## What
Migrates the Edge Functions **documentation** from the legacy
`Deno.serve` + manual `createClient` pattern to the
[`@supabase/server`](https://github.com/supabase/server) `withSupabase`
wrapper. This is the part of
[COM-269](https://linear.app/supabase/issue/COM-269) that AI coding
assistants index, so it's split out to ship first; the standalone
`examples/` functions follow in a second PR.
## Canonical pattern
```ts
import { withSupabase } from 'npm:@supabase/server@1'
export default {
fetch: withSupabase({ auth: 'user' }, async (req, ctx) => {
const { data } = await ctx.supabase.from('countries').select('*')
return Response.json({ data })
}),
}
```
- `export default { fetch }` object shape (not `Deno.serve`, not a bare
default export), versioned `npm:@supabase/server@1`.
- `auth` mode picks the caller: `user` → `ctx.supabase` (RLS);
`secret`/`publishable`/`none` → set `verify_jwt = false`, `secret` uses
`ctx.supabaseAdmin`.
- `Response.json(...)` over `new Response(JSON.stringify(...))`.
## Changes
- **AI prompt** (`examples/prompts/edge-functions.md`) — rewritten to
lead with `withSupabase` as the default; `auth`-mode table;
`@supabase/server@1`. Highest AI-indexing impact.
- **connect-to-postgres** — "Using supabase-js" now uses `ctx.supabase`
(+ its CodeSample deps `postgres-on-the-edge`, `drizzle`).
- **Example pages** — semantic-search, push-notifications,
amazon-bedrock, cloudflare-turnstile, og-image, send-emails,
slack-bot-mention, auth-send-email-hook.
- **Guides** — ai-models, background-tasks, routing (+ `restful-tasks`
dep), kysely-postgres, sentry-monitoring, upstash-redis, elevenlabs ×2,
websockets, cors (reframed: CORS is automatic with `withSupabase`).
## Notable fixes
- **websockets**: the JWT-auth examples had a latent bug — handler
wasn't `async` and called `getClaims()` without the extracted token. Now
`await supabase.auth.getUser(jwt)`. (`withSupabase` can't authenticate
WebSocket clients since they can't send headers — noted in the page.)
- **restful-tasks**: fixed a broken `npm:supabase-js` import →
`npm:@supabase/supabase-js`.
## Follow-ups (not in this PR)
- The ~42 standalone `examples/` edge functions → second PR.
- A dedicated `withSupabase` intro page (today it's only documented
inside the auth-framed "Securing Edge Functions" page).
- `.claude/skills/supabase-server/SKILL.md` is stale (`allow:` vs
`auth:`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated Edge Function examples to the modern withSupabase + exported
fetch handler pattern across guides and examples.
* Standardized JSON response/error handling (uses built-in JSON helpers)
and preserved streaming/SSE behaviors where applicable.
* Clarified auth modes, context clients (user vs admin), and automatic
CORS handling; removed manual preflight boilerplate.
* Updated local serve/deploy instructions to include --no-verify-jwt for
relevant examples.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
Edge Function examples that use the new publishable/secret API keys read
them with a double lookup:
```ts
const SUPABASE_SECRET_KEYS = JSON.parse(Deno.env.get('SUPABASE_SECRET_KEYS')!)
const secretKey = Deno.env.get(SUPABASE_SECRET_KEYS['default']) // ❌ returns undefined
```
`SUPABASE_SECRET_KEYS` / `SUPABASE_PUBLISHABLE_KEYS` are a JSON object
that maps a key name to the **actual key value** (e.g.
`{"default":"sb_secret_..."}`), confirmed by:
- the self-hosted injection in `docker/docker-compose.yml`
(`SUPABASE_SECRET_KEYS: "{\"default\":\"${SUPABASE_SECRET_KEY:-}\"}"`)
- the `@supabase/server` SDK README
So `SUPABASE_SECRET_KEYS['default']` is already the key. Wrapping it in
another `Deno.env.get(...)` looks up an env var named `sb_secret_...`,
which doesn't exist, so the value is `undefined` and the examples fail
at runtime.
## Fix
Unwrap the outer `Deno.env.get(...)` so the key is read directly:
```ts
const SUPABASE_SECRET_KEYS = JSON.parse(Deno.env.get('SUPABASE_SECRET_KEYS')!)
const secretKey = SUPABASE_SECRET_KEYS['default'] // ✅
```
Applied across 23 files (example functions, the
`examples/prompts/edge-functions.md` codegen guidance, and two docs
guides). The correct `JSON.parse(Deno.env.get('SUPABASE_SECRET_KEYS')!)`
declaration line is untouched. The generated `apps/docs/examples/` copy
regenerates from `examples/` at build time.
## Notes
- Docs context:
[#46600](https://github.com/supabase/supabase/pull/46600), which
documents the same key model.
- Follow-up (not in this PR): a few examples send the secret key on the
`Authorization: Bearer` header, which the new keys reject. Worth a
separate audit.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Clarified examples and guides for correctly reading parsed Supabase
secret and publishable key maps.
* **Examples**
* Standardized credential usage across Edge Functions and samples so
Supabase clients consistently receive keys from the parsed key maps
rather than indirect lookups.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update (new guides + follow-up documentation fix from review
feedback).
## What is the current behavior?
There was no consolidated docs example for resumable WebSockets with
Edge Functions, and no dedicated troubleshooting guide for worker
timeouts / WebSocket drops.
## What is the new behavior?
- Adds a resumable WebSockets guide for Edge Functions, including:
- session persistence
- event replay
- idempotency pattern and schema examples
- client/server example flow
- Adds an Edge Functions troubleshooting guide for worker timeouts and
WebSocket drops.
- Updates docs navigation to surface the new guides.
- Follow-up fix from review feedback: the browser client example now
stores `sessionId` and `lastEventId` in `sessionStorage` (instead of
`localStorage`).
## Additional context
- Branch has been updated with latest `origin/master`.
- This PR remains documentation-focused; no production runtime code
changes were introduced.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a guide on resumable WebSockets covering session persistence,
event replay, idempotency patterns, SQL schema examples, and
client/server usage.
* Added a troubleshooting guide on Edge Functions worker timeouts and
WebSocket drops with scenarios, symptoms, and practical workarounds.
* Enhanced WebSocket docs with a production note on worker lifecycle and
keeping runtime promises open to avoid premature shutdown.
* Navigation updated to surface the new guides.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46178?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Lakshan Perera <lakshan@supabase.io>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated examples and guides to use Supabase publishable (client) keys
instead of anon keys for client-side usage across frameworks and
platforms.
* Renamed environment variable examples and .env templates to reflect
publishable key naming.
* Adjusted sample requests and client-init examples to send/use the
publishable key via the apikey header where applicable.
* Updated references from service_role to secret for server-side
credential guidance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: fadymak <fady@fadymak.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Replaced legacy "Anon"/"Service Role" key terminology with
"Publishable Keys" and "Secret Keys" across Edge Functions guides
* Updated authentication examples and request headers (client-side vs
server-side) to reflect publishable/secret key usage
* Standardized environment-variable examples to use parsed secret-key
maps with a selectable default
* Removed guidance for bypassing JWT verification via the deprecated CLI
flag
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Kalleby Santos <kalleby_santos@hotmail.com>
This PR fixes some prettier issues:
- Bump and unify all prettier versions to 3.7.3 across teh whole repo
- Bump the SQL prettier plugin
- When running `test:prettier`, check `mdx` files also
- Run the new prettier format on all files
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated Edge Functions CORS header guides with version-specific
approaches for SDK v2.95.0+ and earlier versions.
* Revised code examples across multiple Edge Functions to reflect
current CORS header implementation patterns.
* Enhanced troubleshooting documentation with updated preflight handling
guidance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v2.95.0 of the supabase-js sdk has been released, which contains
https://github.com/supabase/supabase-js/pull/2071
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated guides and examples to recommend using CORS headers from the
Supabase JS SDK (v2.95.0+) instead of manually defining headers.
* Examples now show the SDK-based approach and include a clear fallback
path for older SDK versions that require hardcoded headers.
* Added notes that SDK header updates will be reflected automatically in
edge functions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
* docs: update link to Vecs Python source code in developers guide
* docs: update README to remove outdated GDScript links. These repos have been deleted
* docs: update links in CONTRIBUTING.md for consistency and accuracy
* docs: update Twilio verification service link
* docs: update Mixpeek Python Client link in video search guide, remove link to missing code example
* docs: update GIN index link to point to PostgreSQL 16 documentation ('current' symantic no longer exists)
* docs: update Cloudflare Turnstile links to avoid 302 redirect
* docs: update LlamaIndex SupabaseVectorStore link to the correct documentation
* docs: update link to related issue for error message translation in auth-ui guide (to avoid 302 redirect)
* docs: update link from Next.js middleware to Next.js Proxy in auth-helpers guide to follow Next.js's new naming convention
* Update DEVELOPERS.md
* Update CONTRIBUTING.md
Direct to correct URL
* Update hybrid-search.mdx
Fix URL
* docs: renam Next.js middleware to proxy
* Update DEVELOPERS.md
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
* Add Pedro Rodrigues to humans.txt
* docs: add MCP-lite Edge Functions tutorial
- Add comprehensive tutorial on building MCP servers with mcp-lite on Supabase Edge Functions
- Add navigation entries in Examples and Third-Party Tools sections
- Based on Fiberplane blog post about mcp-lite and Supabase integration
* docs: remove redundant 'supabase init' step from MCP-lite tutorial
The template from 'npm create mcp-lite@latest' already initializes Supabase, so this step is not needed.
* docs: clarify local development steps for MCP-lite tutorial
- Separate 'supabase start' and 'supabase functions serve' into distinct steps
- Clarify that npm run dev only serves the function, not starts Supabase
- Make it clear these should be run in separate terminals
* style: format MCP-lite tutorial with prettier
* Update apps/docs/content/guides/functions/examples/mcp-server-mcp-lite.mdx
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Fix rules
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
* fix: rewrite relative URLs when syncing to GitHub discussion
Relative URLs back to supabse.com won't work in GitHub discussions, so
rewrite them back to absolute URLs starting with https://supabase.com
* fix: replace all supabase urls with relative urls
* chore: add linting for relative urls
* chore: bump linter version
* Prettier
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Update link to webhooks settings in edge functions example for push notifications
After the recent addition of integrations and database webhooks settings being moved to the integrations page, the link to database webhooks settings in the edge functions example for push notifications led to a 404.
* Minor correction to FCM Push Notifications Guide
Hi,
Just some minor edits to the FCM guide I wanted to share.
Thanks,
Ronan O'Driscoll
* Apply suggestions from code review
---------
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
