication
patterns across multiple Supabase integration guides
* Enhanced security documentation with expanded guidance on protecting
sensitive credentials like secrets and service role keys in frontend and
Edge Function environments
* Clarified Row-Level Security access patterns and data availability
considerations when using publishable keys
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: fadymak <dev@fadymak.com>
## What kind of change does this PR introduce?
Documentation fix
## What is the current behavior?
Several docs pages use "Javascript" and "Typescript" (lowercase 's')
instead of the official camelCase names:
1. **client-libs.mdx**: "Javascript/Typescript" in the official
libraries table
2. **creating-routes.mdx**: "Javascript" as a tab label
3. **page.tsx** (docs home): "Javascript" as a client library card title
4. **MainSkeleton.tsx**: "Javascript Reference v1.0" and "Javascript
Reference v2.0" in sidebar navigation
## What is the new behavior?
All corrected to "JavaScript" and "TypeScript" (capital S).
## Additional context
The official names are "JavaScript" and "TypeScript" per their
respective specifications and branding guidelines.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Corrected capitalization of language names in API guides, updating
"Javascript" to "JavaScript" and "Javascript/Typescript" to
"JavaScript/TypeScript" for consistency.
* **Style**
* Updated display labels for JavaScript in navigation menus and UI tabs
to use proper terminology and capitalization.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a curl command example in the API quickstart guide,
demonstrating how to query the todos endpoint with proper authentication
headers for quick API testing.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES/
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated API docs and quickstart examples to reference publishable API
keys in configuration snippets, cURL examples, and browser guidance.
* Adjusted quickstart cURL examples to simplify headers and align with
publishable-key usage.
* Clarified security guidance to recommend distributing publishable keys
where appropriate and updated related wording across guides.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: fadymak <dev@fadymak.com>
## Summary
- Split the API quickstart so enabling Data API access is its own step,
separated from table creation and from RLS policy setup.
- Renamed the RLS step from "Allow public access" to "Configure RLS" and
changed the `-- Turn on security` comment to `-- Turn on RLS`.
- Split RLS into two steps: one that enables RLS and creates policies,
and a follow-up that grants table access to the `authenticated` and
`service_role` roles.
- Added a link to [Expose specific tables and
functions](/docs/guides/database/data-api#expose-specific-tables-and-functions-recommended)
for users who want more than a `grant select`.
- Updated the Dashboard instructions to match the current **Integrations
> Data API > Settings** UI (Exposed schemas + Exposed tables) and
dropped the "Default privileges for new entities" callout to lean into
secure-by-default.
Updates our documentation pages around the Data API to include
instructions on how to grant the necessary privileges across API roles
across tables and functions. Current behaviour means this is largely
unnecessary as privileges are granted by default on public schema, but
adding instructions will help cover scenarios where this isn't the case
and expose some of the underlying magic happening.
## To test:
- These updates refer to new settings that are added to the data api
that give more visibility and control over what tables and functions are
accessible via the api.
- To view these settings you'll need enable `tableEditorApiAccessToggle
` feature flag
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a new "Data API" guide and removed the old "Hardening the Data
API" page
* Updated navigation links to surface the new Data API guide
* Expanded quickstarts, SDK install pages, and security guides with
step‑by‑step Data API exposure, default‑privileges, RLS guidance, and
SQL GRANT examples (including function EXECUTE notes)
* Updated troubleshooting references and added redirects for legacy
documentation paths
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: SaxonF <1072756+SaxonF@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Replaces "stored procedures" with "functions" for everything related to
the Data API.
## Additional context
It's not accurate to call database functions "stored procedures". It may
have been that way before Postgres 11, but now it causes confusion
because PostgREST allows functions and not stored procedures.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Standardized terminology across docs, SDK guides, CLI/config specs,
examples, UI, and config comments to use "database functions" instead of
"stored procedures".
* Updated API docs, CLI/config descriptions, Studio UI labels, help
text, empty-state and navigation copy, RPC documentation, and example
text for consistency.
* Adjusted explanatory text and error/help messages to reflect the
revised terminology.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
With the upcoming deprecation of the anonymous and service role keys,
this PR updates the Auth guides to use the publishable key instead of
the soon-to-be-deprecated anonymous key.
It also standardizes the example strings to be:
`'https://your-project-id.supabase.co'` and `'sb_publishable_...'` for
consistency.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Standardized client initialization examples to use a consistent
publishable-key placeholder (`sb_publishable_...`) and full project URL
format.
* Replaced "anon key" wording with "publishable key" across auth and API
guides and examples.
* Minor formatting and import-order/whitespace improvements in code
samples for clarity and consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Simplified guidance for handling leaked or compromised service_role
(JWT) keys: consolidated prior branching instructions into a single,
clear recommendation to replace the service_role key via the standard
secret-key rotation process to avoid downtime.
* Removed an obsolete "rotate service role key" further-reading link to
streamline troubleshooting and reduce duplication.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Cameron Blackwood <38852603+Reikon95@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update: `supabaseR` is a structured, planned approach by
@deepanshkhurana and @maciekbanas to support all Supabase functionality
through a package in R.
We're moving with a fully open-source approach. A public Project board
can be found
[here](https://github.com/users/DeepanshKhurana/projects/6). The goal is
to support all Supabase functionality and get the package on the
official R CRAN soon.
## What is the current behavior?
There is no Supabase package for R.
## What is the new behavior?
We are introducing a new package for R.
## Additional context
Add any other context or screenshots.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added new R language library entry to the community libraries table
with documentation link
* Enhanced table formatting and standardized column widths across all
community library entries for improved readability
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
*Summary*
- reorganize the navigation menu to highlight modules, consolidate API
security content, and move guide entries (auto-generated docs, type
generation, security topics) to the intended sections
- relocate the Data API hardening and custom claims RBAC guides into the
API subtree, updating internal references and redirects, and fixing
cross-links (including adjusting the Security reference order)
- adjust data API topic references (e.g., securing guide and role
management) to point to the new paths and ensure the helper link
ordering follows the requested layout
*Testing*
- Not run (not requested)
Change 1
<img width="1286" height="576" alt="image"
src="https://github.com/user-attachments/assets/d903e9b0-bbfc-403f-bcb9-eee540e466db"
/>
Change 2
<img width="1176" height="666" alt="image"
src="https://github.com/user-attachments/assets/82b3ea4c-b8d4-4cb9-ad90-6c39c8a1a997"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Reorganized API documentation structure, consolidating REST and
GraphQL API guides under a dedicated API section.
* Moved security-related guides to API documentation paths for better
organization.
* Implemented automatic redirects for old documentation links to new
locations.
* Updated navigation menu to reflect the restructured documentation
layout.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Remove duplicate table assignment using undefined `supabase` variable
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the current behavior?
-
## What is the new behavior?
-
## Additional context
-
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Simplified the Python API client examples in the generating Python
types guide by removing redundant code assignments, making the
documentation clearer and easier to follow.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the current behavior?
Shows the old UI instructions and video
## What is the new behavior?
Updated with new UI instructions and video
## Additional context
Add any other context or screenshots.
## What kind of change does this PR introduce?
Grammar corrections across documentation and test descriptions.
## What is the current behavior?
Multiple docs and test files use "a" before acronyms that start with a
vowel sound when pronounced:
- "a HTTP" (pronounced "aitch-tee-tee-pee") should be "an HTTP"
- "a API" (pronounced "ay-pee-eye") should be "an API"
- "a RLS" (pronounced "arr-ell-ess") should be "an RLS"
- "the all users" is redundant (should be "all users")
## What is the new behavior?
All instances corrected to use proper English indefinite articles:
### Docs files (11 files):
- `firebase-auth.mdx` — "the all users" -> "all users" (2 occurrences)
- `log-drains.mdx` — "a HTTP drain" -> "an HTTP drain"
- `securing-your-api.mdx` — "a HTTP 402" and "a HTTP 420" -> "an HTTP"
- `scan-error-*.mdx` — "a HTTP 500" -> "an HTTP 500"
- `roboflow.mdx` — "a HTTP interface" -> "an HTTP interface"
- `auth-hooks.mdx` — "A HTTP Hook" -> "An HTTP Hook", "a HTTP hook" ->
"an HTTP hook", "a HTTP error" -> "an HTTP error"
- `auth-mfa.mdx` — "a HTTP 401" -> "an HTTP 401"
- `password-verification-hook.mdx` — "a HTTP request" -> "an HTTP
request"
- `before-user-created-hook.mdx` — "a HTTP implementation" -> "an HTTP
implementation"
- `pgtap-extended.mdx` — "a API exposed schema" -> "an API exposed
schema"
- `error-codes.mdx` — "a RLS policy" -> "an RLS policy"
- `broadcast.mdx` — "a RLS" -> "an RLS"
### Studio files (1 file):
- `CronJobs.utils.test.ts` — "a HTTP request" -> "an HTTP request" (9
test descriptions) + "notationa" typo -> "notation"
## Additional context
The rule: use "an" before acronyms pronounced with a leading vowel
sound. "HTTP" starts with "aitch" (vowel sound), "API" starts with "ay"
(vowel sound), and "RLS" starts with "arr" (vowel sound).
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the new behavior?
Adds PostgREST mirror codes
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a comprehensive PostgREST Error Codes guide covering database-
and API-level errors, HTTP status mappings, JSON examples, SQL query
samples, and log-analysis/debugging tips.
* Updated REST API Guides navigation to include the new Error Codes
documentation link.
* **Style**
* Expanded spelling allow-list to include "Grantor" (case variant) and
"SQL".
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
add elixir to client lib docs
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added Elixir to the API documentation's community client libraries
list, including a link to the Elixir client repository so Elixir
developers can discover and access the community-supported library.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
* chore(docs): add python type gen using CLI guide
* chore: use relative URL instead of absolute one
* chore: add python type gen to docs
* fix: change users to movies
* chore: change .ts to .py
* chore: fix syntax
* Prettier
* fix(docs): instantiate client in the example
* Update apps/docs/content/guides/api/rest/generating-python-types.mdx
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
* fix: rewrite relative URLs when syncing to GitHub discussion
Relative URLs back to supabse.com won't work in GitHub discussions, so
rewrite them back to absolute URLs starting with https://supabase.com
* fix: replace all supabase urls with relative urls
* chore: add linting for relative urls
* chore: bump linter version
* Prettier
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
The example for checking additional API keys has a security flaw and bad code.
It checked current_role for anon to do security, but because it is a security definer function the role will never be anon.
Added to check for the role claim in the jwt.
Also the table used for keys is UUID and the type from the header is text for the key. Cast it to UUID.
Saxon Fletcher