Upcoming changes to Supabase API Keys (new & restored projects affected from 1st May 2025, no breaking changes for existing projects until 1st October 2025) #29260
Pinned
kangmingtay
announced in
Changelog
Replies: 2 comments 2 replies
-
Is this live? |
Beta Was this translation helpful? Give feedback.
2 replies
-
Dang. I was looking forward to an improved auth flow. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Introduction
We’re changing the way API keys work in Supabase to improve your project’s security and developer experience and plan to roll out these changes Q4 2024. Rest assured that the current API keys in your existing projects will continue to work for another year until 1st October 2025 during the transition.
We’ll contact you when we launch the new API keys, and when we do, no immediate action is required. However, we strongly recommend that you migrate your project’s existing API keys for the new set when they are introduced. Updating to use the new API keys is a quick and painless process and can be as simple as a change in environment variable and take just a few minutes.
Timeline
7th October 2024New projects will automatically generate both new API keys and legacy API keys to help ease the transition.
Existing projects can continue to use the legacy API keys and can opt in to use the new API keys by manually generating them.
New projects will be created with only new API keys.
Projects restored from 1st May 2025 will no longer be restored with the legacy API keys.
Why are we doing this?
Currently there is a tight coupling between API keys and the JWT secret which presents a few challenges:
Difficult to revoke the
service_role
oranon
key. Imagine if someone in your Supabase organization leaves the team, and you want to roll your project’s JWT secret to revoke their access? Or you accidentally commit theservice_role
key into your version control system and need to roll it?If either of these keys gets leaked, the developer’s only option is to roll the JWT secret by generating a new one. When the JWT secret is rolled, all authenticated users would be logged out, clients using the older anon and service keys would break. Realistically, there is no way to roll the JWT secret without downtime.
Sub-optimal developer experience to create an API key with a custom role. Developer needs to sign a JWT with a long expiry time and their custom role using the secret.
The introduction of new API keys solves the above problems by allowing the developer to:
API Key changes
These are the planned changes for the API keys:
anon
key will be renamed topublishable
key and theservice_role
key will be renamed tosecret
key.publishable
api keys are meant to be used along with Supabase Auth users andsecret
api keys are for use from the server side and bypasses all row level security policies. We chose to usepublishable
andsecret
to align with stripe’s terminology and preferred it to terms likepublic
andprivate
since those could be confused with public / private key cryptography when we introduce asymmetric JWTs to Supabase Auth.New API keys will look like regular strings instead of JWTs:
anon
key:eyJhbGciOiJIUzI1...FDsBGn0iqSmL28Zeg8f0
publishable
key:sb_publishable_123abc
service_role
key:eyJhbGciOiJIUzI1...SEVEyZQNhffCoSj4P5A
secret
key:sb_secret_123abc
With the new API keys, it will be possible to revoke individual API keys and without revoking the JWT secret. Once the legacy API key is revoked, it won’t be possible to restore them.
New projects will be created with both new and legacy API keys until 1st May 2025. New projects created after this date will only be created with new API keys.
Projects that are restored after 1st May 2025 will not be restored with legacy API keys.
Legacy API keys will no longer work for all projects after 1st October 2025.
Migration to the new API keys
anon
keypublishable
keyservice_role
keysecret
key.env
file to contain the new API keyFrequently Asked Questions
apikey
header, theAuthorization
header and the underlying Postgres role used?service_role
. When creating the new secret API keys, you can override this behavior and assign a customrole
. Downstream services like postgREST and storage assume this role when they are called with this API key.anon
role. When a user JWT is passed in via theAuthorization
header, the role claim in the JWT is used instead. You cannot map publishable keys to custom roles when creating the key, like you will be able to do with secret API keys.Beta Was this translation helpful? Give feedback.
All reactions