## What kind of change does this PR introduce?
Feature / abuse-prevention update. Resolves DEPR-198.
## What is the current behaviour?
Free projects using Supabase's built-in email service can edit raw Auth
email template subjects and HTML in Studio. That is the risky cohort
this project is trying to constrain.
## What is the new behaviour?
### Template editing restrictions
For free projects using Supabase's built-in email service, Studio keeps
Auth email templates viewable and previewable but disables subject/body
editing and saving. Editing is unlocked by setting up Custom SMTP,
configuring a send-email hook, or upgrading to a paid plan.
**Grandfathering:** projects created before `2026-06-01T00:00:00Z` (the
platform enforcement cutoff) are exempt; their editing UI stays
unlocked. This mirrors `FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE` in the
platform PR exactly.
| After |
| --- |
| <img width="1024" height="759" alt="Emails Authentication Fizz Test
Supabase-173BB09B-0FB9-4133-8202-9E310DDB347A"
src="https://github.com/user-attachments/assets/c966212d-ed0c-443b-8197-440cc2937ef6"
/> |
| <img width="1024" height="759" alt="Emails Authentication Fizz Test
Supabase-CD5845EB-0E45-4779-8989-44E775B2411A"
src="https://github.com/user-attachments/assets/055a64d6-b5e8-4d37-a261-6e280f04536a"
/> |
### Warning dialogs on transitions that reset templates
Two flows now surface a warning before the user commits to a state
change that resets their custom email templates to defaults:
1. **Disabling custom SMTP** (SMTP settings page): a confirmation dialog
warns that templates will be reset to defaults and the email rate limit
reduced to 2 per hour. On confirm, Studio resets all 13 templates via
the existing per-template reset endpoint (`Promise.allSettled`). The
"won't be able to edit" sentence is shown only for post-cutoff projects;
grandfathered projects skip it. The corresponding server-side
enforcement is in the Platform PR:
https://github.com/supabase/platform/pull/33129
2. **Downgrading to the Free plan** (billing settings): an admonition in
the existing downgrade confirmation modal warns that custom templates
will be reset to defaults and won't be editable without custom SMTP. The
admonition is shown only when the org has at least one post-cutoff
project; orgs whose projects are all grandfathered skip it.
| Custom SMTP | Downgrading |
| --- | --- |
| <img width="862" height="586" alt="66764"
src="https://github.com/user-attachments/assets/6470c8a6-2f79-40a5-ad3b-bfe5b0ba9c54"
/> | <img width="1268" height="1552" alt="CleanShot 2026-05-22 at 17 28
37@2x-FEB1901E-38E6-42DF-8C27-0A036D8A1B94"
src="https://github.com/user-attachments/assets/e8caa9e6-c3ed-4787-b771-af77a43eb854"
/> |
### Informational admonition when enabling SMTP
When a user enables custom SMTP for the first time, a sandwiched
admonition above the save footer informs them that the email rate limit
will be increased to 30 per hour and can be adjusted.
_This is just a minor cosmetic change, unrelated to the email template
disabling. Sorry._
| Before | After |
| --- | --- |
| <img width="1024" height="759" alt="Emails Authentication Chisel
Toolshed Supabase-54317D18-803C-4A58-8211-2359355D083B"
src="https://github.com/user-attachments/assets/29eff649-02dc-40f3-a379-0b4d484a76c7"
/> | <img width="1024" height="759" alt="Emails Authentication Chisel
Toolshed Supabase-9E12399E-E9FB-4F9A-B029-A08008EA4B50"
src="https://github.com/user-attachments/assets/e542ed86-4da6-407e-8293-0f4c0f071e18"
/> |
## How to test
All existing projects pre-date the enforcement cutoff
(`2026-06-01T00:00:00Z`) and are grandfathered, so the restriction UI
won't appear by default. To force the restricted state locally,
back-date the cutoff in one file:
In
`apps/studio/components/interfaces/Auth/EmailTemplates/EmailTemplates.utils.ts`,
temporarily change:
```ts
export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2026-06-01T00:00:00Z'
```
to:
```ts
export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2025-01-01T00:00:00Z'
```
Revert before committing. With the cutoff back-dated, use a free-plan
project and:
- **Template restriction + admonition:** navigate to Authentication >
Emails with no custom SMTP configured. Subject/body fields should be
read-only and the "Set up SMTP" admonition should appear, with its
dropdown offering upgrade and send-email hook options.
- **SMTP disable warning:** enable custom SMTP on a project, then
disable it via Authentication > SMTP Settings. The confirmation dialog
should warn that templates will reset to defaults and that editing will
be restricted after disabling.
- **Downgrade warning:** in billing settings, initiate a downgrade to
the Free plan. The downgrade modal should include an admonition warning
about template reset and restricted editing (only if the org has at
least one post-cutoff project).
## Additional context
The default Auth email template copy was also improved across docs,
examples, and UI library snippets (separate prior commits).
The per-template reset button (`ResetTemplateDialog`) was migrated to
the async `AlertDialogAction` pattern introduced in #45960; the dialog
stays open and shows a loading state while the reset is in-flight,
closes on success, and stays open on error.
Closes PRODSEC-183
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Stephen Morgan <stephen@doublethink.co.nz>
## What kind of change does this PR introduce?
Docs update. Related to DEPR-551.
## What is the current behavior?
Docs MDX still uses the legacy `label` prop for Admonitions, even though
#45618 added `title` and kept `label` only as a backwards-compatible
alias after #45302 was reverted in #45535.
## What is the new behavior?
Migrates Docs-owned Admonitions from `label=` to `title=` without
changing rendered copy, component APIs, Studio callsites, design-system
examples, or the legacy `label` alias.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Standardized admonition headings across the docs by switching how
admonition headings are provided (preserving all visible guidance and
examples). Content and instructions remain unchanged; this ensures
consistent rendering of callouts and improves uniformity across guides
and reference pages.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46053?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Clarified API key changes (new publishable/secret scheme, where to
obtain each, legacy keys valid through end of 2026) and updated many
getting-started tutorials with clearer setup, flow, and auth guidance.
* **New Features**
* Added/expanded profile photo/avatar upload and account integration
steps across multiple tutorials.
* **Guides**
* Added guidance on auth helper methods and when to use them.
* **Examples**
* Example app updated to use token claims for auth state.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Katerina Skroumpelou <mandarini@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Fixes the same duplicate-word typo ("support support") in two quickstart
guides:
- `apps/docs/content/guides/auth/quickstarts/react.mdx`
- `apps/docs/content/guides/getting-started/tutorials/with-nextjs.mdx`
Both occurrences are in the "Customize email template" / "Email
template" sections:
> Before proceeding, change the email template to support ~~support~~ a
server-side authentication flow that sends a token hash:
Pure docs typo fix — no functional changes.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Corrected typographical errors in authentication guides to improve
clarity and readability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs - [React Native Expo user management
guide](https://supabase.com/docs/guides/getting-started/tutorials/with-expo-react-native)
## What is the new behavior?
Guide has been updated to be in line with #42269
- Removing `@rneui/themed` package and using native components.
- Update guide screenshot.
- Main stylesheet for the example.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Documentation
- Updated Expo React Native tutorial with modernized component approach
using React Native primitives and centralized styling patterns.
- Simplified codebase examples with consistent formatting and improved
maintainability.
- Core functionality preserved with updated implementation patterns.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated all quickstart guides and tutorials to reference publishable
keys instead of anon keys for Supabase client initialization.
* Simplified environment variable setup instructions across multiple
framework guides by removing anon key configuration requirements.
* Clarified usage of publishable keys in step-by-step setup
documentation for various frameworks and platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: fadymak <dev@fadymak.com>
## What kind of change does this PR introduce?
Documentation update
## What is the current behavior?
The Refine tutorial uses `supabaseClient.auth.getSession()` in the
`authProvider.check` method to verify authentication. `getSession` is
deprecated and not recommended for auth verification.
## What is the new behavior?
Replaced `getSession()` with `getClaims()` which reads claims from the
locally cached JWT. This is the recommended approach as mentioned in the
issue.
## Files changed
- `apps/docs/content/guides/getting-started/tutorials/with-refine.mdx` —
Updated `check` method in the authProvider code example
-
`examples/user-management/refine-user-management/src/providers/auth-provider.ts`
— Updated the corresponding example code to match
Closes#42193
---------
Co-authored-by: gorillaworkout <bayudarmawan215@gmail.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
I modified previous webinars to include the following:
- A YouTube embed of the recording
- New "Watch the Recording" CTA buttons
- New slug for the go page `/vibe-coding-done-right-webinar`
---------
Co-authored-by: Alan Daniel <stylesshjs@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Fixes#42192
Replaces the deprecated `getSession` call with `getClaims` in the
SolidJS tutorial documentation (`with-solidjs.mdx`).
Changes:
- `supabase.auth.getSession()` → `supabase.auth.getClaims()`
- `data.session` → `data.claims`
This follows the recommended migration pattern per the Supabase auth
docs, and is consistent with the same fix applied to the Refine tutorial
in #43006.
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Simplified React getting-started tutorial: concise, action-oriented
steps, inline code replaced by external sample references, removed the
Bonus: Profile photos section, and expanded README guidance and setup
steps.
* **Examples**
* User-management example converted to a user-focused auth flow with
safer unmount handling, adjusted profile/account interactions, and
updated sample references.
* **Chores**
* Upgraded example dependencies and tooling to align with newer React
and ecosystem versions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Clarified React Native and Angular auth guides with improved
environment setup and JWT validation guidance.
* **New Features**
* Added a React Native environment template for quickstart.
* Example app now uses JWT claims for user state and display.
* **Chores**
* Replaced UI library components with native React Native components for
compatibility.
* Updated package configuration and dependency versions.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
* Update with-expo-react-native.mdx
* fix(docs): update default active tab from async-storage to local-storage in Expo tutorial
* fix(docs): add expo-sqlite installation step in Expo tutorial
* Quickstart next 16 update
* Fix paths and env vars
* docs: refactor nextjs server-side auth to use Proxy instead of middleware
* docs: refactor nextjs server-side auth to match proxy
* docs: refactor nextjs example to match Proxy
* docs: refactor nextjs auth AI prompt to match Proxy
* docs: refactor nextjs sentry telemetry integration to match Proxy
* examples: update nextjs realtime example to match middleware
* docs: refactoring guides to use nextjs proxy
* examples: update nextjs-full example to match Next16 template
* example: update nextjs-user-management to match nextjs 16
* docs: refactoring nextjs user-management tutorial to use typescript only
* docs: refactoring nextjs quickstart, removing step 4
since this step is already included on `with-supabase` template, we can
just remove this redundant step
* docs: auth-helpers nextjs pages, Nextjs16 proxy disclaimer
* stamp: lint
* stamp: revert 'NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY'
* stamp: nextjs examples, revert to use cookie options
* fix(docs): typo
* docs: updating nextjs-auth troubleshoot guide to match proxy
* Update apps/docs/content/guides/getting-started/quickstarts/nextjs.mdx
* Revert auth-helpers changes
* Revert auth-helpers content
* Apply suggestions from code review
* Update apps/docs/content/troubleshooting/how-do-you-troubleshoot-nextjs---supabase-auth-issues-riMCZV.mdx
* Update apps/docs/content/troubleshooting/how-do-you-troubleshoot-nextjs---supabase-auth-issues-riMCZV.mdx
* Update apps/docs/content/troubleshooting/how-do-you-troubleshoot-nextjs---supabase-auth-issues-riMCZV.mdx
* Update apps/docs/content/troubleshooting/how-do-you-troubleshoot-nextjs---supabase-auth-issues-riMCZV.mdx
* Apply suggestions from code review
* Prettier
---------
Co-authored-by: kallebysantos <kalleby_santos@hotmail.com>
* docs: update Refine svg in HeroFrameworks
* docs: use capital R for Refine mentions
* docs: use main branch for Refine repository references
* docs: update connect interface example code for Refine
* docs: update Refine quick start tutorial with Refine v5
* examples(refine-user-management): upgrade to Refine v5
* docs: update Refine getting started tutorial with Refine v5
* chore(studio): update Refine icon on Connect modal
* docs: update Refine svg
* docs: update welcome screen screenshot in Refine tutorial
* docs: update dimensions of welcome screen screenshot in Refine tutorial
* chore: remove leftover dist assets from Refine example
* chore(linter): add Refine to Rule001 and Rule003
* chore: format getting started with Refine.mdx
* chore: remove .prettierrc file from the example
* Clearup keys and connection instructions in web getting started guides
* Update apps/docs/content/_partials/project_setup.mdx
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Update apps/docs/content/_partials/project_setup.mdx
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* prettier
* second try
* Fix keys for getting started section
* Updated keys for auth section, SSR aside
* Remove mention of dropdowns for now
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* fix: rewrite relative URLs when syncing to GitHub discussion
Relative URLs back to supabse.com won't work in GitHub discussions, so
rewrite them back to absolute URLs starting with https://supabase.com
* fix: replace all supabase urls with relative urls
* chore: add linting for relative urls
* chore: bump linter version
* Prettier
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
* Draft
* Update text for guide
* Update text for guide
* Update code for newer next js versions
* Final small change
* Update apps/docs/content/_partials/project_setup.mdx
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
* Changes from review
* Use project name in tutorial text
* Fix up inclusion
* Fix inclusion
* Prettier
---------
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
* General updates and switch to Svelte 5
* Update code example to Svelte 5
* Update some examples to use codesamples component
* Add Svelte to codesample component
* Final code updates
* Add more CodeSample components
Partials are currently defined via MDX includes. This PR switches to pre-compile-time partials, which have a new syntax:
```
<$Partial path="path/to/file.mdx" />
```
## Rationale
This produces two improvements:
1. Partial substitution can occur in pipelines that don't use MDX compilation. For example, we can now do partial substitution before building the search index, so partial content will also be indexed.
2. After the App Router migration, the MDXProviders should've been deprecated, but were kept around for the sole reason of making partials work, and leading to us shipping unnecessary client-side code. We get a minor decrease in overall client bundle size (5.74 MB to 5.6 MB) by getting rid of the Providers.
## Breaking changes
Besides the change to partial syntax, the arguments are also less powerful than before because we are doing string substitution and don't have the full power of JS. Defining string variables is still possible (documented in the Contributing guide), and since that's all we actually do in practice, this shouldn't be too cumbersome. There is always the escape hatch of making a custom component for more complex content reuse cases.
PR to start introducing Linter V2!
Primary improvements from this linter:
Better parsing of MDX (fewer false positives)
More flexibility
And suggested autofixes! (see auto-generated PR comment below for how that works)
Turning this on for only a small portion of the repo at first to avoid an avalanche of alerts, will slowly expand from there.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
