mirror of
https://github.com/supabase/supabase.git
synced 2026-07-05 13:14:36 +08:00
193 lines
6.8 KiB
Plaintext
193 lines
6.8 KiB
Plaintext
---
|
|
title: 'APIs'
|
|
description: 'Supabase APIs'
|
|
---
|
|
|
|
# APIs
|
|
|
|
## Overview
|
|
|
|
Supabase generates APIs directly from your database schema. The API is:
|
|
|
|
- Instant and auto-generated: as you update your database the changes are immediately accessible through your API.
|
|
- Self documenting: Supabase generates documentation in the Dashboard which updates as you make database changes.
|
|
- Secure: the API is configured to work with PostgreSQL's Row Level Security, provisioned behind an API gateway with key-auth enabled.
|
|
- Fast: our benchmarks for basic reads are more than 300% faster than Firebase. The API is a very thin layer on top of Postgres, which does most of the heavy lifting.
|
|
- Scalable: the API can serve thousands of simultaneous requests, and works well for Serverless workloads.
|
|
|
|
### RESTful API
|
|
|
|
Supabase provides a RESTful API using [PostgREST](https://postgrest.org/). This is a very thin API layer on top of Postgres. It provides everything you need from a CRUD API:
|
|
|
|
- Basic CRUD operations
|
|
- Deeply nested joins, allowing you to fetch data from multiple tables in a single fetch
|
|
- Works with Postgres Views
|
|
- Works with Postgres Functions
|
|
- Works with the Postgres security model - including Row Level Security, Roles, and Grants.
|
|
|
|
<iframe width="560" height="315" src="https://www.youtube.com/embed/rPAJJFdtPw0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
|
|
|
|
### Realtime API
|
|
|
|
Supabase provides a [Realtime](https://github.com/supabase/realtime) API using Realtime. You can use this to listen to database changes over websockets. Realtime leverages PostgreSQL's built-in logical replication. You can manage your Realtime API simply by managing Postgres publications.
|
|
|
|
## Getting started
|
|
|
|
After you have added tables or functions to your database, you can use the API.
|
|
|
|
### Creating API Routes
|
|
|
|
API routes are automatically created when you create Postgres Tables, Views, or Functions.
|
|
|
|
Let's create our first API route by creating a table called `todos` (which will store some public user information). This will create a corresponding route `todos` which can accept `GET`, `POST`, `PATCH`, & `DELETE` requests.
|
|
|
|
<!--
|
|
TODO: Tabs
|
|
Tab name: UI
|
|
1. Go to the "Table editor" section.
|
|
2. Click "New Table".
|
|
3. Enter the table name "todos".
|
|
4. Click "Save".
|
|
5. Click "New Column".
|
|
6. Enter the column name "task" and make the type "text".
|
|
7. Click "Save".
|
|
|
|
Tab name: SQL
|
|
-- Create a table called "todos" with a column to store tasks.
|
|
|
|
create table todos (
|
|
id bigint generated by default as identity primary key,
|
|
task text check (char_length(task) > 3)
|
|
);
|
|
|
|
-->
|
|
|
|
|
|
<video width="99%" playsinline controls>
|
|
<source src="/docs/videos/api/api-create-table-sm.mp4" type="video/mp4" playsInline />
|
|
</video>
|
|
|
|
### API URL and Keys
|
|
|
|
Every Supabase project has a unique API URL. Your API is secured behind an API gateway which requires an API Key for every request.
|
|
|
|
You can find the Keys inside the Dashboard.
|
|
|
|
<!--
|
|
Tabs
|
|
tab name: UI
|
|
|
|
-->
|
|
```
|
|
1. Go to the "Settings" section.
|
|
2. Click "API" in the sidebar.
|
|
3. Find your API URL in this page.
|
|
4. Find your "anon" and "service_role" keys on this page.
|
|
```
|
|
|
|
**Details and links:**
|
|
|
|
You are provided with two keys initially:
|
|
|
|
- an `anon` key, which is safe to be used in a browser context.
|
|
- a `service_role` key, which should only be used on a server. This key can bypass Row Level Security.
|
|
|
|
### Accessing the Docs
|
|
|
|
Supabase generates documentation in the Dashboard which updates as you make database changes.
|
|
|
|
Let's view the documentation for the todos table which we created in the first step.
|
|
|
|
<!--
|
|
Todo: Tabs
|
|
Tab name: UI
|
|
-->
|
|
|
|
```
|
|
1. Go to the "API" section.
|
|
2. Find "todos" in the "Tables and Views" section.
|
|
3. Switch between the Javascript and the cURL docs using the tabs.
|
|
```
|
|
|
|
### Using the API
|
|
|
|
You can interact with your API directly via HTTP requests, or you can use the client libraries which we provide.
|
|
|
|
Let's see how to make a request to the `todos` table which we created in the first step, using the API URL (`[SUPABASE_URL]`) and Key (`[SUPABASE_ANON_KEY]`) we provided:
|
|
|
|
<!--
|
|
TODO: Tabs
|
|
|
|
Tab name: Javascript
|
|
|
|
// Initialize the JS client
|
|
import { createClient } from '@supabase/supabase-js'
|
|
const supabase = createClient([SUPABASE_URL], [SUPABASE_ANON_KEY])
|
|
|
|
// Make a request
|
|
let { data: todos, error } = await supabase
|
|
.from('todos')
|
|
.select('*')
|
|
|
|
Tab name: cURL
|
|
# Append /rest/v1/ to your URL, and then use the table name as the route
|
|
curl '[SUPABASE_URL]/rest/v1/todos' \
|
|
-H "apikey: [SUPABASE_ANON_KEY]" \
|
|
-H "Authorization: Bearer SUPABASE_ANON_KEY"
|
|
|
|
-->
|
|
|
|
|
|
**Details and links:**
|
|
|
|
- When you create a table in Postgres, Row Level Security is disabled by default. Make sure you secure it by [enabling RLS](https://supabase.com/docs/guides/api#securing-your-routes).
|
|
- Never expose the service_role key in a browser or anywhere where a user can see it.
|
|
- JS Reference: [select()](https://supabase.com/docs/reference/javascript/select), [insert()](https://supabase.com/docs/reference/javascript/insert), [update()](https://supabase.com/docs/reference/javascript/update), [upsert()](https://supabase.com/docs/reference/javascript/upsert), [delete()](https://supabase.com/docs/reference/javascript/delete), [rpc()](https://supabase.com/docs/reference/javascript/rpc) (call Postgres functions).
|
|
|
|
### Managing Realtime
|
|
The Realtime API works through PostgreSQL's replication functionality. Postgres sends database changes to a "publication" called `supabase_realtime`, and by managing this publication you can control which data is broadcast.
|
|
|
|
By default Realtime is disabled on your database. Let's turn on Realtime for the `todos` table.
|
|
|
|
<!--
|
|
TODO: Tabs
|
|
Tab name: UI
|
|
1. Go to the "Database" section.
|
|
2. Click on "Replication" in the sidebar.
|
|
3. Control which database events are sent by toggling the Insert/Update/Delete toggles.
|
|
4. Control which tables broadcast changes by clicking into the "Source" and toggling the tables.
|
|
|
|
Tab name: SQL
|
|
alter publication supabase_realtime add table products;
|
|
-->
|
|
|
|
|
|
**Details and links:**
|
|
|
|
- You should only turn on realtime for Public tables (where all data should be accessible).
|
|
- [JS Reference](https://supabase.com/docs/reference/javascript/subscribe): Subscribe to database changes using the realtime client
|
|
|
|
### Securing your Routes
|
|
|
|
<!--
|
|
TODO: Tabs
|
|
|
|
Tab name: UI
|
|
1. Go to the "Authentication" section.
|
|
2. Click on "Policies" in the sidebar.
|
|
3. Click on the Padlock to enable Row Level Security.
|
|
|
|
Tab name: SQL
|
|
alter table todos enable row level security;
|
|
>
|
|
|
|
-->
|
|
|
|
**Details and links:**
|
|
- Your API is designed to work with Postgres Row Level Security. If you use Supabase [Auth](https://supabase.com/docs/guides/auth), you can restrict data based on the logged-in user.
|
|
- To control access to your data, you can use [Policies](https://supabase.com/docs/guides/auth#policies).
|
|
|
|
|
|
|
|
|