supabase/apps/docs/content/guides/functions/secrets.mdx

---
id: 'functions-secrets'
title: 'Environment Variables'
description: 'Managing secrets and environment variables.'
subtitle: 'Manage sensitive data securely across environments.'
---
## Default secrets
Edge Functions have access to these secrets by default:
- `SUPABASE_URL`: The API gateway for your Supabase project
- `SUPABASE_DB_URL`: The URL for your Postgres database. You can use this to connect directly to your database
- `SUPABASE_PUBLISHABLE_KEYS`: The `publishable` keys JSON dictionary for your Supabase API. This is safe to use in a browser when you have Row Level Security enabled
- `SUPABASE_SECRET_KEYS`: The `secret` keys JSON dictionary for your Supabase API. This is safe to use in Edge Functions, but it should NEVER be used in a browser. This key will bypass Row Level Security
- `SUPABASE_JWKS`: The JSON Web Key Set used to verify user JWTs. This is the same value served at `https://<project-ref>.supabase.co/auth/v1/.well-known/jwks.json`
Legacy keys:
- `SUPABASE_ANON_KEY`: The `anon` key for your Supabase API. This is safe to use in a browser when you have Row Level Security enabled
- `SUPABASE_SERVICE_ROLE_KEY`: The `service_role` key for your Supabase API. This is safe to use in Edge Functions, but it should NEVER be used in a browser. This key will bypass Row Level Security
In a hosted environment, functions have access to the following environment variables:
- `SB_REGION`: The region in which the function was invoked
- `SB_EXECUTION_ID`: A UUID identifying the function instance ([isolate](/docs/guides/functions/architecture#4-execution-mechanics-fast-and-isolated))
- `DENO_DEPLOYMENT_ID`: Version of the function code (`{project_ref}_{function_id}_{version}`)
---
## Accessing environment variables
You can access environment variables using Deno's built-in handler by passing it the name of the environment variable you'd like to access.
```js
Deno.env.get('NAME_OF_SECRET')
```
For example, in a function:
```ts
import { createClient } from 'npm:@supabase/supabase-js@2'

const SUPABASE_PUBLISHABLE_KEYS = JSON.parse(Deno.env.get('SUPABASE_PUBLISHABLE_KEYS')!)

// For user-facing operations (respects RLS)
const supabase = createClient(
  Deno.env.get('SUPABASE_URL')!,
  // If you want to use a different api key, change 'default' to your preferred key name
  SUPABASE_PUBLISHABLE_KEYS['default']
)

const SUPABASE_SECRET_KEYS = JSON.parse(Deno.env.get('SUPABASE_SECRET_KEYS')!)

// For admin operations (bypasses RLS)
const supabaseAdmin = createClient(
  Deno.env.get('SUPABASE_URL')!,
  // If you want to use a different api key, change 'default' to your preferred key name
  SUPABASE_SECRET_KEYS['default']
)
```
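The snippet above relies on `!` and a bare `JSON.parse`, so a missing or malformed variable only surfaces as a generic runtime error, and a logged parser message can echo part of the raw value. The following is an added example, not part of the Supabase docs or client library, of a loader that fails closed with messages naming only the variable and key name. `loadApiKey`, `describeFailure`, `EnvGetter` and the sample values are hypothetical names constructed for illustration.

```typescript
// Added example; `getEnv` stands in for Deno.env.get so this also runs outside Deno.
type EnvGetter = (name: string) => string | undefined

// Parse one of the JSON key dictionaries (SUPABASE_PUBLISHABLE_KEYS or
// SUPABASE_SECRET_KEYS) and return the named key. Error messages contain the
// variable name and key name only, never the secret value.
function loadApiKey(getEnv: EnvGetter, variable: string, keyName = 'default'): string {
  const raw = getEnv(variable)
  if (raw === undefined || raw.trim() === '') {
    throw new Error(`${variable} is not set`)
  }
  let parsed: unknown
  try {
    parsed = JSON.parse(raw)
  } catch {
    // Drop the parser's own message: it can quote a fragment of `raw`.
    throw new Error(`${variable} is not valid JSON`)
  }
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new Error(`${variable} is not a JSON dictionary`)
  }
  const value = (parsed as Record<string, unknown>)[keyName]
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`${variable} has no key named "${keyName}"`)
  }
  return value
}

// Constructed sample environment; the values are placeholders, not real keys.
const sampleEnv: Record<string, string> = {
  SUPABASE_PUBLISHABLE_KEYS: '{"default":"placeholder-publishable"}',
  SUPABASE_SECRET_KEYS: '{"default":"placeholder-secret","billing":"placeholder-billing"}',
}
const fromSample: EnvGetter = (name) => sampleEnv[name]

// Returns the failure message (or null on success) so a startup check can report it.
function describeFailure(getEnv: EnvGetter, variable: string, keyName?: string): string | null {
  try {
    loadApiKey(getEnv, variable, keyName)
    return null
  } catch (err) {
    return err instanceof Error ? err.message : String(err)
  }
}
```

In an Edge Function, pass `(name) => Deno.env.get(name)` as `getEnv` and call `loadApiKey` once at module load, so a misconfigured deployment fails before it handles a request.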
---
### Local secrets
In development, you can load environment variables in two ways:
1. Through an `.env` file placed at `supabase/functions/.env`, which is automatically loaded on `supabase start`
2. Through the `--env-file` option for `supabase functions serve`. This allows you to use custom file names like `.env.local` to distinguish between different environments.
```bash
supabase functions serve --env-file .env.local
```
<Admonition type="caution">
Never check your `.env` files into Git! Instead, add the path to this file to your `.gitignore`.
</Admonition>
We can automatically access the secrets in our Edge Functions through Deno's handler:
```tsx
const secretKey = Deno.env.get('STRIPE_SECRET_KEY')
```
Now we can invoke our function locally. If you're using the default `.env` file at `supabase/functions/.env`, it's automatically loaded:
```bash
supabase functions serve hello-world
```
Or you can specify a custom `.env` file with the `--env-file` flag:
```bash
supabase functions serve hello-world --env-file .env.local
```
This is useful for managing different environments (development, staging, etc.).
---
### Production secrets
You will also need to set secrets for your production Edge Functions. You can do this via the Dashboard or using the CLI.
**Using the Dashboard**:
1. Visit the [Edge Function Secrets Management](/dashboard/project/_/functions/secrets) page in your Dashboard.
2. Add the Key and Value for your secret and press Save.
<Image
alt="Edge Functions Secrets Management"
src={{
light: '/docs/img/edge-functions-secrets--light.jpg',
dark: '/docs/img/edge-functions-secrets.jpg',
}}
width={3757}
height={1525}
/>
Note that you can paste multiple secrets at a time.
**Using the CLI**
You can create a `.env` file to help deploy your secrets to production:
```bash
# .env
STRIPE_SECRET_KEY=sk_live_...
```
<Admonition type="caution">
Never check your `.env` files into Git! Instead, add the path to this file to your `.gitignore`.
</Admonition>
You can push all the secrets from the `.env` file to your remote project using `supabase secrets set`. This makes the environment visible in the dashboard as well.
```bash
supabase secrets set --env-file .env
```
Alternatively, this command also allows you to set production secrets individually rather than storing them in a `.env` file.
```bash
supabase secrets set STRIPE_SECRET_KEY=sk_live_...
```
To see all the secrets that you have set remotely, use `supabase secrets list`:
```bash
supabase secrets list
```
<Admonition type="note">
You don't need to re-deploy after setting your secrets. They're available immediately in your
functions.
</Admonition>