Supabase Release Notes

Hey everyone, PostgREST v14 is now available for new projects on the ap-northeast-1 region. Please try it out and give us your feedback!

v14 will be available for other regions over the next week.

Notable Features

JWT cache

This increases throughput of all requests (~20% more RPS for GET requests according to our benchmarks). It's enabled by default.
This comes at the expense of a bit more memory usage, if you see any problems you can disable the JWT cache with:

ALTER ROLE authenticator SET pgrst.jwt_cache_max_entries TO 0; -- this is 1000 by default

Faster schema cache loading

For complex databases, we've improved the schema cache loading time (from 7 minutes to 2 seconds on a complex real-world database). No configuration knob needed for this, it's done by default.

Breaking Changes

No breaking changes expected for Supabase users.

Full Changelog

You can see the full changelog at https://github.com/PostgREST/postgrest/releases/tag/v14.0.

Original source Report a problem

Here’s everything that happened with Supabase in the last month. Be sure to keep reading for a special gift:

Supabase ETL

A change-data-capture pipeline that continuously replicates data from Supabase Postgres to external destinations, starting with Iceberg. Available in private alpha now.

Analytics Buckets

Specialized storage buckets built on Apache Iceberg and AWS S3 Tables that provide columnar storage for analytical workloads while maintaining compatibility with the Postgres interface. Available in public alpha now.

Vector Buckets

Vector Buckets are a specialized bucket type built on Amazon S3 Vectors. They are cold storage for your embeddings, with a query engine attached. Available in public alpha now.

iceberg-js

A minimal, vendor-agnostic JavaScript client for the Apache Iceberg REST Catalog API.

Supabase Platform

A white-label offering that lets platforms provision and manage fully managed backends on behalf of their users

New Auth Templates

We now include more email templates to handle security-sensitive changes to you app, including password changed, email changed, phone number changed, identity linked or unlinked, multi-factor authentication enrolled or unenrolled, and more.

Sign in with [Your App]

You can now turn your project into a full-fledged identity provider. You’ve heard about “Sign in With Google,” now you can build “Sign in With [Your App].” The immediate catalyst for this is that soon you can build MCP servers that use Supabase Auth in your app to authenticate the user.

Supabase power for Amazon Kiro

With these powers for Amazon’s Kiro IDE, you can build full-stack applications faster by giving Kiro deep knowledge of your Supabase project, best practices for database migrations, edge functions, and security policies.

Supabase in the AWS Marketplace

You can now purchase Supabase through the AWS Marketplace, which means that if your company has an AWS spend-commit you can use it to purchase Supabase.

Quick Product Announcements

• We’ve added asynchronous streaming to Postgres Foreign Data Wrappers.
• We now support deploying legacy NodeJS applications as Edge Functions.
• You can now download Edge Functions from the Supabase CLI without Docker.
• You can now bulk paste and edit individual secrets for Edge Functions.

Original source Report a problem

Why We Built This

You've used "Sign in with Google" and "Sign in with GitHub" countless times. But what if your Supabase project could be the identity provider? Today, we're adding OAuth 2.1 and OpenID Connect server capabilities to Supabase Auth, turning your project into a full-fledged identity provider.

This opens up powerful new possibilities: AI agents authenticating through your app via the Model Context Protocol (MCP), third-party developers building on your platform, partner integrations accessing your APIs securely, and enterprise single sign-on. All using the same battle-tested auth infrastructure you already rely on.

The immediate catalyst?

Model Context Protocol (MCP) authentication. As AI agents and LLM tools become ubiquitous, they need a standardized way to authenticate with services. MCP has emerged as that standard, and it's built on OAuth 2.1. Your Supabase project can now be the identity provider these AI tools authenticate against.

But the applications extend far beyond AI:

• Third-party developer ecosystems - Let partners build apps that integrate with your platform
• Partner API access - Grant secure access to external services
• "Powered by [Your App]" - Enable users to use their existing account on your platform to sign into partner applications
• Enterprise SSO - Full OpenID Connect support with ID tokens, UserInfo endpoint, and organizational single sign-on

If you're building a platform where other developers or services need secure access to user data, OAuth 2.1 server capabilities are now baked into your Supabase project.

What You Can Build

With Supabase Auth as an OAuth 2.1 provider, you can:

For AI and Automation:

• MCP servers that authenticate users through your Supabase project
• AI agents that securely access user data with proper authorization
• LLM tools integrated into your application ecosystem

For Developer Platforms:

• Third-party apps offering "Sign in with [Your App]"
• Partner integrations with granular access control
• Developer API access with OAuth tokens
• Marketplace apps built on your platform

For Enterprise:

• OpenID Connect single sign-on (SSO) with ID tokens and UserInfo endpoint
• Centralized identity management across services
• Standards-compliant enterprise authentication
• Compliance-friendly audit trails

How It Works: The Big Picture

Supabase Auth implements OAuth 2.1 with OpenID Connect (OIDC), the modern, secure standards for authentication and identity. At its core is the authorization code flow with PKCE (Proof Key for Code Exchange).

The implementation uses the authorization code flow, the most secure OAuth flow for server-side apps and native applications. PKCE protects against authorization code interception attacks. Access tokens are JWTs containing standard Supabase claims (user_id, role) plus OAuth-specific claims like client_id. For OpenID Connect flows, clients also receive ID tokens, standardized identity tokens with user profile information, and can access the UserInfo endpoint to retrieve user data. Refresh tokens enable long-lived sessions without re-authentication, while the JWKS endpoint provides public key infrastructure for third parties to validate tokens.

The best part? Your existing Supabase security model extends naturally to OAuth: Row Level Security (RLS) policies apply to OAuth access tokens just like they do to regular session tokens.

Works with Your Existing Auth Stack

One of the most powerful aspects of this implementation is how seamlessly it integrates with Supabase Auth features you're already using. When users authenticate through the OAuth flow, you can use all of Supabase Auth's existing methods: password authentication, magic links, social providers (Google, GitHub, etc.), multi-factor authentication (MFA), and phone authentication. Your third-party integrations get the benefit of your existing authentication security without you having to rebuild anything.

Already using Custom Access Token Hooks to add custom claims to user tokens? They work with OAuth tokens too. You can inject client-specific claims, add custom permissions, or implement any token customization logic you need. The flexibility you have with regular auth tokens extends to OAuth.

Your RLS policies automatically apply to OAuth access tokens. The tokens include the standard user_id and role claims you're used to, plus a client_id claim that identifies which OAuth client is making the request.

This means you can grant different OAuth clients access to different subsets of user data:

1 -- Grant your mobile app access to user profiles
CREATE POLICY "Mobile app can read profiles"
ON profiles FOR SELECT
USING (
(auth.uid() = user_id)
AND
((auth.jwt() ->> 'client_id') = 'mobile-app-client-id')
);

-- Grant a third-party analytics dashboard read-only access to metrics
CREATE POLICY "Analytics dashboard can read metrics"
ON user_metrics FOR SELECT
USING (
(auth.uid() = user_id)
AND
((auth.jwt() ->> 'client_id') = 'analytics-dashboard-client-id')
);

MCP Authentication

Supabase Auth fully complies with the Model Context Protocol's OAuth 2.1 authentication spec. Your Supabase project exposes standard OAuth authorization server metadata at /.well-known/oauth-authorization-server, enabling automatic discovery of your authorization endpoints, token endpoints, and capabilities. MCP clients can register themselves dynamically using OAuth 2.1 dynamic client registration (no manual configuration required).

Here's what this means in practice: point an MCP-compatible AI tool at your Supabase project's auth URL, and it handles the rest. The tool discovers your endpoints, registers itself as a client, initiates the OAuth flow, and obtains tokens. The AI agent authenticates as the user, with all your RLS policies enforced automatically. Users see your consent screen, approve access, and the AI tool operates on their behalf, with exactly the permissions you've defined. No passwords exposed, no custom API wrappers needed.

We're just getting started with MCP. We're working on making it even easier to build MCP servers directly in Supabase, bringing the same developer experience you love to AI agent integrations.

Getting Started

Setting up OAuth 2.1 in your Supabase project starts with registering OAuth clients through the Supabase dashboard or Management API. You'll configure their allowed redirect URIs and receive a client_id. Then you'll build your authorization flow, an endpoint that receives OAuth authorization requests, authenticates users (using existing Supabase Auth methods), presents a consent UI, and confirms approvals with Supabase Auth.

Update your Row Level Security policies to handle OAuth clients appropriately, deciding which data third-party apps can access and what remains user-only. Third-party apps validate tokens using your public JWKS endpoint, no shared secrets required. They can verify tokens asymmetrically using standard OAuth 2.1 libraries.

Complete documentation with code examples is available in our OAuth 2.1 guide.

OpenID Connect Support

Beyond OAuth 2.1, Supabase Auth now includes full OpenID Connect (OIDC) support, making it perfect for enterprise single sign-on and standardized identity integrations.

When authenticating with OIDC, clients receive an ID token alongside the access token. This standardized JWT contains user profile information and is signed by your Supabase project, allowing third parties to verify user identity without additional API calls. Your project also exposes the standard OIDC UserInfo endpoint, providing a secure way for clients to retrieve user profile information using their access token, enabling seamless integration with enterprise identity systems and standard OIDC libraries.

Your project automatically exposes an OIDC discovery endpoint at /.well-known/openid-configuration, making integration with enterprise tools and standard OIDC clients straightforward. Point an enterprise SSO system at your Supabase project, and it discovers everything it needs to integrate. This makes Supabase Auth a complete identity provider solution, compatible with any OIDC-compliant application or service.

What's Next

We're continuing to expand OAuth capabilities. Granular scopes are coming soon, allowing clients to request specific permissions rather than full user access (scope=read:profile read:metrics). We're making it even easier to build and deploy MCP servers directly in Supabase, bringing AI agent authentication into the same seamless developer experience you already know.

We're building this in the open. The GitHub discussion is active, share your use cases and help shape the roadmap.

Try It Today

OAuth 2.1 and OpenID Connect capabilities are now available in Supabase Auth. Get started:

• Read the documentation
• View the GitHub discussion
• Join the Discord to share what you're building

Whether you're building an MCP server for AI agents, implementing enterprise SSO with OpenID Connect, creating a developer platform, or just want to offer "Sign in with [Your App]", Supabase Auth now has you covered.

Original source Report a problem

We're rolling out management of Vector Buckets where you can store, index, and query your vector embeddings at scale!

Vector Buckets is currently in Public Alpha, hence expect rapid changes and possible breaking updates as we expand access to make this increasingly available to everyone.

Analytics Buckets is also currently in Public Alpha if that might interest you too!

What we'd like to know from you

• Any bugs / issues that you might run into when using Vector Buckets
• Any UX friction that you might run into when managing Vector Buckets through the dashboard
• Any use cases for Analytics Buckets, and how we might be able to improve the DX to support your development / workflow

Related Links

• Dashboard: https://supabase.com/dashboard/project/_/storage/vectors
• Documentation: https://supabase.com/docs/guides/storage/vector/introduction

Original source Report a problem

Another brief summary of changes that went into the dashboard over the past 2 weeks 🙂 🙏

Update to the Storage UI

This was mentioned in the previous changelog announcement but we've recently updated the UI of the storage section in the dashboard as we're expanding the product with 2 new types of buckets - Analytics and Vectors 🙂
We'll have more information regarding these 2 buckets in the near future, but if you might be interested in Analytics Buckets, we've got a separate discussion here where we're hoping to get some feedback once it becomes available! 🙏🙂 Watch this space!
PR: https://github.com/supabase/supabase/pull/40076
Link: https://supabase.com/dashboard/project/_/storage/files

Other bug fixes and improvements

Account

• Add settings to toggle Inline SQL Editor Panel via keyboard shortcut (PR)

Auth

• Support toggling security emails from respective templates page (Feature is behind a feature preview) (PR)
• Default users search to be on the emails column instead of user ID (PR)

Storage

• Virtualize rendering of buckets to support rendering a large number of buckets in UI (PR)
• Added search support to search on bucket names for bucket policies page (PR)

Database

• Adds a link from trigger list to the corresponding database function, and a link to the table in the Table Editor (PR)
• Fix code editor warnings overflowing issue (PR)

Table Editor

• Fix mobile menu closing when changing schema (PR)
• Hide row actions and separators for tables in protected schemas (PR)
• Fix empty state drag drop zone to handle non CSV file types (PR)
• Fix Table Editor not horizontally scrollable when there's no rows (PR)
• Link to policies page to use table name as search param instead of table ID (PR)
• Persist sort preferences within "Select foreign key record" sheet (PR)

Support Form

• Automatically select the organization in the support form if navigating to support form from an organization page (PR)

Original source Report a problem

Release notes

Letting users know about security-sensitive actions on their account is an increasingly common authentication feature.

We’re excited to announce an expansion of our email templates to handle these these types of events, beginning with:

• Password changed
• Email changed
• Phone number changed
• Identity linked or unlinked
• Multi-factor authentication enrolled or unenrolled

You can find documentation—including for our API— here . The list of templates will continue to grow as our feature-set changes, and as we gather feedback from our community.

[!NOTE] To enable the feature preview, click your profile avatar, click Feature previews and enable Security notification templates .

What we’d like to know from you

• Any bugs or issues you run into when using email templates
• Any friction you run into when managing email templates through the Supabase dashboard
• Any additional use cases for email templates, and how we might be able to better support your workflow

Related links

• Dashboard: https://supabase.com/dashboard/project/_/auth/templates
• Documentation:
  • Email templates: https://supabase.com/docs/guides/auth/auth-email-templates
  • Send email hook: https://supabase.com/docs/guides/auth/auth-hooks/send-email-hook
  • Local Dev / CLI: https://supabase.com/docs/guides/local-development/customizing-email-templates

Original source Report a problem

Letting users know about security-sensitive actions on their account is an increasingly common authentication feature.

We’re excited to announce an expansion of our email templates to handle these these types of events, beginning with:

• Password changed
• Email changed
• Phone number changed
• Identity linked or unlinked
• Multi-factor authentication enrolled or unenrolled

You can find documentation—including for our API— here . The list of templates will continue to grow as our feature-set changes, and as we gather feedback from our community.

[!NOTE] To enable the feature preview, click your profile avatar, click Feature previews and enable Security notification templates .

What we’d like to know from you

• Any bugs or issues you run into when using email templates
• Any friction you run into when managing email templates through the Supabase dashboard
• Any additional use cases for email templates, and how we might be able to better support your workflow

Rollout plan

• Changes are behind a feature preview in the dashboard
• Starting from 13th Nov 2025, we will roll out to the hosted platform first as incremental % rollout where users will be opted into the feature preview by default
• If you might want opt out of the changes, you may disable the changes via the feature previews which you can access through the user dropdown in the header here:

Related links

• Dashboard: https://supabase.com/dashboard/project/_/auth/templates
• Documentation:
  • Email templates: https://supabase.com/docs/guides/auth/auth-email-templates
  • Send email hook: https://supabase.com/docs/guides/auth/auth-hooks/send-email-hook
  • Local Dev / CLI: https://supabase.com/docs/guides/local-development/customizing-email-templates

Original source Report a problem

Manage Analytics Buckets from the dashboard

We previously announced Supabase Analytics Bucket in Launch Week 15 and we've made much progress since then! You can use these buckets to store large datasets for analytics and reporting 📊

Analytics Buckets is currently in Public Alpha, hence expect rapid changes and possible breaking updates as we expand access to make this increasingly available to everyone. 🙂🙏

Vector Buckets are also now in Public Alpha if you might be interested as well 😄

What we'd like to know from you

• Any bugs / issues that you might run into when using Analytics Buckets
• Any UX friction that you might run into when managing Analytics Buckets through the dashboard
• Any use cases for Analytics Buckets, and how we might be able to improve the DX to support your development / workflow

Related Links

• Dashboard: https://supabase.com/dashboard/project/_/storage/analytics
• Waitlist: https://forms.supabase.com/analytics-buckets
• Youtube: https://www.youtube.com/watch?v=8poJ0f3Ucik
• Blog: https://supabase.com/blog/analytics-buckets
• Documentation: https://supabase.com/docs/guides/storage/analytics/introduction

Original source Report a problem

Upcoming: Storage UI update

We'll be pushing out an update to our Storage UI within this week as part of revisiting the information architecture of the dashboard, given that Supabase Storage isn't only about file storage but also analytics and vectors! 😉🗂️. This sets up the necessary changes required to support the other storage types that will come soon to the dashboard some time this week (or next)! 🙏 There's no other changes besides this (the file explorer of your file buckets remains the same 🙂🙏)
PR: https://github.com/supabase/supabase/pull/40076
Link: https://supabase.com/dashboard/project/_/storage/buckets

Auth Reports improvements

We've shipped a number of updates to the Auth Reports, splitting reports into sections and making it easier to find the information that you need! 🙂🕵️ (Usage, Monitoring, Performance) These changes will allow you to see spikes in errors in the API and Auth servers, and you may also select a part of the chart to open them in the logs pages (Way more easier than combing through them in the Logs Explorer)
PR: https://github.com/supabase/supabase/pull/39013
Link: https://supabase.com/dashboard/project/_/reports/auth

Additional settings for Realtime

We've added the following 3 settings that can be configured for your project through the realtime settings page! ⚙️💨 Information regarding all configurable settings for Realtime can be found in our documentation here !
• Enable / Disable Realtime service

• If disabled, no clients will be able to connect and new connections will be rejected
  • Max presence events per second
• Maximum number of presence events per second that can be sent to your Realtime service
  • Max payload size in KB
• Maximum number of payload size in KB that can be sent to your Realtime service
  PR: https://github.com/supabase/supabase/pull/39566
  Link: https://supabase.com/dashboard/project/_/realtime/settings

Support for Sentry Log Drains

You can now send your project logs to Sentry as a third party destination! 🙂🪵 Read more about this in our documentation here !
PR: https://github.com/supabase/supabase/pull/39442
Link: https://supabase.com/dashboard/project/_/settings/log-drains

Other bug fixes and improvements

General

• Simplified UI for project while in a paused state (PR)

Auth

• Persist sort by search configuration, but only if number of users in database is < 10,000 (PR)

Database

• Add support for duplicating database functions (PR)
• Add support for duplicating database triggers (PR)
• Database functions link to triggers list if function has trigger return type (PR)
• Database triggers link to table editor and functions list if for the table and function of the trigger respectively (PR)

Edge Functions

• Added support for drag and drop to add files while editing an edge function (PR)

Storage

• Add virtualization for buckets to support rendering a large number of buckets (PR)

Table Editor

• Fix schema not persisting when creating a table outside of the public schema (PR)

Reports

• Fix database reports "Database Connections" charts (PR)

Realtime

• Improved error messages when channel fails to join (PR)
• Add warning when updating realtime settings that clients will be disconnected (PR)

Original source Report a problem

🔍 What’s new

• Functions returning SETOF or table types are now correctly inferred as embedded relationships (arrays) when used in .select() queries (computed relationships). Supported via SetofOptions from introspection. note: If you define a function in Postgres with RETURNS SETOF … ROWS 1, the tool-chain (introspection + type generation) will infer this as a single object instead of an array.
• TypeScript errors at call-site when you attempt to call a function with wrong or conflicting parameters. For example:
  1
  const res = await supabase.rpc('postgrest_unresolvable_function', { a: 'test' });
  // Error: Could not choose the best candidate function between: public.postgrest_unresolvable_function(a => integer), public.postgrest_unresolvable_function(a => text).
  This kind of error helps you catch ambiguous overloads that the introspection cannot decide between.
• Additional error cases like:
  1
  const res = await supabase.rpc('blurb_message', {});
  // Error: Searched for the function public.blurb_message with parameter or with a single unnamed json/jsonb parameter, but no matches were found in the schema cache.
  This corresponds to underlying PostgREST error codes PGRST202 / PGRST203.

Important caveats:

Nullable embed relationships by default: When you embed a function (computed relationship) in a .select() query, the generated type will treat the function result as possibly null, since it may not return any rows.
You can override the nullability globally using a DeepMerge override when generating types using the CLI. Example:

import { MergeDeep } from 'type-fest'
import { Database as DatabaseGenerated } from './database-generated.types'

export type Database = MergeDeep<
  DatabaseGenerated,
  {
    public: {
      Functions: {
        my_function: {
          SetofOptions: {
            isNotNullable: true
          }
        }
      }
    }
  }
>

This approach mimics defining custom JSON types via MergeDeep.

However, when a function has multiple overloads or multiple SetofOptions variants (for example one overload returns from someTable → someOtherTable, another returns someTable2 → someOtherTable), a global override may become ambiguous:

function_name:
  |
  {
    ...,
    SetofOptions: {
      from: 'someTable',
      to: 'someOtherTable'
    }
  }
  |
  {
    ...,
    SetofOptions: {
      from: 'someTable2',
      to: 'someOtherTable'
    }
  }

In such cases, the recommendation is to use the !inner hint in the query itself so the inference knows the result won’t be null:

client
.from('table')
.select('field1, computed_relationship!inner(id)')
// Inferred type:
// { field1: string, computed_relationship: { id: string } }
// rather than default:
// { field1: string, computed_relationship: { id: string } | null }

✅ What you should do

• Upgrade to @supabase/[email protected] (or higher)
• Ensure you are using the CLI at version > 2.53.1 so that SetofOptions metadata is correctly included in the generated types.
• Regenerate your types (e.g., npx supabase gen types typescript …) after introspection so that functions with SETOF return types are captured with the proper metadata.

🔗 References

• PostgREST docs — Computed Relationships
• supabase/supabase-js#1632
• supabase/postgres-meta#971
• Defining custom JSON types (type override docs)

Original source Report a problem