## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update.
## What is the current behavior?
The "Securing Edge Functions" guide (`/docs/guides/functions/auth`)
opens with two conceptual sections — "Understanding authorization
headers" and "The `verify_jwt` platform check" — followed by a "Common
auth patterns" section that re-implements the same four use cases twice:
once without an SDK using `Deno.serve` + manual `createClient` + manual
`Authorization` header forwarding, and again using `@supabase/server`.
The recommended path is buried below background reading and a
legacy-style implementation.
Linear: COM-235.
## What is the new behavior?
The guide now leads with practical how-tos built on `@supabase/server`:
- Authenticated user calls (`auth: 'user'`)
- Service-to-service calls (`auth: 'secret'`)
- Public functions (`auth: 'none'`)
- External webhooks (`auth: 'none'` + signature verification)
- Combining modes
- Custom error responses
- Environment variables
The two conceptual sections are extracted into a new sibling page at
`/docs/guides/functions/auth-headers` ("Authorization headers"), linked
from the top of the how-to page and added to the side nav between
"Securing your functions" and "Legacy JWT secret".
The legacy SDK-less examples are removed. The mode table uses the
unnamed forms (`'secret'`, `'publishable'`), and a note in the
service-to-service section introduces the `'secret:<name>'` /
`'publishable:<name>'` syntax for callers that want to scope to a
specific named key.
## Additional context
Each section preserves the "who calls this and why" framing from the
original (cron jobs, workers, and `pg_net` for service-to-service;
`supabase.functions.invoke` for authenticated user calls; signed webhook
providers for external webhooks).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a new guide explaining Edge Functions authentication headers,
JWT validation, and API key handling
* Redesigned core authentication guide to focus on the primary wrapper
approach with clearer examples and common scenarios
* Improved navigation and added redirects to make authentication docs
easier to find and access
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45959?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>