## Problem
React Query cache keys for permissions and organizations are generic
(`['permissions']`, `['organizations']`) with no user identifier. When a
new session is established without going through the explicit sign-out
flow (e.g. clicking an email verification link while still logged in as
another account), stale data from the previous user persists in cache.
The new user ends up seeing the old user's permissions and org list,
which makes the project creation form appear enabled. When submitted,
the backend rejects with "not an owner" because the token belongs to the
new account which has no ownership of the old org.
A hard refresh clears the in-memory React Query state and forces a fresh
fetch, which is why it resolved the issue.
## Fix
Scope `permissionKeys.list` and `organizationKeys.list` by user ID so
different accounts never share the same cache slot. When a different
user logs in, their queries simply get fresh cache entries and never see
data from the previous session. Updated all invalidation and
`setQueriesData` call sites across 18 files to pass the current user ID.
## How to test
I don't think it can be tested in the preview environment sadly since
the request to verify has to go to auth.supabase.green instead of
vercel-ref.supabase.green
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Select returns null
return returns hello world
(so this example has always been broken)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated the database functions guide with refined code examples.
Documentation now demonstrates improved Postgres function syntax and
streamlined return mechanisms, providing developers with clearer
guidance for implementing database functions following current best
practices.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
Clarifies that installing the Supabase CLI globally via npm is not
supported.
## Details
The CLI already throws a clear error when attempting a global npm
install, but the documentation did not mention this.
This update adds a clear note to the Node.js installation section and
points users to supported alternatives.
## Related issue
Closes#4496
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a clear admonition in the getting started guide clarifying that
the Supabase CLI should not be installed globally via npm. Recommends
Homebrew, Scoop, or the standalone binary, and suggests using npx or a
local/dev dependency as alternatives. The guidance appears both after
the Node.js note and within the npm install tab.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Since queue operations is a feature users can opt-out of, we need to
make it cleaner to toggle between queuing vs straight edits. To do this,
refactor all the operations into a single hook and reference it in
places where we mutate the rows.
## Testing
- Test edit cells, rows, and deletes for non queue operations
- Test edit cells, rows, and deletes for queue operations, also double
check modifying the same rows that are not yet added
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
OpenAI claims to support recursive schemas with $defs/$ref, but in
practice it's unreliable. When Zod's z.lazy() is converted to JSON
Schema, it produces recursive $ref entries that OpenAI's structured
output frequently rejects with errors like "Recursive reference
detected" or "Invalid schema for response_format".
Simplify the AI generation schema since we only support AND and don't
need the recursion because we don't support nesting of groups.
### Summary
This PR removes the visible close button from the billing address
required modal to make it non dismissable, since the majority of users
on paid orgs are still not filling their billing address.
The modal already prevents dismissal via Esc and outside/backdrop
interaction, and this change preserves that behavior. The existing
submit flow is unchanged, so the modal still closes after a successful
billing address update.
### Manual testing:
1. Open Studio in a state where the billing address required modal
appears.
2. Confirm the top-right close button is no longer shown.
3. Press Esc and verify the modal remains open.
4. Click outside the modal / on the backdrop and verify the modal
remains open.
5. Submit a valid billing address and verify the modal closes after a
successful save.
For testing whether an update successfully closes the modal, you can:
- You can create a free org without a billing address
- You will need to tweak this logic (on the frontend)
```
const shouldShow = Boolean(
IS_PLATFORM &&
// showMissingAddressModal &&
org &&
// org.plan.id !== 'free' &&
org.organization_missing_address &&
!org.billing_partner &&
permissionsLoaded &&
canBillingWrite
)
```
- Tweak the backend logic which computes `organization_missing_address`
to exclude free orgs
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update — Rewrite the Agent Skills documentation as a single flat
page with a skills table.
## What is the current behavior?
The Agent Skills docs have a nested structure with an index page and
individual dynamic pages for each skill (fetched from the
`supabase/agent-skills` repo). Skills also inject sub-items into the
sidebar navigation.
## What is the new behavior?
This PR replaces the nested skill pages with a single, flat Agent Skills
page that:
- Lists all skills in a **table** with name, description, and a
**copy-to-install button** (fetched dynamically from the
[supabase/agent-skills](https://github.com/supabase/agent-skills) repo)
- Includes **installation commands** for both the skills CLI (`npx
skills add`) and Claude Code plugins
- Links skill names directly to their source on GitHub instead of
rendering full skill content inline
- Removes the dynamic `[slug]` route, sidebar nav injection, and local
skill example files
### Navigation Structure
```
Start
> AI Tools
> Agent Skills (new)
> Prompts (existing)
> Supabase MCP server (existing)
```
Closes
[AI-361](https://linear.app/supabase/issue/AI-361/create-skills-documentation-page-in-ai-tooling-docs)
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## Summary
Customers were upgrading to Pro to clear service restrictions, unaware
that restrictions aren't lifted immediately when the billing cycle
resets — there's a delay. This adds a clarifying note to both the docs
FAQ and the Studio restricted alert so users know what to expect.
Note: upgrading your plan or disabling spend cap *does* lift
restrictions immediately (unchanged). The delay only applies to the
billing-cycle-reset path for usage-limit violations.
## Changes
- `billing-faq.mdx`: Removes the implication that restrictions clear the
moment the billing period resets; adds "Note that there may be a short
delay after your billing period resets before restrictions are fully
lifted"
- `Restriction.tsx`: Updates the restricted alert to make clear that
upgrading lifts restrictions immediately, while the billing-reset path
may have a delay
## Testing
To test the Studio banner, find or create an org with
`restriction_status === 'restricted'`, or temporarily hardcode
`shownAlert = 'restricted'` in `Restriction.tsx` to preview:
- [x] Restricted alert reads clearly and distinguishes immediate
(upgrade) vs delayed (billing reset) paths
- [x] Docs FAQ answer under "How can I remove restrictions" reads
correctly with the new caveat
## Linear
- fixes GROWTH-704
The [`docs-mgmt-api-update`
workflow](https://github.com/supabase/supabase/blob/master/.github/workflows/docs-mgmt-api-update.yml#L21)
uses `sparse-checkout`, only pulling `apps/docs` and patches. After PR
#42987, the Makefile's `redocly` commands were changed to run via `pnpm
exec` `redocly` from `packages/generator`, but that directory was never
checked out, causing the can't `cd` error. Adding `packages/generator`
to `sparse-checkout` makes the existing Makefile dependency explicit in
the workflow.
## Context
Related to the queue table operations feature preview
Adding a "cancel" action in the save queue operation bar for convenience
to clear all changes (instead of having to go into the review panel)
Also aligning the positioning of the CTAs to match the review panel
- "Review" imo is a secondary action, while "Save" or "Cancel" are the
primary ones
- Hence am shifting the "review" CTA to the left, contextually beside
the number of pending changes text
<img width="449" height="100" alt="image"
src="https://github.com/user-attachments/assets/c3faa6c1-e244-40ee-b251-44ab1e785c6e"
/>
- This also aligns with the CTA placements in the review panel
<img width="502" height="71" alt="image"
src="https://github.com/user-attachments/assets/35b7de0a-dbf4-4e8a-acef-53508c9b13b9"
/>
- Also removed plural grammar for the button CTAs - thinking thats not
necessary, wanna keep button CTA texts short and sweet + The "x pending
change(s)" also captures the plurality
## Context
Shifts all remaining dashboard queries into pg-meta so that we
centralize all manually written queries in one place
Having them in packages/pg-meta also allows us to write tests for them
## To test
Just needs a smoke test on
- Role Impersonation
- Lints
- Data API
- Database
- Enumerated Types
- Integrations
- Foreign Data Wrappers
- Vault
## Description
Fixes#43800
When editing SMTP settings while custom SMTP is already enabled, the
form footer was incorrectly displaying "Rate limit for sending emails
will be increased to 30". The rate limit is only set during the initial
enable transition, so the message and submit behavior were out of sync.
## Changes
This fix aligns the footer message with the submit logic (Option A from
the issue):
- **Enabling SMTP**: Shows rate limit increase message
- **Already enabled, editing settings**: Shows "Custom SMTP settings
will be updated"
- **Disabling SMTP**: Shows rate limit reduction message
## Testing
1. Go to Authentication → SMTP Settings
2. Enable custom SMTP and save (rate limit is set to 30)
3. Edit any SMTP field (e.g. change host or port)
4. Footer now correctly shows "Custom SMTP settings will be updated"
instead of the rate limit message
Made with [Cursor](https://cursor.com)
---------
Co-authored-by: vj2303 <vishnu.jangid@ax-ia.ai>
Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
## Context
Edge functions code editor which uses the FileExplorerAndEditor
component doesn't resize when the viewport shrinks
This PR fixes that + also refactors the FileExplorerAndEditor a bit to
resolve the lint issue with `nodeRenderer` by refactoring the prop into
a renderer that uses `useCallback`
This version fixes a problem in which the upgrade button was not
enabled. The last two versions (1.0.29 and 1.0.30) of
`stripe-experiment-sync` package returned version 1.0.28 from the
exported function `getCurrentVersion`. The `getCurrentVersion` function
is used by studio code to show the upgrade button if the installed
version is lower than the current version. Version 1.0.31 fixes this
bug.
## What kind of change does this PR introduce?
Chore that references DEPR-394.
## What is the current behavior?
Key/value editors for headers are implemented separately in multiple
places.
## What is the new behavior?
DEPR-394 is consolidating repeated RHF field-array UIs across Studio and
the design system.
- adds a shared `KeyValueFieldArray` component in `ui-patterns`
- adds a shared `httpHeaderAddActions` helper for preset header rows
- migrates the key/value header editors in:
- Platform Webhooks
- Cron Jobs HTTP headers
- Database Webhooks HTTP headers
- documents the key/value pattern in the design system with:
- a dedicated fragment page
- updated forms guidance
- updated form pattern demos
| Preview |
| --- |
| <img width="1102" height="420" alt="CleanShot 2026-03-23 at 12 22
18@2x"
src="https://github.com/user-attachments/assets/f8d23ff9-7063-462f-8074-b400561f77e9"
/> |
## Additional context
This is PR 1 of a 3-PR stack for DEPR-394.
## What kind of change does this PR introduce?
UI fix.
## What is the current behavior?
Form contents overflow horizontally on `SSOConfig`’s `AttributeMapping`
section.
## What is the new behavior?
These form contents no longer overflow.
| Before | After |
| --- | --- |
| <img width="1096" height="997" alt="SSO Organization Settings Toolshed
Supabase-BB366F67-15C9-40A3-8CB7-C0DA7363A2EC"
src="https://github.com/user-attachments/assets/daabcba2-408a-4d44-8bf6-beb0c21d12ed"
/> | <img width="1096" height="997" alt="SSO Organization Settings
Toolshed Supabase-550B04A9-5B3C-4BCE-9CE3-C4B5F516BE35"
src="https://github.com/user-attachments/assets/741f6178-7633-4c6d-87cd-6fdd5d0e4606"
/> |
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## Summary
Fixes several high-impact Sentry errors reported in production.
### Fixed Issues
- **[SUPABASE-APP-EJ3](https://supabase.sentry.io/issues/7356937474/)**
— `TypeError: Cannot read properties of undefined (reading 'direct')`.
`connectionStringPooler` could be `undefined` when the connection source
doesn't match any key in the connection strings map. Added an early
return guard in `resolveConnectionString`.
- **[SUPABASE-APP-B17](https://supabase.sentry.io/issues/7117468199/)**
— `RangeError: Invalid time zone specified: Etc/Unknown`.
`dayjs.tz.guess()` returns `"Etc/Unknown"` for some users with
misconfigured browser/OS timezones. Added a shared
`guessLocalTimezone()` helper that validates the guessed timezone via
`Intl.DateTimeFormat` and falls back to UTC. Applied across all 4 call
sites.
- **[SUPABASE-APP-BCM](https://supabase.sentry.io/issues/7192934901/)**
— `TypeError: Cannot convert undefined or null to object`.
`Object.entries(definition.properties)` crashed when a JSON schema
definition existed but had no `properties` field. Updated the guard to
check `definition?.properties` instead of just `definition`.
- https://supabase.sentry.io/issues/7357780302/?project=5459134
- https://supabase.sentry.io/issues/7358344652/?project=5459134
- https://supabase.sentry.io/issues/7096737077/?project=5459134
## Test plan
- [ ] Verify connect dialog renders without errors when connection data
is still loading
- [ ] Verify API docs Entity view handles schema definitions without
properties
- [ ] Verify charts/tooltips display correct timezone labels
---------
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
This is a prototype for private apps UI. There are no endpoints at the
minute, just wanted to see what a potential flow could look like.
## Problem
When you have many tables, it's hard to follow the relations between
them in the Schema Visualiser
## Solution
When selecting an edge (the line between tables), highlight it along
with the related tables and columns to make it easier.
Also, if there is enough space, display a popover showing the relation
details
## Screencasts
https://github.com/user-attachments/assets/11d35fa7-3674-4f13-b77f-8ebe25c66b04
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the current behavior?
There is a 401 guide
## What is the new behavior?
This is an improved version of the same guide
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## Summary
- fix the Studio SQL row formatter to emit raw boolean and numeric
literals instead of quoted strings
- serialize text array members as SQL string literals inside
`ARRAY[...]`
- escape fallback string formats outside `text`/`varchar`, and add
regression coverage for that path
Closes#44024
## Test plan
- [x] Ran a direct `tsx` smoke against `formatTableRowsToSQL()` for the
`storage.buckets` case and confirmed it now emits `true`, `false`,
`10485760`, and `ARRAY['image/*']`
- [x] Ran focused formatter smokes for JSON escaping, text arrays, and
fallback string formats like `citext`
- [x] `pnpm --filter studio test -- TableEntity.utils.test.ts`
Note: the targeted Vitest run is still blocked in this environment
before the test executes (`localStorage.getItem is not a function`).
---------
Co-authored-by: Alaister Young <alaister@users.noreply.github.com>
## Problem
The Query Performance page loaded all results in a single query with a
fixed limit of 20 rows, giving users no way to browse beyond the first
page. There was also no way to control how many rows were shown at once.
## Fix
adds pagination
## How to test
- Navigate to `/observability/query-performance` in Studio
- scroll to bottom
- should automatically load more results
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This PR updates @supabase/*-js libraries to version 2.100.0.
**Source**: supabase-js-stable-release
**Changes**:
- Updated @supabase/supabase-js to 2.100.0
- Updated @supabase/auth-js to 2.100.0
- Updated @supabase/realtime-js to 2.100.0
- Updated @supabase/postgest-js to 2.100.0
- Refreshed pnpm-lock.yaml
This PR was created automatically.
Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update to `humans.txt` to add `Colum Ferry`
## What is the current behavior?
`Colum Ferry` does not exist in `humans.txt`
## What is the new behavior?
`Colum Ferry` exists in `humans.txt`
"Linking.useURL()" has been deprecated in Expo. This updates the example
to use the recommended "useLinkingURL()" hook, which provides the same
functionality for handling initial and subsequent deep links.
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the current behavior?
The Expo example code uses "Linking.useURL()", which is now marked as
deprecated in Expo SDK 50+ and produces a TypeScript warning.
## What is the new behavior?
The example now uses the recommended "useLinkingURL()" hook from
"expo-linking". This prevents deprecation warnings for developers
adopting this example. The functionality (handling initial and
subsequent deep links) remains exactly the same.
## Additional context
Expo Linking documentation:
https://docs.expo.dev/versions/latest/sdk/linking/
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Add docs for the custom OAuth & OIDC providers
## Notes
- Pricing to be clarified. Until now, we allow 3 providers per project.
- Dashboard instructions will be updated after dashboard is finalized.
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
