## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Consolidated API key deprecation guidance into a reusable notice for
consistent messaging across docs. Announces deprecation of legacy
anon/service_role JWT-secret keys by end of 2026, instructs switching to
sb_publishable_xxx / sb_secret_xxx, and provides steps to locate and
copy both new and legacy keys. Applied across auth, getting-started,
API, and realtime guides.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: fadymak <dev@fadymak.com>
## What
Adds a getting-started guide for migrating an existing project from the
legacy JWT-based `anon` and `service_role` keys to the new publishable
(`sb_publishable_...`) and secret (`sb_secret_...`) keys.
The guide walks through the migration step by step:
- **Before you start** — maps legacy keys to their replacements.
- **Step 1** — create the new `default` keys.
- **Step 2 / 3** — swap the publishable key in client code and the
secret key in backend code.
- **Database Webhooks and `pg_net`** — move the key from the
`Authorization: Bearer` header to the `apikey` header (the new keys
aren't JWTs and are rejected on `Authorization`), with a Vault note for
not inlining secrets.
- **Step 4** — update Edge Functions, with two options: read the new env
vars (`SUPABASE_PUBLISHABLE_KEYS` / `SUPABASE_SECRET_KEYS`) and set
`verify_jwt = false`, or adopt the `@supabase/server` SDK.
- **Step 5 / 6** — verify nothing uses the legacy keys, then deactivate
them (reversible).
- **Next steps** — clarifies that JWT signing keys are a separate,
independent migration.
## Notes
While writing this we found Studio issues to fix separately (the Invoke
Function cURL snippet and the Database Webhooks editor both put the new
keys on the `Authorization` header).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a comprehensive migration guide for moving from legacy JWT-based
API keys to the new publishable and secret keys with zero‑downtime
steps, verification, limitations, and next steps.
* Clarified API key behavior and recommended migration actions in the
getting‑started docs.
* Added a navigation entry linking to the new migration guide.
* **Style**
* Relaxed documentation lint rules to allow expected wording/phrases
(e.g., "backends", "Database Webhooks").
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
This PR migrates the whole monorepo to use Tailwind v4:
- Removed `@tailwindcss/container-queries` plugin since it's included by
default in v4,
- Bump all instances of Tailwind to v4. Made minimal changes to the
shared config to remove non-supported features (`alpha` mentions),
- Migrate all apps to be compatible with v4 configs,
- Fix the `typography.css` import in 3 apps,
- Add missing rules which were included by default in v3,
- Run `pnpm dlx @tailwindcss/upgrade` on all apps, which renames a lot
of classes
- Rename all misnamed classes according to
https://tailwindcss.com/docs/upgrade-guide#renamed-utilities in all
apps.
---------
Co-authored-by: Jordi Enric <jordi.err@gmail.com>
