Contributes to DOCS-1052
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Resolves MDX linting errors related to "simple" where it applies.
There was a couple cases that did not apply. For example, a product with
"Simple" in the name.
These changes are made in context, either by removing or using a more
descriptive synonym like "minimal" or "basic".
## Tophatting
1. Read each of the diffs.
2. See that the text still makes sense in context.
For extra due diligence, you can run `pnpm lint:mdx` locally and see the
'simple' errors that remain and whether they are worth addressing.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Summary by CodeRabbit
* **Documentation**
* Updated many guide, tutorial, and troubleshooting pages with clearer
“basic”/“minimal” wording across setup steps, local testing
instructions, security cautions, and RLS guidance.
* Refined headings, example descriptions, and inline comments for
consistency (including deployment, MCP, metrics API, and search/function
phrasing).
* Improved readability with small snippet formatting tweaks (whitespace
plus import/comment ordering) and added a self-hosting debugging note
for Envoy admin endpoints via a short-lived `curl` container.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Nik Richers <nrichers@gmail.com>
A handful of code samples in the guides either don't run or contradict
the surrounding text. I found these reading through the docs.
- `database/debugging-performance`: `insert into books` targets a table
that's never created. The table made just above is `instruments`.
- `database/drizzle`: the `db.ts` snippet references an undefined
`host`. The variable in scope is `connectionString`.
- `database/postgres/column-level-security`: the `create table` is
missing a comma after `created_at ... now()`, so it won't parse.
- `database/postgres/first-row-in-group`: `distinct on (team)` with
`order by id, ...` is rejected by Postgres (the DISTINCT ON column has
to lead the ORDER BY). Ordered by `team, points desc` so it returns one
row per team.
- `database/postgres/data-deletion`: reversed markdown link
`(text)[url]`, plus "parititioning" misspelled.
- `database/extensions/pg_plan_filter`: prose says
`statement_cost_filter`, but the real parameter (used everywhere else in
the file) is `statement_cost_limit`.
- `auth/auth-hooks/mfa-verification-hook`: the insert and on-conflict
update use `last_refreshed_at`, but the table column is
`last_failed_at`.
- `telemetry/advanced-log-filtering`: the "ends with" example writes
`'$port=12345'`. The `$` anchor needs to come after the literal:
`'port=12345$'`.
- `ai/examples/headless-vector-search`: uses `${projectURL}` but the
const is `projectUrl`.
- `getting-started/quickstarts/redwoodjs`: prose says
`scripts/seeds.ts`, but the code block and Redwood use
`scripts/seed.ts`.
- `getting-started/tutorials/with-flutter`: two code-fence headers have
a stray trailing `"`.
- `local-development/cli/testing-and-linting`: stray backtick in "Edge`
Functions".
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Corrected code examples across multiple guides including vector
search, authentication hooks, database guides, and quickstarts
* Fixed SQL syntax errors, variable names, and table references in
example snippets
* Resolved typos, broken links, and formatting inconsistencies in guide
text
* Clarified parameter names and script references in documentation
* Updated code fence syntax in tutorials for proper rendering
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Reading through the guides and troubleshooting docs I found a set of
code examples that don't parse or run as written. Each is a small,
self-contained fix:
- **troubleshooting/postgres-logs**: the `regexp_contains(...)` call was
missing its closing parenthesis.
- **troubleshooting/rls-performance**: the PL/pgSQL `return` statement
was missing its terminating semicolon.
- **troubleshooting/supavisor-faq**: the `CREATE USER ... WITH PASSWORD`
string literal was unterminated (missing closing quote).
- **troubleshooting/google-auth-fails**: missing comma between
`provider` and `options` in the `signInWithOAuth` object literal.
- **integrations/supabase-for-platforms**,
**database/extensions/pg_graphql**,
**deployment/branching/working-with-branches**: missing commas between
JSON properties.
- **database/extensions/pgjwt**: the default algorithm was written
`'HSA256'`; the real default is `'HS256'` (used in both `sign` and
`verify`).
- **auth/auth-email-passwordless** (Dart): `signinwithotp` should be
`signInWithOtp`.
- **auth/third-party/firebase-auth**: `async function
setRoleCustomClaim() => {` mixed a function declaration with arrow
syntax.
- **storage/management/copy-move-objects**: the storage helper is
`storage.foldername(name)`, not `storage.folder(name)`.
- **troubleshooting/hsnw-index**: prose referred to
`maintance_work_mem`; the setting is `maintenance_work_mem` (the SQL in
the same file spells it correctly).
- **troubleshooting/pgcron-debugging**: a stray double quote inside the
`cron.job_run_details` code span.
13 files, all one-line fixes. Happy to split if you'd prefer.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Corrected code examples across authentication, database, storage, and
troubleshooting guides
* Fixed method naming and syntax errors in code snippets (Dart auth,
Node.js Firebase, SQL functions)
* Updated API signatures and variable names for accuracy
* Improved JSON formatting in example payloads
* Corrected typos in documentation text
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES/
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Documentation
* Updated project variables guidance to include publishable and secret
keys alongside existing options.
* Updated code examples across multiple frameworks to use publishable
keys instead of anon keys.
* Updated tool descriptions to reflect publishable key terminology.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update
## What is the current behavior?
Auth hooks documentation doesn't explicitly state that the hook name
configured in `config.toml` must correspond to available hooks to
prevent errors, which has caused confusion for some users.
## What is the new behavior?
Doc includes mention that hook name must correspond to available hooks.
## Additional context
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added clarification note regarding authentication hook configuration
requirements, specifying that hook names in configuration files must
correspond to available hook types.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Consolidated API key deprecation guidance into a reusable notice for
consistent messaging across docs. Announces deprecation of legacy
anon/service_role JWT-secret keys by end of 2026, instructs switching to
sb_publishable_xxx / sb_secret_xxx, and provides steps to locate and
copy both new and legacy keys. Applied across auth, getting-started,
API, and realtime guides.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: fadymak <dev@fadymak.com>
## What kind of change does this PR introduce?
Feature / abuse-prevention update. Resolves DEPR-198.
## What is the current behaviour?
Free projects using Supabase's built-in email service can edit raw Auth
email template subjects and HTML in Studio. That is the risky cohort
this project is trying to constrain.
## What is the new behaviour?
### Template editing restrictions
For free projects using Supabase's built-in email service, Studio keeps
Auth email templates viewable and previewable but disables subject/body
editing and saving. Editing is unlocked by setting up Custom SMTP,
configuring a send-email hook, or upgrading to a paid plan.
**Grandfathering:** projects created before `2026-06-01T00:00:00Z` (the
platform enforcement cutoff) are exempt; their editing UI stays
unlocked. This mirrors `FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE` in the
platform PR exactly.
| After |
| --- |
| <img width="1024" height="759" alt="Emails Authentication Fizz Test
Supabase-173BB09B-0FB9-4133-8202-9E310DDB347A"
src="https://github.com/user-attachments/assets/c966212d-ed0c-443b-8197-440cc2937ef6"
/> |
| <img width="1024" height="759" alt="Emails Authentication Fizz Test
Supabase-CD5845EB-0E45-4779-8989-44E775B2411A"
src="https://github.com/user-attachments/assets/055a64d6-b5e8-4d37-a261-6e280f04536a"
/> |
### Warning dialogs on transitions that reset templates
Two flows now surface a warning before the user commits to a state
change that resets their custom email templates to defaults:
1. **Disabling custom SMTP** (SMTP settings page): a confirmation dialog
warns that templates will be reset to defaults and the email rate limit
reduced to 2 per hour. On confirm, Studio resets all 13 templates via
the existing per-template reset endpoint (`Promise.allSettled`). The
"won't be able to edit" sentence is shown only for post-cutoff projects;
grandfathered projects skip it. The corresponding server-side
enforcement is in the Platform PR:
https://github.com/supabase/platform/pull/33129
2. **Downgrading to the Free plan** (billing settings): an admonition in
the existing downgrade confirmation modal warns that custom templates
will be reset to defaults and won't be editable without custom SMTP. The
admonition is shown only when the org has at least one post-cutoff
project; orgs whose projects are all grandfathered skip it.
| Custom SMTP | Downgrading |
| --- | --- |
| <img width="862" height="586" alt="66764"
src="https://github.com/user-attachments/assets/6470c8a6-2f79-40a5-ad3b-bfe5b0ba9c54"
/> | <img width="1268" height="1552" alt="CleanShot 2026-05-22 at 17 28
37@2x-FEB1901E-38E6-42DF-8C27-0A036D8A1B94"
src="https://github.com/user-attachments/assets/e8caa9e6-c3ed-4787-b771-af77a43eb854"
/> |
### Informational admonition when enabling SMTP
When a user enables custom SMTP for the first time, a sandwiched
admonition above the save footer informs them that the email rate limit
will be increased to 30 per hour and can be adjusted.
_This is just a minor cosmetic change, unrelated to the email template
disabling. Sorry._
| Before | After |
| --- | --- |
| <img width="1024" height="759" alt="Emails Authentication Chisel
Toolshed Supabase-54317D18-803C-4A58-8211-2359355D083B"
src="https://github.com/user-attachments/assets/29eff649-02dc-40f3-a379-0b4d484a76c7"
/> | <img width="1024" height="759" alt="Emails Authentication Chisel
Toolshed Supabase-9E12399E-E9FB-4F9A-B029-A08008EA4B50"
src="https://github.com/user-attachments/assets/e542ed86-4da6-407e-8293-0f4c0f071e18"
/> |
## How to test
All existing projects pre-date the enforcement cutoff
(`2026-06-01T00:00:00Z`) and are grandfathered, so the restriction UI
won't appear by default. To force the restricted state locally,
back-date the cutoff in one file:
In
`apps/studio/components/interfaces/Auth/EmailTemplates/EmailTemplates.utils.ts`,
temporarily change:
```ts
export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2026-06-01T00:00:00Z'
```
to:
```ts
export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2025-01-01T00:00:00Z'
```
Revert before committing. With the cutoff back-dated, use a free-plan
project and:
- **Template restriction + admonition:** navigate to Authentication >
Emails with no custom SMTP configured. Subject/body fields should be
read-only and the "Set up SMTP" admonition should appear, with its
dropdown offering upgrade and send-email hook options.
- **SMTP disable warning:** enable custom SMTP on a project, then
disable it via Authentication > SMTP Settings. The confirmation dialog
should warn that templates will reset to defaults and that editing will
be restricted after disabling.
- **Downgrade warning:** in billing settings, initiate a downgrade to
the Free plan. The downgrade modal should include an admonition warning
about template reset and restricted editing (only if the org has at
least one post-cutoff project).
## Additional context
The default Auth email template copy was also improved across docs,
examples, and UI library snippets (separate prior commits).
The per-template reset button (`ResetTemplateDialog`) was migrated to
the async `AlertDialogAction` pattern introduced in #45960; the dialog
stays open and shows a loading state while the reset is in-flight,
closes on success, and stays open on error.
Closes PRODSEC-183
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Stephen Morgan <stephen@doublethink.co.nz>
## What kind of change does this PR introduce?
Docs update. Part of DEPR-198.
## What is the current behaviour?
Auth email template examples and Studio template labels still reflect
older default copy in a few places.
## What is the new behaviour?
Updates Auth docs, local development docs, related snippets, Studio
template labels, and UI Library examples to [match the updated default
Auth email
copy](https://linear.app/supabase/document/email-template-copywriting-updates-04bba460fd2a).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated authentication email template names and descriptions across
guides, replacing "Magic link" with "Sign-in link or code" terminology
* Revised security notification email naming from "Identity
linked/unlinked" to "Sign-in method linked/removed" and "MFA method" to
"Verification method"
* Updated email template example content with improved wording (e.g.,
"Confirm your email address" instead of "Confirm your signup")
* **UI Updates**
* Refined authentication-related UI text labels and descriptions in the
dashboard
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45706)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## What kind of change does this PR introduce?
Documentation update.
## What is the current behavior?
The server-side auth client guide currently includes framework examples
for Next.js, SvelteKit, Astro, Remix, React Router, Express, and Hono,
but not Nuxt.
## What is the new behavior?
- Adds a Nuxt env var tab in the setup section.
- Adds a Nuxt framework section in the create-client guide with:
- A server route example using `createServerClient` with cookie
adapters.
- A browser plugin example using `createBrowserClient`.
## Additional context
Closes#34283
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Documentation**
* Added comprehensive Nuxt server-side rendering guide for creating
Supabase clients with cookie support, including environment variable
configuration setup and implementation examples for both server and
browser environments.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/43944?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## What kind of change does this PR introduce?
Docs update. Related to DEPR-551.
## What is the current behavior?
Docs MDX still uses the legacy `label` prop for Admonitions, even though
#45618 added `title` and kept `label` only as a backwards-compatible
alias after #45302 was reverted in #45535.
## What is the new behavior?
Migrates Docs-owned Admonitions from `label=` to `title=` without
changing rendered copy, component APIs, Studio callsites, design-system
examples, or the legacy `label` alias.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Standardized admonition headings across the docs by switching how
admonition headings are provided (preserving all visible guidance and
examples). Content and instructions remain unchanged; this ensures
consistent rendering of callouts and improves uniformity across guides
and reference pages.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46053?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## What kind of change does this PR introduce?
Feature. Resolves AUTH-879.
## What is the current behavior?
Studio does not provide a way to reset an Auth email template back to
the default subject and body once it has been customised.
## What is the new behavior?
Studio shows a `Reset template` action when Platform reports that the
selected Auth email template subject or body has been customised. The
action opens a confirmation dialog, calls the dedicated Platform reset
endpoint, and refreshes the editor with the default subject and body
returned by the API.
The Auth config save/reset mutations now run their user-facing success
handling before refreshing Auth lint data, so the success toast and
local editor cleanup are not delayed by lint refetches.
## Additional context
Depends on supabase/platform#32417.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Reset email templates to defaults via a confirmation dialog; button
appears when custom content is detected and respects update permissions.
* Typed email-template definitions and improved template variable
display and descriptions.
* **Tests**
* Added tests covering template reset visibility, confirmation flow,
state updates, permission handling, and toast notifications.
* **Documentation**
* Example email template placeholders updated for internationalization
and provider snippets.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45572)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated authentication guide for Kotlin Compose Multiplatform with
revised dependency configuration.
* Enhanced user-management example README with improved project
structure, deployment steps, and resources.
* **Chores**
* Refactored example applications to use custom authentication forms
instead of pre-built Auth UI components.
* Removed unused authentication UI dependencies from multiple example
projects.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45931)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Cemal Kılıç <cemalkilic@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated authentication guide for Turnstile CAPTCHA setup with
simplified, more direct instructions for configuring the widget and
obtaining keys.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated the Figma OAuth social login setup guide with corrected links
to the Figma Developers portal for accurate authentication
configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Clarified anonymous-account linking guide: example now explicitly
checks that the current session is anonymous and exits early if not,
preventing unintended linking steps.
* Enhanced resumable uploads guide: added a note explaining why the
example reads the local session token to forward it for server-side
validation when interacting with direct storage endpoints.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated custom OAuth provider quota documentation to clarify
plan-based limitations. Free plan projects can add up to 3 custom
providers, while Pro plan and above have unlimited providers.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated Flutter authentication guides (Auth0, AWS Cognito, Clerk, and
Firebase Auth) with corrected Supabase client initialization parameters
in code examples.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR migrates the whole monorepo to use Tailwind v4:
- Removed `@tailwindcss/container-queries` plugin since it's included by
default in v4,
- Bump all instances of Tailwind to v4. Made minimal changes to the
shared config to remove non-supported features (`alpha` mentions),
- Migrate all apps to be compatible with v4 configs,
- Fix the `typography.css` import in 3 apps,
- Add missing rules which were included by default in v3,
- Run `pnpm dlx @tailwindcss/upgrade` on all apps, which renames a lot
of classes
- Rename all misnamed classes according to
https://tailwindcss.com/docs/upgrade-guide#renamed-utilities in all
apps.
---------
Co-authored-by: Jordi Enric <jordi.err@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Instructed granting least-privilege table permissions for anon,
authenticated, and service roles prior to enabling Row Level Security
across multiple guides and quickstarts.
* Clarified SQL examples and inline comments, added explicit GRANT steps
and RLS SELECT policies, rephrased policy guidance, and adjusted example
ordering and section numbering for clearer setup and testing.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Updates the Auth Signing Keys and JWTs pages to align on the new keys
while still leaving the relevant information about the legacy keys until
post-deprecation.
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Fixes the same duplicate-word typo ("support support") in two quickstart
guides:
- `apps/docs/content/guides/auth/quickstarts/react.mdx`
- `apps/docs/content/guides/getting-started/tutorials/with-nextjs.mdx`
Both occurrences are in the "Customize email template" / "Email
template" sections:
> Before proceeding, change the email template to support ~~support~~ a
server-side authentication flow that sends a token hash:
Pure docs typo fix — no functional changes.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Corrected typographical errors in authentication guides to improve
clarity and readability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Corrected internal documentation links across auth guides (Custom
Access Token Hooks), database hit-rate guides (Disk IO / compute
anchors), functions deployment (Dashboard quickstart), and product
security (Realtime authorization) for proper targets and path
formatting.
* Updated Storage page doc links for analytics and vector introductions.
* Updated Database page “Supabase ETL” docs link to the replication
guide.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Updates social guides (only Apple remains) to use the publishable key
instead of anon
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated Swift code example in the Apple social login guide to use a
concrete Supabase project URL format, providing clearer guidance for
developers implementing authentication.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Adds an Astro auth guide
## What is the current behavior?
No such guide
## What is the new behavior?
Adds the guide
<img width="1491" height="485" alt="Screenshot 2026-04-02 at 18 30 07"
src="https://github.com/user-attachments/assets/c76f926d-02b1-4a89-9595-700cf4fcb4e7"
/>
## Additional context
N/A
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added an Astro authentication quickstart covering Supabase setup, SSR
configuration, required env vars, server-side auth flows, email
confirmation handling, and testing the dev flow; includes end-to-end
examples for sign-up, sign-in, sign-out, protected pages, and a
dashboard walkthrough
* **Navigation**
* Added Astro to the Auth "Getting Started" navigation section
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
With the upcoming deprecation of anon and service role keys, this PR
updates the OAuth server examples to use the secret and publishable keys
instead.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated OAuth server authentication guides with revised client
initialization examples
* Improved environment variable references in code samples for server
client setup
* Enhanced troubleshooting sections with corrected terminology for
debugging Row-Level Security policy issues
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
With the upcoming deprecation of the anonymous and service role keys,
this PR updates the Auth guides to use the publishable key instead of
the soon-to-be-deprecated anonymous key.
It also standardizes the example strings to be:
`'https://your-project-id.supabase.co'` and `'sb_publishable_...'` for
consistency.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Standardized client initialization examples to use a consistent
publishable-key placeholder (`sb_publishable_...`) and full project URL
format.
* Replaced "anon key" wording with "publishable key" across auth and API
guides and examples.
* Minor formatting and import-order/whitespace improvements in code
samples for clarity and consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Updates verbiage throughout docs to use postgres over postgresql.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated terminology throughout documentation, guides, and resources
for consistent product naming across all user-facing materials,
including page titles, descriptions, and reference documentation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Update TypeScript example to use createAuth0Client factory function and
ID tokens as the primary approach. Add warning about Auth0 silently
stripping non-namespaced custom claims from access tokens.
Ref: supabase/supabase-js#1770
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated Auth0 integration to a newer client initialization pattern.
* Switched examples to use the ID token instead of access tokens for
Supabase and added explicit failure behavior when the ID token is
missing.
* Updated Auth0 Action guidance to set the claim on the ID token.
* Added a caution that Supabase requires the literal "role" claim and
that non-namespaced custom claims are stripped from access tokens.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Jeremias Menichelli <jmenichelli@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update
## What is the new behavior?
- Added docs for analytics and vector buckets
- Added missing docs for some storage bucket methods
- Improved OAuth / OTP guide
- Small fixes
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Documentation
- Updated Kotlin authentication guides with improved examples, API
naming consistency, and comprehensive Kotlin Multiplatform support
- Added documentation for identity linking with ID tokens
- Expanded Storage API documentation with new file operation methods
(`exists()` and `info()`)
- Added extensive vector storage bucket operations and management
documentation
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
This PR adds support for configuring end-user IP address forwarding to
Supabase Auth, as well as docs explaining the feature.
## What is the current behavior?
These settings don't exist in Studio. Users that wish to enable IP
address forwarding must do so through the management API.
## What is the new behavior?
Users can enable IP address forwarding in Studio directly without
needing to use the management API.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added an "IP Address Forwarding" toggle in Auth rate limit settings as
a separate section with its own Save/Cancel behavior.
* **Documentation**
* Added a guide detailing when/how to forward end-user IPs, how to
enable the setting, required key types, Management API examples, and an
SDK/SSR snippet.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Cemal Kılıç <cemalkilic@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Feature and docs.
## What is the new feature?
Adds a toggle to enforce current password checks for updating a user's
password (auth)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added configurable option to require the current password when
changing passwords.
* Added configurable option to require recent reauthentication before
allowing password changes.
* **Documentation**
* Added "Password security" guide sections documenting current-password
verification and reauthentication safeguards, with usage examples.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
Co-authored-by: Gildas Garcia <1122076+djhi@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated all quickstart guides and tutorials to reference publishable
keys instead of anon keys for Supabase client initialization.
* Simplified environment variable setup instructions across multiple
framework guides by removing anon key configuration requirements.
* Clarified usage of publishable keys in step-by-step setup
documentation for various frameworks and platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: fadymak <dev@fadymak.com>
## What
Updates all `setAll` cookie handler implementations across docs and
examples to accept the new `headers` second argument introduced in
`@supabase/ssr` v0.10.0
([supabase/ssr#176](https://github.com/supabase/ssr/pull/176)).
## Why
`@supabase/ssr` v0.10.0 introduced a breaking change: `setAll` now
receives a required second argument `headers: Record<string, string>`
alongside the cookies array. When a token refresh occurs, the library
passes cache headers (`Cache-Control`, `Expires`, `Pragma`) that must be
applied to the HTTP response to prevent CDN caching of auth responses.
Because TypeScript allows functions with fewer parameters to satisfy a
type expecting more, existing `setAll` implementations do not produce a
type error when the second argument is omitted. Users who copy an
outdated snippet will silently miss the CDN protection.
Root cause and context:
[supabase/supabase-js#1682](https://github.com/supabase/supabase-js/issues/1682)
## Changes
**Proxy/middleware contexts** (where token refreshes happen) now apply
the cache headers to their response:
- Next.js proxy files: `supabaseResponse.headers.set(key, value)`
- SvelteKit hooks: `event.setHeaders(headers)`
- Hono middleware: `c.header(key, value)`
- Pages Router (Express-style): `ctx.res.setHeader(key, value)`
- Remix/React Router loaders and actions: applied to response headers
(outer `headers` variable renamed to `responseHeaders` to avoid naming
conflict with the new param)
**Server Component and API route contexts** (no response object
available) accept `_headers` without applying them.
## Files updated
- `apps/docs/content/guides/auth/server-side/creating-a-client.mdx`
(inline Astro, Remix, React Router, Express snippets)
- `apps/docs/content/_partials/oauth_pkce_flow.mdx`
- `apps/docs/content/guides/auth/oauth-server/getting-started.mdx`
- `apps/docs/content/guides/auth/passwords.mdx`
-
`apps/docs/content/troubleshooting/how-to-migrate-from-supabase-auth-helpers-to-ssr-package-5NRunM.mdx`
- `examples/auth/nextjs/`, `examples/auth/nextjs-full/` (proxy + server)
- `examples/auth/sveltekit/`, `examples/auth/sveltekit-full/`
- `examples/auth/hono/`, `examples/auth/hono-full/`
- `examples/user-management/nextjs-user-management/` (proxy + server)
- `examples/user-management/sveltekit-user-management/`
- `examples/realtime/nextjs-authorization-demo/` (proxy + server)
- `examples/realtime/nextjs-auth-presence/` (pages router)
- `examples/prompts/nextjs-supabase-auth.md`
"Linking.useURL()" has been deprecated in Expo. This updates the example
to use the recommended "useLinkingURL()" hook, which provides the same
functionality for handling initial and subsequent deep links.
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the current behavior?
The Expo example code uses "Linking.useURL()", which is now marked as
deprecated in Expo SDK 50+ and produces a TypeScript warning.
## What is the new behavior?
The example now uses the recommended "useLinkingURL()" hook from
"expo-linking". This prevents deprecation warnings for developers
adopting this example. The functionality (handling initial and
subsequent deep links) remains exactly the same.
## Additional context
Expo Linking documentation:
https://docs.expo.dev/versions/latest/sdk/linking/
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Add docs for the custom OAuth & OIDC providers
## Notes
- Pricing to be clarified. Until now, we allow 3 providers per project.
- Dashboard instructions will be updated after dashboard is finalized.
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## Problem
1. Users attempting to install the Supabase CLI globally via `npm
install -g supabase`
2. The Send Email Hook documentation incorrectly references
`user.email_new` instead of the correct field name `user.new_email`
## Solution
1. Added a clear note in the CLI getting started guide warning users
that npm global installation is not supported, directing them to use the
recommended installation methods instead
2. Corrected all three instances of `user.email_new` to `user.new_email`
in the Send Email Hook documentation to match the actual User interface
definition from `@supabase/auth-js`
## Related
- closes#43157
- closes https://github.com/supabase/cli/issues/4496
This PR fixes some prettier issues:
- Bump and unify all prettier versions to 3.7.3 across teh whole repo
- Bump the SQL prettier plugin
- When running `test:prettier`, check `mdx` files also
- Run the new prettier format on all files
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
When a session token is refreshed server-side, `@supabase/ssr` writes
the updated JWT via Set-Cookie. If a CDN caches that response and serves
it to another user, that user will be signed in as the wrong person.
Adds documentation covering this in two places:
- creating-a-client.mdx: brief mention with a link to the full
explanation
- advanced-guide.mdx: expands the existing CDN FAQ with an explanation
of the risk and Cache-Control: private, no-store examples for Next.js
and Nuxt
Related: https://github.com/supabase/supabase-js/issues/1682
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
