Supabase Release Notes
Last updated: Feb 17, 2026
- Feb 17, 2026
- Date parsed from source:Feb 17, 2026
- First seen by Releasebot:Feb 17, 2026
Removing access to OpenAPI spec via the anon key
Supabase tightens security by deprecating anon key access to the Data API OpenAPI spec. Starting March 11, anonymous requests to the schema endpoint will be forbidden and only secret keys or service roles can access it. Move schema fetches server-side and stay tuned for further security improvements.
What’s Changing?
The Data API returns the full OpenAPI spec for any schema exposed to the Data API at the root path:
https://[projectref].supabase.co/rest/v1/
Starting March 11, we will begin deprecating support for accessing this endpoint via the anon key. You will get the following error message if this endpoint is accessed via the anon key:
{"message":"Access to schema is forbidden","hint":"Accessing the schema via the Data API is only allowed using a secret API key."}
The endpoint remains accessible and the behaviour doesn't change if you are using the service role keys or the new secret API keys.
This does not affect normal Data API usage. Accessing data via /rest/v1/your_table or any client library will continue to work exactly as it does today.
Why?
Today, the endpoint returns schema details (tables, columns, and types of an exposed schema) to anyone with the anon key. While this does not expose actual row data, it provides more information about your schema than most production applications need.
As part of an ongoing effort to tighten default security across Supabase, we are removing this exposure. In practice, the schema spec is mostly useful during development, where you can use the service_role key. There are few cases where you would need it client-side in production (less than 0.1% of our projects have made a request to this endpoint using the anon key in the last 24 hours), and we do not think supporting those use cases is worth the security tradeoff.
Am I Affected?
You are affected if your app currently uses the anon key to fetch the Swagger spec.
You can check by reviewing requests to the /rest/v1/ endpoint via this log query.
If you see requests:
- Click into the event.
- Check whether the request is coming from the anon role.
What Should I Do?
- Check your logs. Use the log query above to see if any of your application traffic relies on this endpoint with the anon key.
- Move affected calls server-side. If your application fetches the schema spec, move that call to a server-side context like Edge Functions where you can safely use the service_role or the new secret API keys.
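A quick way to see which behaviour a given key currently gets from the root path, as an added example (not Supabase code). It keys off the error body quoted above; the `apikey` request header, the Swagger 2.0 `definitions` layout, the function names and the sample bodies are assumptions made for the example.

```javascript
// Added example, not Supabase code. Run it against your own project only.
// Assumptions: the Data API takes the key in the `apikey` header, and the
// spec is Swagger/OpenAPI JSON with exposed tables under `definitions`.

const FORBIDDEN_MESSAGE = "Access to schema is forbidden"; // quoted in the changelog

// Constructed sample bodies (not captured from a real project).
const SAMPLE_FORBIDDEN = JSON.stringify({
  message: FORBIDDEN_MESSAGE,
  hint: "Accessing the schema via the Data API is only allowed using a secret API key.",
});
const SAMPLE_SPEC = JSON.stringify({
  swagger: "2.0",
  definitions: { profiles: { properties: { id: {}, user_id: {}, display_name: {} } } },
});

// Pure classifier, so it can be exercised without network access.
function classifySchemaResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { state: "unknown", status, reason: "body is not JSON" };
  }
  // The changelog does not state the HTTP status, so match on the message.
  if (body && body.message === FORBIDDEN_MESSAGE) {
    return { state: "blocked", status, reason: body.hint || body.message };
  }
  const looksLikeSpec =
    status >= 200 && status < 300 &&
    body !== null && typeof body === "object" &&
    (typeof body.swagger === "string" || typeof body.openapi === "string");
  if (!looksLikeSpec) {
    return { state: "unknown", status, reason: "neither a spec nor the forbidden error" };
  }
  // Summarise what this key reveals: table names and their column names.
  const tables = Object.entries(body.definitions || {}).map(([name, def]) => ({
    name,
    columns: Object.keys((def && def.properties) || {}),
  }));
  return { state: "exposed", status, tables };
}

// Network wrapper; `fetchImpl` is injectable so the call can be stubbed.
async function checkSchemaExposure(projectUrl, apiKey, fetchImpl = fetch) {
  const res = await fetchImpl(new URL("/rest/v1/", projectUrl), {
    headers: { apikey: apiKey },
  });
  return classifySchemaResponse(res.status, await res.text());
}
```

A result of `blocked` for the anon key means the new behaviour already applies to that project; `exposed` lists the tables and columns that key can still read from the spec.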
Rollout and Communications Timeline
| Date | Change |
| --- | --- |
| 17 Feb | Changelog published |
| 4 March | Change announced in monthly newsletter |
| 6 March | Email notification to customers observed using this endpoint |
| 11 March | Newly created projects cannot access endpoint with anon key |
| 24 March | Final email notification to customers observed using this endpoint |
| 8 April | All existing projects cannot access endpoint with anon key |
We may push these dates back based on customer feedback, but we will not move them forward.
What’s Next?
This is the first in a series of changes we are making to tighten default security settings across Supabase. Stay tuned for improvements to RLS usability, default table grants, and additional security features.
- Feb 5, 2026
- Date parsed from source:Feb 5, 2026
- First seen by Releasebot:Feb 6, 2026
Developer Update - February 2026
Supabase unveils PrivateLink access to connect vendors over private networks. New integrations boost productivity with Claude connectors and ByteDance TRAE SOLO, plus edge function drag‑and‑drop zips. Real time Ethereum queries and expanded docs and community programs round out this release.
Here’s everything that happened with Supabase in the last month:
Supabase PrivateLink is now available
Connect your database to AWS resources over private networks. No public internet exposure. Traffic stays within AWS infrastructure using VPC Lattice. [Blog Post]
Postgres Best Practices for AI Agents
30 rules across 8 categories teaching AI agents to write correct Postgres code. Works with Claude Code, Cursor, GitHub Copilot, and other tools. [Blog Post]
Query Ethereum directly from Postgres
Use SQL to query real-time Ethereum blockchain data with the Infura wrapper. [View docs]
Supabase is now an official Claude connector
Connect your Supabase projects to Claude and manage your database by telling Claude what you need. [Blog Post]
Vibe coding, done right
Join us for a 45 minute online workshop with Bolt where we’ll walk through several success stories and best practices for introducing vibe coding safely into your company. [Register now]
Free eBook: Using Postgres to its full extent
Manning Publications and Supabase created a free eBook on using Postgres to its full extent—contemporary SQL techniques, full-text search, data types, and avoiding design mistakes that cost performance. [Download]
Quick Product Announcements
- Action Required: pg_graphql disabled by default on new projects. Ships mid-February. New projects won't have pg_graphql enabled automatically. Existing projects with zero GraphQL requests will also have it disabled. If you use GraphQL, manually enable the extension. GitHub
- TRAE SOLO integration with Supabase. Manage your database, storage, and auth inside ByteDance's AI IDE. Blog Post
- Edge Functions now support drag-and-drop zip files. Upload entire function bundles to migrate between projects. Docs
- SQL snippets save locally in Studio. Share queries via git with your team in supabase/snippets folder. GitHub
- Supabase Assistant helps with database query performance. Get optimization suggestions directly in the dashboard. Twitter
- postgrest-js hits 9M weekly downloads. Twitter
Made with Supabase
- Fanakin - Organize movies, shows, books, games, and more in one place. Create lists, share your profile, and get AI-powered recommendations based on your taste. Website
- PolicyCheck - Free client-side security analysis for your Supabase project. See what's exposed through your public API with just your anon key or user authenticated mode. Website
- Renamify - AI-powered bulk file renaming with 99% accuracy. Rename hundreds of photos instantly with intelligent, descriptive names. Built to make the web more accessible. Website
Community Highlights
- Supabase becomes a Tailwind partner. Announcement
- New contributor site launched at supabase.com/contribute. Search issues across GitHub, Reddit, and Discord filtered by technology. Visit Site
- SupaSquad community program now open. Join as a Contributor, Content Creator, Trusted Host, or Event Speaker. Get early access to features, partner deals, and direct team access. Apply Now
- Jan 26, 2026
- Date parsed from source:Jan 26, 2026
- First seen by Releasebot:Jan 27, 2026
Breaking Change: pg_graphql no longer enabled automatically (within approx 3 weeks from today)
An upcoming release will disable pg_graphql by default on new Supabase projects to reduce exposed surface area. It shifts schema metadata to opt-in and shows how to re-enable via the Database Extensions page or migrations. Existing idle projects will drop access unless used.
In a forthcoming release within approximately 3 weeks, pg_graphql will be disabled by default on new Supabase projects.
This change aligns pg_graphql with our security-first approach of minimizing exposed API surface area by default. Services and extensions that expose schema metadata are now opt-in rather than opt-out, reducing the default attack surface for new projects.
Who is affected
- New projects will no longer have pg_graphql enabled automatically
- Existing projects older than 30 days with zero graphql requests will also have the extension disabled (where previously it was enabled by default). Existing projects with requests will be unaffected.
Action required
- If your application relies on GraphQL, you can enable pg_graphql manually via the Database Extensions page in your dashboard. You can also add create extension pg_graphql to your migrations as well if you wish to keep using pg_graphql.
We continue to fully support pg_graphql for projects that need it. This change simply ensures it's an intentional choice rather than a default.
We'll follow up on this thread with links to relevant documents for actions required.
- Jan 21, 2026
- Date parsed from source:Jan 21, 2026
- First seen by Releasebot:Jan 22, 2026
SQL snippets can now be saved in local Studio
Saving SQL snippets in local Studio
Saving SQL snippets now works in the local Studio! This has been a top community request for a long time, and we’re happy to finally release it.
You can save SQL snippets directly while working in the local Studio via the CLI. Snippets are stored in supabase/snippets, making them easy to commit to Git and share with your team working in the same repo—or ignore entirely with .gitignore if you prefer.
Your saved snippets automatically appear in Studio, just like they do in the hosted Dashboard.
This feature is available since CLI v2.72.7. You can check the version by running supabase -v
- Jan 8, 2026
- Date parsed from source:Jan 8, 2026
- First seen by Releasebot:Jan 8, 2026
Developer Update - January 2026
Supabase delivers a wave of feature updates this month, from Stripe Sync Engine in the dashboard to an enhanced Metrics API, Index Advisor in the Table Editor, and data API upgrades, plus refreshed docs and quick starts.
Here’s everything that happened with Supabase in the last month:
Update on security progress and roadmap
Learn about all the security features we added last year and our 2026 roadmap.
[Blog Post]
Stripe Sync Engine in the Supabase Dashboard
One-click integration for the Stripe Sync Engine directly in the Supabase dashboard. Query your customers, subscriptions, invoices, and payments using standard SQL. [Blog Post]
Enhanced docs for the Metrics API
Better guidance on how to stream Supabase database telemetry into any Prometheus-compatible observability stack. [Blog Post]
Build ChatGPT apps with Supabase and mcp-use
Learn how to build ChatGPT apps that connect to your Supabase database. Use mcp-use, an open source SDK that makes it easy to deploy MCP Servers on Supabase Edge Functions. [Blog Post]
Index Advisor in Table Editor
It’s now much easier to detect missing indexes in your database. [Twitter]
Quick Product Announcements
- Supabase is now in the top-100 repos on GitHub. [Twitter]
- Data API upgraded to PostgREST v14. [GitHub]
- Python Type Generation in the CLI. [Twitter]
- Three new quick starts in docs for Expo React Native, TanStack Start, and Flask. [Twitter]
- Explain/Analyze diagrams are now available in the Supabase Dashboard. [Twitter]
- Dec 11, 2025
- Date parsed from source:Dec 11, 2025
- First seen by Releasebot:Dec 12, 2025
Data API upgrade to PostgREST v14
PostgREST v14 is live starting in ap-northeast-1 with a global rollout coming soon. It boosts performance with a JWT cache that increases GET throughput and faster schema cache loading for complex DBs. Details and full changelog linked.
Hey everyone, PostgREST v14 is now available for new projects on the ap-northeast-1 region. Please try it out and give us your feedback!
v14 will be available for other regions over the next week.
Notable Features
JWT cache
This increases throughput of all requests (~20% more RPS for GET requests according to our benchmarks). It's enabled by default.
This comes at the expense of a bit more memory usage. If you see any problems, you can disable the JWT cache with:
```sql
ALTER ROLE authenticator SET pgrst.jwt_cache_max_entries TO 0; -- this is 1000 by default
```
Faster schema cache loading
For complex databases, we've improved the schema cache loading time (from 7 minutes to 2 seconds on a complex real-world database). No configuration knob needed for this, it's done by default.
Breaking Changes
No breaking changes expected for Supabase users.
Full Changelog
You can see the full changelog at https://github.com/PostgREST/postgrest/releases/tag/v14.0.
- Dec 10, 2025
- Date parsed from source:Dec 10, 2025
- First seen by Releasebot:Dec 11, 2025
Developer Update - December 2025
Supabase launches alpha-ready data and auth features this month. ETL with Iceberg, Analytics Buckets, and Vector Buckets enter private/public alpha, plus Sign in with Your App and new auth templates. AWS Marketplace access and edge function upgrades round out the release.
Here’s everything that happened with Supabase in the last month. Be sure to keep reading for a special gift:
Supabase ETL
A change-data-capture pipeline that continuously replicates data from Supabase Postgres to external destinations, starting with Iceberg. Available in private alpha now.
Analytics Buckets
Specialized storage buckets built on Apache Iceberg and AWS S3 Tables that provide columnar storage for analytical workloads while maintaining compatibility with the Postgres interface. Available in public alpha now.
Vector Buckets
Vector Buckets are a specialized bucket type built on Amazon S3 Vectors. They are cold storage for your embeddings, with a query engine attached. Available in public alpha now.
iceberg-js
A minimal, vendor-agnostic JavaScript client for the Apache Iceberg REST Catalog API.
Supabase Platform
A white-label offering that lets platforms provision and manage fully managed backends on behalf of their users
New Auth Templates
We now include more email templates to handle security-sensitive changes to your app, including password changed, email changed, phone number changed, identity linked or unlinked, multi-factor authentication enrolled or unenrolled, and more.
Sign in with [Your App]
You can now turn your project into a full-fledged identity provider. You’ve heard about “Sign in With Google,” now you can build “Sign in With [Your App].” The immediate catalyst for this is that soon you can build MCP servers that use Supabase Auth in your app to authenticate the user.
Supabase power for Amazon Kiro
With these powers for Amazon’s Kiro IDE, you can build full-stack applications faster by giving Kiro deep knowledge of your Supabase project, best practices for database migrations, edge functions, and security policies.
Supabase in the AWS Marketplace
You can now purchase Supabase through the AWS Marketplace, which means that if your company has an AWS spend-commit you can use it to purchase Supabase.
Quick Product Announcements
- We’ve added asynchronous streaming to Postgres Foreign Data Wrappers.
- We now support deploying legacy NodeJS applications as Edge Functions.
- You can now download Edge Functions from the Supabase CLI without Docker.
- You can now bulk paste and edit individual secrets for Edge Functions.
- Dec 4, 2025
- Date parsed from source:Dec 4, 2025
- First seen by Releasebot:Dec 5, 2025
Build "Sign in with Your App" using Supabase Auth
Supabase Auth now serves as an OAuth 2.1 and OpenID Connect provider, enabling MCP authentication, enterprise SSO, and a developer ecosystem. Build AI agents, partner apps, and cross‑app sign‑on using your existing security model.
Why We Built This
You've used "Sign in with Google" and "Sign in with GitHub" countless times. But what if your Supabase project could be the identity provider? Today, we're adding OAuth 2.1 and OpenID Connect server capabilities to Supabase Auth, turning your project into a full-fledged identity provider.
This opens up powerful new possibilities: AI agents authenticating through your app via the Model Context Protocol (MCP), third-party developers building on your platform, partner integrations accessing your APIs securely, and enterprise single sign-on. All using the same battle-tested auth infrastructure you already rely on.
The immediate catalyst?
Model Context Protocol (MCP) authentication. As AI agents and LLM tools become ubiquitous, they need a standardized way to authenticate with services. MCP has emerged as that standard, and it's built on OAuth 2.1. Your Supabase project can now be the identity provider these AI tools authenticate against.
But the applications extend far beyond AI:
- Third-party developer ecosystems - Let partners build apps that integrate with your platform
- Partner API access - Grant secure access to external services
- "Powered by [Your App]" - Enable users to use their existing account on your platform to sign into partner applications
- Enterprise SSO - Full OpenID Connect support with ID tokens, UserInfo endpoint, and organizational single sign-on
If you're building a platform where other developers or services need secure access to user data, OAuth 2.1 server capabilities are now baked into your Supabase project.
What You Can Build
With Supabase Auth as an OAuth 2.1 provider, you can:
For AI and Automation:
- MCP servers that authenticate users through your Supabase project
- AI agents that securely access user data with proper authorization
- LLM tools integrated into your application ecosystem
For Developer Platforms:
- Third-party apps offering "Sign in with [Your App]"
- Partner integrations with granular access control
- Developer API access with OAuth tokens
- Marketplace apps built on your platform
For Enterprise:
- OpenID Connect single sign-on (SSO) with ID tokens and UserInfo endpoint
- Centralized identity management across services
- Standards-compliant enterprise authentication
- Compliance-friendly audit trails
How It Works: The Big Picture
Supabase Auth implements OAuth 2.1 with OpenID Connect (OIDC), the modern, secure standards for authentication and identity. At its core is the authorization code flow with PKCE (Proof Key for Code Exchange).
The implementation uses the authorization code flow, the most secure OAuth flow for server-side apps and native applications. PKCE protects against authorization code interception attacks. Access tokens are JWTs containing standard Supabase claims (user_id, role) plus OAuth-specific claims like client_id. For OpenID Connect flows, clients also receive ID tokens, standardized identity tokens with user profile information, and can access the UserInfo endpoint to retrieve user data. Refresh tokens enable long-lived sessions without re-authentication, while the JWKS endpoint provides public key infrastructure for third parties to validate tokens.
The best part? Your existing Supabase security model extends naturally to OAuth: Row Level Security (RLS) policies apply to OAuth access tokens just like they do to regular session tokens.
Works with Your Existing Auth Stack
One of the most powerful aspects of this implementation is how seamlessly it integrates with Supabase Auth features you're already using. When users authenticate through the OAuth flow, you can use all of Supabase Auth's existing methods: password authentication, magic links, social providers (Google, GitHub, etc.), multi-factor authentication (MFA), and phone authentication. Your third-party integrations get the benefit of your existing authentication security without you having to rebuild anything.
Already using Custom Access Token Hooks to add custom claims to user tokens? They work with OAuth tokens too. You can inject client-specific claims, add custom permissions, or implement any token customization logic you need. The flexibility you have with regular auth tokens extends to OAuth.
Your RLS policies automatically apply to OAuth access tokens. The tokens include the standard user_id and role claims you're used to, plus a client_id claim that identifies which OAuth client is making the request.
This means you can grant different OAuth clients access to different subsets of user data:
```sql
-- Grant your mobile app access to user profiles
CREATE POLICY "Mobile app can read profiles"
ON profiles FOR SELECT
USING (
  (auth.uid() = user_id) AND
  ((auth.jwt() ->> 'client_id') = 'mobile-app-client-id')
);

-- Grant a third-party analytics dashboard read-only access to metrics
CREATE POLICY "Analytics dashboard can read metrics"
ON user_metrics FOR SELECT
USING (
  (auth.uid() = user_id) AND
  ((auth.jwt() ->> 'client_id') = 'analytics-dashboard-client-id')
);
```
MCP Authentication
Supabase Auth fully complies with the Model Context Protocol's OAuth 2.1 authentication spec. Your Supabase project exposes standard OAuth authorization server metadata at /.well-known/oauth-authorization-server, enabling automatic discovery of your authorization endpoints, token endpoints, and capabilities. MCP clients can register themselves dynamically using OAuth 2.1 dynamic client registration (no manual configuration required).
Here's what this means in practice: point an MCP-compatible AI tool at your Supabase project's auth URL, and it handles the rest. The tool discovers your endpoints, registers itself as a client, initiates the OAuth flow, and obtains tokens. The AI agent authenticates as the user, with all your RLS policies enforced automatically. Users see your consent screen, approve access, and the AI tool operates on their behalf, with exactly the permissions you've defined. No passwords exposed, no custom API wrappers needed.
We're just getting started with MCP. We're working on making it even easier to build MCP servers directly in Supabase, bringing the same developer experience you love to AI agent integrations.
Getting Started
Setting up OAuth 2.1 in your Supabase project starts with registering OAuth clients through the Supabase dashboard or Management API. You'll configure their allowed redirect URIs and receive a client_id. Then you'll build your authorization flow, an endpoint that receives OAuth authorization requests, authenticates users (using existing Supabase Auth methods), presents a consent UI, and confirms approvals with Supabase Auth.
Update your Row Level Security policies to handle OAuth clients appropriately, deciding which data third-party apps can access and what remains user-only. Third-party apps validate tokens using your public JWKS endpoint, no shared secrets required. They can verify tokens asymmetrically using standard OAuth 2.1 libraries.
Complete documentation with code examples is available in our OAuth 2.1 guide.
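What the JWKS-based validation described above involves on the third-party side, as an added example (not Supabase code and not taken from the OAuth 2.1 guide). It assumes ES256-signed tokens, a `kid` header that selects the JWKS entry, and the claim names `sub`, `exp` and `client_id`; the key pair, token and function names are constructed for the example.

```javascript
// Added example, not Supabase code. Assumptions: ES256-signed tokens, a `kid`
// header selecting the JWKS entry, and the claim names `sub`, `exp`, `client_id`.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64urlJson = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// `jwks` is the parsed JSON served by the project's JWKS endpoint.
function verifyAccessToken(token, jwks, { expectedClientId, now = Date.now() / 1000 }) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [headerPart, payloadPart, sigPart] = parts;
  const header = fromB64urlJson(headerPart);

  // Pin the algorithm instead of trusting the token's own header; this
  // rejects "none" and symmetric algorithms outright.
  if (header.alg !== "ES256") throw new Error("unexpected alg");

  const jwk = jwks.keys.find((k) => k.kty === "EC" && k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = nodeCrypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y },
    format: "jwk",
  });

  // JWS carries ECDSA signatures as raw r||s, hence ieee-p1363.
  const valid = nodeCrypto.verify(
    "sha256",
    Buffer.from(`${headerPart}.${payloadPart}`),
    { key, dsaEncoding: "ieee-p1363" },
    Buffer.from(sigPart, "base64url")
  );
  if (!valid) throw new Error("bad signature");

  // Only read claims after the signature checks out.
  const claims = fromB64urlJson(payloadPart);
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  if (claims.client_id !== expectedClientId) throw new Error("wrong client_id");
  return claims;
}

// Returns the rejection reason, or null when the token is accepted.
function rejectionReason(token, jwks, options) {
  try {
    verifyAccessToken(token, jwks, options);
    return null;
  } catch (err) {
    return err.message;
  }
}

// --- Constructed demo material: throwaway key pair and token ---
function signDemoToken(privateKey, header, claims) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign("sha256", Buffer.from(input), {
    key: privateKey,
    dsaEncoding: "ieee-p1363",
  });
  return `${input}.${b64url(sig)}`;
}

const demoKeys = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const DEMO_JWKS = {
  keys: [{ ...demoKeys.publicKey.export({ format: "jwk" }), kid: "demo-key-1" }],
};
const DEMO_NOW = 1700000000;
const DEMO_TOKEN = signDemoToken(
  demoKeys.privateKey,
  { alg: "ES256", typ: "JWT", kid: "demo-key-1" },
  { sub: "user-123", role: "authenticated", client_id: "analytics-dashboard-client-id", exp: DEMO_NOW + 300 }
);
```

In a real integration the JWKS document is fetched from the project and cached rather than generated locally, and a production verifier would also check the issuer and audience it expects.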
OpenID Connect Support
Beyond OAuth 2.1, Supabase Auth now includes full OpenID Connect (OIDC) support, making it perfect for enterprise single sign-on and standardized identity integrations.
When authenticating with OIDC, clients receive an ID token alongside the access token. This standardized JWT contains user profile information and is signed by your Supabase project, allowing third parties to verify user identity without additional API calls. Your project also exposes the standard OIDC UserInfo endpoint, providing a secure way for clients to retrieve user profile information using their access token, enabling seamless integration with enterprise identity systems and standard OIDC libraries.
Your project automatically exposes an OIDC discovery endpoint at /.well-known/openid-configuration, making integration with enterprise tools and standard OIDC clients straightforward. Point an enterprise SSO system at your Supabase project, and it discovers everything it needs to integrate. This makes Supabase Auth a complete identity provider solution, compatible with any OIDC-compliant application or service.
What's Next
We're continuing to expand OAuth capabilities. Granular scopes are coming soon, allowing clients to request specific permissions rather than full user access (scope=read:profile read:metrics). We're making it even easier to build and deploy MCP servers directly in Supabase, bringing AI agent authentication into the same seamless developer experience you already know.
We're building this in the open. The GitHub discussion is active, share your use cases and help shape the roadmap.
Try It Today
OAuth 2.1 and OpenID Connect capabilities are now available in Supabase Auth. Get started:
- Read the documentation
- View the GitHub discussion
- Join the Discord to share what you're building
Whether you're building an MCP server for AI agents, implementing enterprise SSO with OpenID Connect, creating a developer platform, or just want to offer "Sign in with [Your App]", Supabase Auth now has you covered.
- Nov 26, 2025
- Date parsed from source:Nov 26, 2025
- First seen by Releasebot:Nov 27, 2025
- Modified by Releasebot:Dec 3, 2025
[Public Alpha] Manage Vector Buckets from the dashboard
Supabase introduces Vector Buckets to store, index, and query vector embeddings at scale. The feature is in Public Alpha with rapid updates as access expands. Analytics Buckets are also in Public Alpha. Feedback requested via dashboard and docs.
We're rolling out management of Vector Buckets where you can store, index, and query your vector embeddings at scale!
Vector Buckets is currently in Public Alpha, hence expect rapid changes and possible breaking updates as we expand access to make this increasingly available to everyone.
Analytics Buckets is also currently in Public Alpha if that might interest you too!
What we'd like to know from you
- Any bugs / issues that you might run into when using Vector Buckets
- Any UX friction that you might run into when managing Vector Buckets through the dashboard
- Any use cases for Analytics Buckets, and how we might be able to improve the DX to support your development / workflow
Related Links
- Dashboard: https://supabase.com/dashboard/project/_/storage/vectors
- Documentation: https://supabase.com/docs/guides/storage/vector/introduction
- Nov 24, 2025
- Date parsed from source:Nov 24, 2025
- First seen by Releasebot:Nov 24, 2025
- Modified by Releasebot:Dec 12, 2025
Dashboard Updates (101125 - 251125)
Dashboard storage UI gains Analytics and Vectors buckets, signaling a broader product expansion. The release adds scalable bucket rendering and search by bucket name, plus assorted UI fixes across Account, Auth, Storage, Database and the Table Editor. Watch for more details coming soon.
Another brief summary of changes that went into the dashboard over the past 2 weeks 🙂 🙏
Update to the Storage UI
This was mentioned in the previous changelog announcement but we've recently updated the UI of the storage section in the dashboard as we're expanding the product with 2 new types of buckets - Analytics and Vectors 🙂
We'll have more information regarding these 2 buckets in the near future, but if you might be interested in Analytics Buckets, we've got a separate discussion here where we're hoping to get some feedback once it becomes available! 🙏🙂 Watch this space!
PR: https://github.com/supabase/supabase/pull/40076
Link: https://supabase.com/dashboard/project/_/storage/files
Other bug fixes and improvements
Account
- Add settings to toggle Inline SQL Editor Panel via keyboard shortcut (PR)
Auth
- Support toggling security emails from respective templates page (Feature is behind a feature preview) (PR)
- Default users search to be on the emails column instead of user ID (PR)
Storage
- Virtualize rendering of buckets to support rendering a large number of buckets in UI (PR)
- Added search support to search on bucket names for bucket policies page (PR)
Database
- Adds a link from trigger list to the corresponding database function, and a link to the table in the Table Editor (PR)
- Fix code editor warnings overflowing issue (PR)
Table Editor
- Fix mobile menu closing when changing schema (PR)
- Hide row actions and separators for tables in protected schemas (PR)
- Fix empty state drag drop zone to handle non CSV file types (PR)
- Fix Table Editor not horizontally scrollable when there's no rows (PR)
- Link to policies page to use table name as search param instead of table ID (PR)
- Persist sort preferences within "Select foreign key record" sheet (PR)
Support Form
- Automatically select the organization in the support form if navigating to support form from an organization page (PR)