chore: docs for ephemeral access (#44702)

## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

- Adds docs for the feature preview of `ephemeral token database access`
- Resolves SEC-542


## Additional context

- https://github.com/supabase/supabase/pull/44161 adds the Docs button
in Studio



<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a "Temporary Access" entry in Platform Configuration for quick
access to the new guide.

* **Documentation**
* Added a Temporary Access guide detailing dashboard and Management API
setup, role-to-database mapping, optional per-role restrictions (expiry
and allowed IPs), Postgres prerequisites, and connection examples for
direct and pooler usage.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/44702?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts

@@ -2681,6 +2681,10 @@ export const platform: NavMenuConstant = {
           name: 'Network Restrictions',
           url: '/guides/platform/network-restrictions' as `/${string}`,
         },
+        {
+          name: 'Temporary Access',
+          url: '/guides/platform/temporary-access' as `/${string}`,
+        },
         { name: 'Performance Tuning', url: '/guides/platform/performance' as `/${string}` },
         { name: 'SSL Enforcement', url: '/guides/platform/ssl-enforcement' as `/${string}` },
         {

apps/docs/content/guides/platform/temporary-access.mdx

@@ -0,0 +1,118 @@
+---
+title: 'Temporary access'
+description: 'Enable temporary access for short-lived database connections tied to a Supabase user.'
+---
+
+Your Supabase project supports connecting to the Postgres database using either your Supabase API token (Personal Access Token) or your current dashboard session token (JWT). This is called temporary access, as the authentication tokens can be short-lived and tied directly to a specific Supabase user. Temporary access is disabled by default.
+
+Enabling temporary access only applies to connections to Postgres and Supavisor ("Connection Pooler"); all HTTP APIs offered by Supabase (e.g., PostgREST, Storage, Auth) require authentication tokens specific to the service and are independent of the Supabase platform user(s).
+
+<Admonition type="note">
+
+Projects need to be at least on Postgres 17.6.1.081 (or higher) to enable temporary access. You can find the Postgres version of your project on the [infrastructure settings](/dashboard/project/_/settings/infrastructure) page. If your project is on an older version, you will need to [upgrade](/docs/guides/platform/upgrading) to use this feature.
+
+</Admonition>
+
+## Manage temporary access via the dashboard
+
+The easiest way to manage temporary access is via the "Enable temporary access" settings section in [Database Settings page](/dashboard/project/_/database/settings) of the dashboard.
+
+## Manage temporary access via the Management API
+
+You can also manage temporary access using the Management API:
+
+```bash
+# Get your access token from https://supabase.com/dashboard/account/tokens
+export SUPABASE_MANAGEMENT_API_TOKEN="your-access-token"
+export PROJECT_REF="your-project-ref"
+
+# Get current temporary access status
+curl -X GET "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit-access" \
+  -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN"
+
+# Enable temporary access
+curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit-access" \
+  -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "state":"enabled"
+  }'
+
+# Disable temporary access
+curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit-access" \
+  -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "state":"disabled"
+  }'
+```
+
+## Configure user access
+
+Once temporary access has been enabled, project users must be authorized and mapped to Postgres roles they are allowed to access. Each user can be authorized to "assume" one or more Postgres roles using temporary access.
+
+When a user is authorized to assume a Postgres role, the user's access token (Personal Access Token (PAT) or Scoped PAT) will be used as the password for the Postgres role.
+
+<Admonition type="note">
+
+Postgres roles can still be accessed using the password configured on the role. This allows long-lived service connections to continue using the existing credentials.
+
+Temporary access authentication only applies for Supabase project users authenticating to the database, and assuming the given Postgres role. No new roles or users are created in the Postgres database and the assumed role's permissions will still apply.
+
+</Admonition>
+
+### Apply temporary access restrictions
+
+A user's temporary access can also be restricted to a validity period, after which their temporary access will expire and even though the access token is still valid, the database will reject the connection.
+
+IP address restrictions can also be applied, ensuring that temporary access will only be authorized from allowed network ranges (IPv4 and/or IPv6).
+
+#### Applying restrictions with the management API
+
+Restrictions can also be applied through the Management API.
+
+```bash
+# Get your access token from https://supabase.com/dashboard/account/tokens
+export SUPABASE_MANAGEMENT_API_TOKEN="your-access-token"
+export PROJECT_REF="your-project-ref"
+
+# Restrict temporary access to IPv4 ranges and expiry date
+# user_id is the gotrue_id of the user with access to the project
+curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/database/jit" \
+  -H "Authorization: Bearer $SUPABASE_MANAGEMENT_API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "user_id": "00000000-1111-2222-3333-444444444444",
+    "user_roles": [
+      {
+        "role": "postgres",
+        "allowed_networks": {
+          "allowed_cidrs": [{ "cidr": "176.1.12.1/32" }]
+        },
+        "expires_at": 1758721065775
+      }
+    ]
+  }'
+```
+
+## Using temporary access
+
+To log in to the database using temporary access, existing connection strings can be used and only the password needs to be changed to the user's API or dashboard token.
+
+For example, if a user has been authorized to assume the `postgres` role:
+
+```
+psql 'postgres://postgres:sbp_111222333aaabbbccc@db.{project-ref}.supabase.co/postgres'
+```
+
+Since Supabase API tokens can be used, it is also possible to generate API tokens for services you don't want to share your Postgres role password with (for example a GitHub Action). The API token can be configured with an expiry time and temporary access-specific restrictions can also be applied.
+
+Connecting via the shared connection pooler requires the addition of a new connection option. This can be applied either directly in the connection URI or as `conninfo` (easier to read):
+
+```
+# directly in the URI
+psql 'postgres://postgres.{project-ref}:sbp_111222333aaabbbccc@aws-1-us-west-1.pooler.supabase.com:5432/postgres?options=-c%20jit%3don'
+
+# or as a connection info string
+psql "host=aws-1-us-west-1.pooler.supabase.com user=postgres.{project-ref} options='-c jit=on'"
+```