Commit Graph

14 Commits

Author SHA1 Message Date
Saxon Fletcher
3ef1c1e08c Add recommendation on schema isolation (#45390) 2026-04-30 18:09:33 +10:00
Chris Chinchilla
0e736457c8 docs: update docs to reflect new permission models for data api (#45288)
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## Summary by CodeRabbit

* **Documentation**
* Instructed granting least-privilege table permissions for anon,
authenticated, and service roles prior to enabling Row Level Security
across multiple guides and quickstarts.
* Clarified SQL examples and inline comments, added explicit GRANT steps
and RLS SELECT policies, rephrased policy guidance, and adjusted example
ordering and section numbering for clearer setup and testing.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-29 06:54:49 +00:00
Chris Chinchilla
a96d3d2b21 docs: API landing pages overhaul (#45062) 2026-04-28 14:13:48 +02:00
Chris Chinchilla
9a8ea280ed docs: Key changes in API section (#44994)
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## Summary by CodeRabbit

* **Documentation**
* Updated API docs and quickstart examples to reference publishable API
keys in configuration snippets, cURL examples, and browser guidance.
* Adjusted quickstart cURL examples to simplify headers and align with
publishable-key usage.
* Clarified security guidance to recommend distributing publishable keys
where appropriate and updated related wording across guides.

---------

Co-authored-by: fadymak <dev@fadymak.com>
2026-04-21 15:48:46 +01:00
Saxon Fletcher
6b8772a33e Update Data API docs to include explicit grants (#42969)
Updates our documentation pages around the Data API to include
instructions on how to grant the necessary privileges across API roles
across tables and functions. Current behaviour means this is largely
unnecessary as privileges are granted by default on public schema, but
adding instructions will help cover scenarios where this isn't the case
and expose some of the underlying magic happening.

## To test:
- These updates refer to new settings that are added to the data api
that give more visibility and control over what tables and functions are
accessible via the api.
- To view these settings you'll need to enable the `tableEditorApiAccessToggle` feature flag

## Summary by CodeRabbit

* **Documentation**
* Added a new "Data API" guide and removed the old "Hardening the Data
API" page
  * Updated navigation links to surface the new Data API guide
* Expanded quickstarts, SDK install pages, and security guides with
step‑by‑step Data API exposure, default‑privileges, RLS guidance, and
SQL GRANT examples (including function EXECUTE notes)
* Updated troubleshooting references and added redirects for legacy
documentation paths

---------

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: SaxonF <1072756+SaxonF@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
2026-04-21 13:57:58 +10:00
Copple
973bacf783 docs: Data API IA (#42417)
*Summary*
- reorganize the navigation menu to highlight modules, consolidate API
security content, and move guide entries (auto-generated docs, type
generation, security topics) to the intended sections
- relocate the Data API hardening and custom claims RBAC guides into the
API subtree, updating internal references and redirects, and fixing
cross-links (including adjusting the Security reference order)
- adjust data API topic references (e.g., securing guide and role
management) to point to the new paths and ensure the helper link
ordering follows the requested layout

*Testing*
- Not run (not requested)


## Summary by CodeRabbit

* **Documentation**
* Reorganized API documentation structure, consolidating REST and
GraphQL API guides under a dedicated API section.
* Moved security-related guides to API documentation paths for better
organization.
* Implemented automatic redirects for old documentation links to new
locations.
* Updated navigation menu to reflect the restructured documentation
layout.


---------

Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
2026-03-11 14:11:26 +01:00
Yogeshwaran C
647ac43c0a fix: correct indefinite article usage for acronyms (an HTTP, an API, an RLS) (#42919)
## What kind of change does this PR introduce?

Grammar corrections across documentation and test descriptions.

## What is the current behavior?

Multiple docs and test files use "a" before acronyms that start with a
vowel sound when pronounced:
- "a HTTP" (pronounced "aitch-tee-tee-pee") should be "an HTTP"
- "a API" (pronounced "ay-pee-eye") should be "an API"  
- "a RLS" (pronounced "arr-ell-ess") should be "an RLS"
- "the all users" is redundant (should be "all users")

## What is the new behavior?

All instances corrected to use proper English indefinite articles:

### Docs files (11 files):
- `firebase-auth.mdx` — "the all users" -> "all users" (2 occurrences)
- `log-drains.mdx` — "a HTTP drain" -> "an HTTP drain"
- `securing-your-api.mdx` — "a HTTP 402" and "a HTTP 420" -> "an HTTP"
- `scan-error-*.mdx` — "a HTTP 500" -> "an HTTP 500"
- `roboflow.mdx` — "a HTTP interface" -> "an HTTP interface"
- `auth-hooks.mdx` — "A HTTP Hook" -> "An HTTP Hook", "a HTTP hook" ->
"an HTTP hook", "a HTTP error" -> "an HTTP error"
- `auth-mfa.mdx` — "a HTTP 401" -> "an HTTP 401"
- `password-verification-hook.mdx` — "a HTTP request" -> "an HTTP
request"
- `before-user-created-hook.mdx` — "a HTTP implementation" -> "an HTTP
implementation"
- `pgtap-extended.mdx` — "a API exposed schema" -> "an API exposed
schema"
- `error-codes.mdx` — "a RLS policy" -> "an RLS policy"
- `broadcast.mdx` — "a RLS" -> "an RLS"

### Studio files (1 file):
- `CronJobs.utils.test.ts` — "a HTTP request" -> "an HTTP request" (9
test descriptions) + "notationa" typo -> "notation"

## Additional context

The rule: use "an" before acronyms pronounced with a leading vowel
sound. "HTTP" starts with "aitch" (vowel sound), "API" starts with "ay"
(vowel sound), and "RLS" starts with "arr" (vowel sound).
2026-02-19 07:23:18 -07:00
Filipe Cabaço
feecf1f121 docs: add warning regarding db-pre-request usage (#41354) 2025-12-16 10:08:27 +01:00
GaryAustin1
dce1920ee1 Update securing-your-api.mdx to fix broken example (#30206)
The example for checking additional API keys has a security flaw and bad code.

It checked current_role for anon to do security, but because it is a security definer function the role will never be anon.

Added to check for the role claim in the jwt.

Also the table used for keys is UUID and the type from the header is text for the key.  Cast it to UUID.
2024-10-31 15:46:46 -04:00
Chris Gwilliams
77529b234b Remove mention of safeupdate temporarily (#28013)
remove mention of safeupdate temporarily
2024-07-22 11:42:21 +01:00
Charis
b50c657e51 chore(docs): add link (#27829) 2024-07-08 13:12:48 -04:00
Charis
ec86bbc4fe feat: new auth ia (#22812)
Co-authored-by: Kang Ming <kang.ming1996@gmail.com>
Co-authored-by: Joel Lee <lee.yi.jie.joel@gmail.com>
2024-05-07 20:15:06 +00:00
Liam Birkin
73c5826a49 fix: updated url for some docs links that were throwing 404 page (#23220)
fix 404 links
2024-04-24 15:00:36 +00:00
Charis
b0b8b6b6e3 refactor: finish moving mdx to content directory (#21321) 2024-02-16 13:43:02 -05:00