Supabase connector
OAuth 2.0DatabasesDeveloper ToolsConnect to the Supabase Management API to manage organizations, projects, database branches, API keys, secrets, custom domains, network restrictions...
Supabase connector
-
Install the SDK
Section titled “Install the SDK”Terminal window npm install @scalekit-sdk/nodeTerminal window pip install scalekit -
Set your credentials
Section titled “Set your credentials”Add your Scalekit credentials to your
.envfile. Find values in app.scalekit.com > Developers > API Credentials..env SCALEKIT_ENVIRONMENT_URL=<your-environment-url>SCALEKIT_CLIENT_ID=<your-client-id>SCALEKIT_CLIENT_SECRET=<your-client-secret> -
Set up the connector
Section titled “Set up the connector”Dashboard setup steps
Register your Scalekit environment with Supabase so Scalekit handles the OAuth flow and token lifecycle for your users. Create a Supabase OAuth app, then add its Client ID and Client Secret to your Scalekit connection.
-
Copy the redirect URI from Scalekit
-
In the Scalekit dashboard, go to AgentKit > Connections > Create Connection. Find Supabase and click Create.
-
Click Use your own credentials and copy the redirect URI. It looks like
https://<SCALEKIT_ENVIRONMENT_URL>/sso/v1/oauth/<CONNECTION_ID>/callback.
-
-
Create an OAuth app in Supabase
-
Sign in to the Supabase dashboard and go to your organization’s Settings > OAuth Apps.
-
Under Published apps, click Publish OAuth app.
-
Give the app a Name (for example,
Agent Connect).
-
-
Add the redirect URI
-
Open the app you created and add the redirect URI you copied from Scalekit under Authorization callback URLs.
-
Click Add URL, then save your changes.
-
-
Copy your Client ID and Client Secret
-
Copy the Client ID shown in the Published apps table, or from the app’s detail panel next to the app name.
-
Under Client secrets, click Generate new secret and copy it immediately — Supabase only shows the full secret once.

-
-
Add credentials in Scalekit
- Return to the connection you created in Scalekit and enter:
- Client ID — from your Supabase OAuth app
- Client Secret — from your Supabase OAuth app
- Click Save.
- Return to the connection you created in Scalekit and enter:
-
-
Authorize and make your first call
Section titled “Authorize and make your first call”quickstart.ts import { ScalekitClient } from '@scalekit-sdk/node'import 'dotenv/config'const scalekit = new ScalekitClient(process.env.SCALEKIT_ENV_URL,process.env.SCALEKIT_CLIENT_ID,process.env.SCALEKIT_CLIENT_SECRET,)const actions = scalekit.actionsconst connector = 'supabase'const identifier = 'user_123'// Generate an authorization link for the userconst { link } = await actions.getAuthorizationLink({ connectionName: connector, identifier })console.log('Authorize Supabase:', link)process.stdout.write('Press Enter after authorizing...')await new Promise(r => process.stdin.once('data', r))// Make your first callconst result = await actions.executeTool({connector,identifier,toolName: 'supabase_list_organizations',toolInput: {},})console.log(result)quickstart.py import osfrom scalekit.client import ScalekitClientfrom dotenv import load_dotenvload_dotenv()scalekit_client = ScalekitClient(env_url=os.getenv("SCALEKIT_ENV_URL"),client_id=os.getenv("SCALEKIT_CLIENT_ID"),client_secret=os.getenv("SCALEKIT_CLIENT_SECRET"),)actions = scalekit_client.actionsconnection_name = "supabase"identifier = "user_123"# Generate an authorization link for the userlink_response = actions.get_authorization_link(connection_name=connection_name,identifier=identifier,)print("Authorize Supabase:", link_response.link)input("Press Enter after authorizing...")# Make your first callresult = actions.execute_tool(tool_input={},tool_name="supabase_list_organizations",connection_name=connection_name,identifier=identifier,)print(result)
What you can do
Section titled “What you can do”Connect this agent connector to let your agent:
- Hostname activate custom — [Beta] Activate a previously initialized custom hostname for a Supabase project
- Config activate vanity subdomain, deactivate vanity subdomain, verify dns — [Beta] Activate a vanity subdomain for a Supabase project, giving it a custom *.supabase.co-style subdomain instead of the project ref-based domain
- Migration apply, patch, upsert — Apply a new database migration to a Supabase project by running the given SQL and recording it in the project’s migration history
- Access authorize jit — Authorize a just-in-time (JIT) request to assume a Postgres role in a Supabase project’s database from a specific remote host
- Create bulk, branch, login role — Create multiple Edge Function secrets in a single call and add them to the specified Supabase project
- Delete bulk, branch, function — [DESTRUCTIVE, IRREVERSIBLE] Permanently delete one or more secrets (Edge Function environment variables) from a Supabase project by name
Tool list
Section titled “Tool list”Use the exact tool names from the Tool list below when you call execute_tool. If you’re not sure which name to use, list the tools available for the current user first.
supabase_activate_custom_hostname#[Beta] Activate a previously initialized custom hostname for a Supabase project. Call this after the DNS configuration has been verified (see Verify DNS Config) to make the custom hostname live. Requires only the project ref. Returns the current hostname configuration status and Cloudflare-backed detail.1 param
[Beta] Activate a previously initialized custom hostname for a Supabase project. Call this after the DNS configuration has been verified (see Verify DNS Config) to make the custom hostname live. Requires only the project ref. Returns the current hostname configuration status and Cloudflare-backed detail.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_activate_vanity_subdomain_config#[Beta] Activate a vanity subdomain for a Supabase project, giving it a custom *.supabase.co-style subdomain instead of the project ref-based domain. Only available on the Pro, Team, or Enterprise organization plan. Requires the project ref and the desired vanity_subdomain (check availability first with the Check Vanity Subdomain Availability tool). Returns the resulting custom_domain.2 params
[Beta] Activate a vanity subdomain for a Supabase project, giving it a custom *.supabase.co-style subdomain instead of the project ref-based domain. Only available on the Pro, Team, or Enterprise organization plan. Requires the project ref and the desired vanity_subdomain (check availability first with the Check Vanity Subdomain Availability tool). Returns the resulting custom_domain.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.vanity_subdomainstringrequiredThe desired vanity subdomain label (up to 63 characters), e.g. 'acme-prod'. The resulting domain will be <vanity_subdomain>.supabase.co.supabase_apply_migration#Apply a new database migration to a Supabase project by running the given SQL and recording it in the project's migration history. Optionally name the migration and provide rollback SQL. Note: this endpoint is only available to selected partner OAuth apps and may return a 403 for other apps. Supply an Idempotency-Key header value to ensure the same migration is only tracked once if the request is retried. Requires the project ref and a query.5 params
Apply a new database migration to a Supabase project by running the given SQL and recording it in the project's migration history. Optionally name the migration and provide rollback SQL. Note: this endpoint is only available to selected partner OAuth apps and may return a 403 for other apps. Supply an Idempotency-Key header value to ensure the same migration is only tracked once if the request is retried. Requires the project ref and a query.
querystringrequiredThe SQL statements to run as this migration. Cannot be empty.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.idempotency_keystringoptionalA unique key to ensure the same migration is tracked only once, even if this request is retried. Sent as the Idempotency-Key header.namestringoptionalOptional name for the migration, used to build the migration's file/version label.rollbackstringoptionalOptional SQL statements that undo this migration, stored alongside it in the migration history for reference.supabase_authorize_jit_access#Authorize a just-in-time (JIT) request to assume a Postgres role in a Supabase project's database from a specific remote host. Requires the project ref, the role name to assume (e.g., postgres), and the requesting host's IP address (rhost). Returns the authorized user_id and the resulting user_role details, including expiry and any allowed network CIDRs.3 params
Authorize a just-in-time (JIT) request to assume a Postgres role in a Supabase project's database from a specific remote host. Requires the project ref, the role name to assume (e.g., postgres), and the requesting host's IP address (rhost). Returns the authorized user_id and the resulting user_role details, including expiry and any allowed network CIDRs.
refstringrequiredProject reference ID (the 20-character lowercase project ref shown in the Supabase dashboard URL).rhoststringrequiredIP address of the host requesting database role access. Example: 203.0.113.10.rolestringrequiredThe Postgres role name to authorize for this session. Example: postgres.supabase_bulk_create_secrets#Create multiple Edge Function secrets in a single call and add them to the specified Supabase project. Provide an array of {name, value} objects. Secret names must not start with the SUPABASE_ prefix, which is reserved. Existing secrets with the same name are overwritten.2 params
Create multiple Edge Function secrets in a single call and add them to the specified Supabase project. Provide an array of {name, value} objects. Secret names must not start with the SUPABASE_ prefix, which is reserved. Existing secrets with the same name are overwritten.
refstringrequiredThe project ref to create secrets in. A 20-character lowercase string that uniquely identifies a Supabase project. Example: 'abcdefghijklmnopqrst'.secretsarrayrequiredArray of secret objects to create, each with a 'name' (must not start with SUPABASE_, max 256 chars) and a 'value' (max 24576 chars). Example: [{"name":"OPENAI_API_KEY","value":"sk-example-secret"}].supabase_bulk_delete_secrets#[DESTRUCTIVE, IRREVERSIBLE] Permanently delete one or more secrets (Edge Function environment variables) from a Supabase project by name. Once deleted, the secret's value cannot be recovered, and any Edge Function that reads the deleted secret at runtime will get an undefined/missing value the next time it is invoked, which can cause those functions to fail or misbehave immediately. Double-check the secret names before calling this — there is no confirmation step and no way to undo the deletion. Requires the project ref and an array of secret names to delete.2 params
[DESTRUCTIVE, IRREVERSIBLE] Permanently delete one or more secrets (Edge Function environment variables) from a Supabase project by name. Once deleted, the secret's value cannot be recovered, and any Edge Function that reads the deleted secret at runtime will get an undefined/missing value the next time it is invoked, which can cause those functions to fail or misbehave immediately. Double-check the secret names before calling this — there is no confirmation step and no way to undo the deletion. Requires the project ref and an array of secret names to delete.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.secret_namesarrayrequiredArray of secret names to permanently delete from the project. Example: ["OPENAI_API_KEY", "STRIPE_SECRET_KEY"]. Use the List Secrets tool first to confirm exact names.supabase_bulk_update_functions#Bulk update Edge Functions for a Supabase project. Creates a new function or replaces an existing one for each entry provided; the operation is idempotent but you must manually bump each function's version to force redeployment. Requires the project ref and an array of function objects (id, slug, name, status, version required per entry). Returns the resulting list of functions.2 params
Bulk update Edge Functions for a Supabase project. Creates a new function or replaces an existing one for each entry provided; the operation is idempotent but you must manually bump each function's version to force redeployment. Requires the project ref and an array of function objects (id, slug, name, status, version required per entry). Returns the resulting list of functions.
functionsarrayrequiredArray of function objects to create or replace. Each item requires id, slug, name, status (ACTIVE, REMOVED, or THROTTLED), and version. Optional fields: created_at (unix epoch ms), verify_jwt, import_map, entrypoint_path, import_map_path, ezbr_sha256. Example: [{"id": "3c078cce-ad70-4148-9f37-4da362789053", "slug": "hello-world", "name": "Hello World", "status": "ACTIVE", "version": 2, "verify_jwt": true, "entrypoint_path": "index.ts"}]refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_cancel_project_restoration#Cancel an in-progress restoration of a Supabase project (e.g. a restore from backup or pause/unpause restore). Has no request body; returns an empty 200 response on success. Calling this when no restoration is in progress may return an error.1 param
Cancel an in-progress restoration of a Supabase project (e.g. a restore from backup or pause/unpause restore). Has no request body; returns an empty 200 response on success. Calling this when no restoration is in progress may return an error.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_check_vanity_subdomain_availability#[Beta] Check whether a vanity subdomain label is available for a Supabase project before activating it. Only available on the Pro, Team, or Enterprise organization plan. Requires the project ref and the vanity_subdomain label to check. Returns an available boolean.2 params
[Beta] Check whether a vanity subdomain label is available for a Supabase project before activating it. Only available on the Pro, Team, or Enterprise organization plan. Requires the project ref and the vanity_subdomain label to check. Returns an available boolean.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.vanity_subdomainstringrequiredThe vanity subdomain label (up to 63 characters) to check for availability, e.g. 'acme-prod'.supabase_create_branch#Create a new database branch (preview environment) from a Supabase project. Requires a unique branch_name. Optionally link a git_branch, mark it persistent, set the region/instance size/Postgres engine/release channel, seed initial secrets, copy production data, or register a notify_url webhook. Returns the created branch object.12 params
Create a new database branch (preview environment) from a Supabase project. Requires a unique branch_name. Optionally link a git_branch, mark it persistent, set the region/instance size/Postgres engine/release channel, seed initial secrets, copy production data, or register a notify_url webhook. Returns the created branch object.
branch_namestringrequiredUnique name for the new branch, e.g. 'preview-login-page'. Must be at least 1 character.refstringrequiredProject reference ID (20-character lowercase string) to branch from.desired_instance_sizestringoptionalCompute instance size for the branch database.git_branchstringoptionalGit branch to associate with this database branch, e.g. 'feature/login-page'.is_defaultbooleanoptionalWhether this branch should be marked as the default branch for the project.notify_urlstringoptionalHTTP endpoint that Supabase calls with branch status updates, e.g. 'https://example.com/webhooks/branches'.persistentbooleanoptionalWhether the branch should persist (not be automatically cleaned up) rather than being an ephemeral preview branch.postgres_enginestringoptionalPostgres engine version to use for the branch. If not provided, the latest version is used.regionstringoptionalAWS region to deploy the branch's database in, e.g. 'us-east-1'. Defaults to the parent project's region if omitted.release_channelstringoptionalRelease channel to run the branch on. If not provided, GA (general availability) is used.secretsobjectoptionalKey-value map of secrets (environment variables) to seed into the new branch. Example: {"MY_SECRET": "value"}.with_databooleanoptionalWhether to copy data from the parent project's production database into the new branch.supabase_create_login_role#[Beta] Create a temporary Postgres login role for use with the Supabase CLI, with an auto-generated password. Requires the project ref and whether the role should be read_only. Returns the created role name, its temporary password, and ttl_seconds indicating how long the role remains valid.2 params
[Beta] Create a temporary Postgres login role for use with the Supabase CLI, with an auto-generated password. Requires the project ref and whether the role should be read_only. Returns the created role name, its temporary password, and ttl_seconds indicating how long the role remains valid.
read_onlybooleanrequiredWhether the created role should have read-only database access. Set to true for a read-only role, false for read-write.refstringrequiredProject reference ID (the 20-character lowercase project ref shown in the Supabase dashboard URL).supabase_create_organization#Create a new Supabase organization owned by the authenticated user. Requires a name (up to 256 characters). Returns the created organization's id, slug, and name.1 param
Create a new Supabase organization owned by the authenticated user. Requires a name (up to 256 characters). Returns the created organization's id, slug, and name.
namestringrequiredName for the new organization, up to 256 characters, e.g. 'Acme'.supabase_create_project#Create a new Supabase project inside an organization. Requires organization_slug, a project name, and a database password (db_pass). Optionally set the AWS region (deprecated in favor of region_selection), the desired compute instance size, and other advanced options. Returns the created project object including its ref, status, and organization_id.11 params
Create a new Supabase project inside an organization. Requires organization_slug, a project name, and a database password (db_pass). Optionally set the AWS region (deprecated in favor of region_selection), the desired compute instance size, and other advanced options. Returns the created project object including its ref, status, and organization_id.
db_passstringrequiredPassword for the project's Postgres database. Choose a strong, unique password — it cannot be retrieved later, only reset.namestringrequiredName of the project to create. Maximum 256 characters. Example: 'acme-prod'.organization_slugstringrequiredSlug of the organization that will own the project. Required. Example: 'tsrqponmlkjihgfedcba'.desired_instance_sizestringoptionalDesired compute instance size for the new project. Omit to default to the smallest possible size. One of: nano, micro, small, medium, large, xlarge, 2xlarge, 4xlarge, 8xlarge, 12xlarge, 16xlarge, 24xlarge, 24xlarge_optimized_memory, 24xlarge_optimized_cpu, 24xlarge_high_memory, 48xlarge, 48xlarge_optimized_memory, 48xlarge_optimized_cpu, 48xlarge_high_memory.high_availabilitybooleanoptionalExperimental. Whether to enable high availability for the project.kps_enabledbooleanoptionalDeprecated. This field is ignored in this request.organization_idstringoptionalDeprecated. Use organization_slug instead. Numeric/legacy organization identifier.planstringoptionalDeprecated. Subscription plan is now set at the organization level and is ignored in this request. One of: free, pro.regionstringoptionalDeprecated. AWS region the project's server resides in. Prefer region_selection instead. One of: us-east-1, us-east-2, us-west-1, us-west-2, ap-east-1, ap-southeast-1, ap-northeast-1, ap-northeast-2, ap-southeast-2, eu-west-1, eu-west-2, eu-west-3, eu-north-1, eu-central-1, eu-central-2, ca-central-1, ap-south-1, sa-east-1.region_selectionobjectoptionalRegion selection object. Only one of region or region_selection should be specified. Shape is either {"type":"specific","code":"us-east-1"} or {"type":"smartGroup","code":"americas"} (smartGroup codes: americas, emea, apac).template_urlstringoptionalTemplate URL used to create the project from the CLI, as a full URI.supabase_create_project_api_key#Create a new API key for a Supabase project, identified by its project ref. Choose a type (publishable or secret) and a lowercase snake_case name (4-64 chars). Optionally add a description or a secret JWT template. Set reveal=true to include the plaintext key value in the response — otherwise only metadata is returned.6 params
Create a new API key for a Supabase project, identified by its project ref. Choose a type (publishable or secret) and a lowercase snake_case name (4-64 chars). Optionally add a description or a secret JWT template. Set reveal=true to include the plaintext key value in the response — otherwise only metadata is returned.
namestringrequiredName for the new API key. Must be lowercase snake_case, start with a letter or underscore, and be 4-64 characters long. Example: 'ci_secret_key'.refstringrequiredThe project ref to create the API key in. A 20-character lowercase string that uniquely identifies a Supabase project. Example: 'abcdefghijklmnopqrst'.typestringrequiredThe type of API key to create. One of: publishable, secret.descriptionstringoptionalOptional human-readable description of what this key is used for.revealbooleanoptionalWhether to include the plaintext API key value in the response. Defaults to false.secret_jwt_templateobjectoptionalOptional JSON object defining a custom JWT template for this secret key.supabase_create_project_signing_key#Create a new JWT signing key for a Supabase project's Auth service. The new key is created in standby status by default (not yet used to sign new JWTs) unless status is set to in_use. Optionally bring your own private JWK instead of letting Supabase generate one. Returns the created signing key object with id, algorithm, status, public_jwk, and timestamps.4 params
Create a new JWT signing key for a Supabase project's Auth service. The new key is created in standby status by default (not yet used to sign new JWTs) unless status is set to in_use. Optionally bring your own private JWK instead of letting Supabase generate one. Returns the created signing key object with id, algorithm, status, public_jwk, and timestamps.
algorithmstringrequiredThe signing algorithm for the new key.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.private_jwkobjectoptionalOptional bring-your-own private JWK object (JSON Web Key) to use for this signing key instead of having Supabase generate one. Shape depends on the key type (kty: RSA, EC, or oct) and must include the fields required by that key type (e.g. for RSA: kty, n, e, d, p, q, dp, dq, qi).statusstringoptionalThe initial status of the new signing key. Defaults to standby (not yet used to sign new tokens).supabase_create_project_tpa_integration#Create a new third-party auth (TPA) integration for a Supabase project, allowing an external OIDC-compatible identity provider (such as Firebase Auth or Auth0) to issue JWTs that Supabase's API and RLS policies will accept. Provide either oidc_issuer_url (Supabase resolves the JWKS automatically) or jwks_url, or supply a static custom_jwks object directly. Returns the created integration with id, type, and resolved configuration.4 params
Create a new third-party auth (TPA) integration for a Supabase project, allowing an external OIDC-compatible identity provider (such as Firebase Auth or Auth0) to issue JWTs that Supabase's API and RLS policies will accept. Provide either oidc_issuer_url (Supabase resolves the JWKS automatically) or jwks_url, or supply a static custom_jwks object directly. Returns the created integration with id, type, and resolved configuration.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.custom_jwksobjectoptionalA static JSON Web Key Set object to use directly instead of resolving keys dynamically from jwks_url or oidc_issuer_url. Shape: {"keys": [...]}.jwks_urlstringoptionalThe URL of the third-party provider's JSON Web Key Set (JWKS) endpoint, used to verify JWT signatures. Provide this if oidc_issuer_url is not available.oidc_issuer_urlstringoptionalThe OIDC issuer URL of the third-party auth provider. Supabase uses this to auto-discover the provider's JWKS endpoint.supabase_create_restore_point#Create a named restore point for a Supabase project's database. A restore point is a labeled marker of the database's current state that can later be used as a target when restoring backups. This is a safe, non-destructive operation — it only creates a marker and does not modify or overwrite any existing data.2 params
Create a named restore point for a Supabase project's database. A restore point is a labeled marker of the database's current state that can later be used as a target when restoring backups. This is a safe, non-destructive operation — it only creates a marker and does not modify or overwrite any existing data.
namestringrequiredA short, human-readable label for the restore point (max 20 characters). Used later to identify this point when restoring. Example: before-upgrade.refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.supabase_create_sso_provider#Create a new SAML 2.0 SSO provider for a Supabase project's Auth service, enabling users from an identity provider to sign in via SSO. Requires type set to 'saml' plus either metadata_xml or metadata_url describing the identity provider. Optionally restrict the provider to specific email domains and map SAML attributes to user fields. Requires SAML 2.0 support to be enabled for the project. Returns the created provider with id, saml config, and domains.7 params
Create a new SAML 2.0 SSO provider for a Supabase project's Auth service, enabling users from an identity provider to sign in via SSO. Requires type set to 'saml' plus either metadata_xml or metadata_url describing the identity provider. Optionally restrict the provider to specific email domains and map SAML attributes to user fields. Requires SAML 2.0 support to be enabled for the project. Returns the created provider with id, saml config, and domains.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.typestringrequiredThe type of SSO provider to create. Currently only 'saml' is supported.attribute_mappingobjectoptionalMapping of SAML assertion attributes to Supabase user fields. Shape: {"keys": {"<field>": {"name": "<saml_attribute_name>"}}}.domainsarrayoptionalList of email domains that should be routed to this SSO provider for sign-in.metadata_urlstringoptionalURL to the identity provider's SAML metadata XML document. Provide this or metadata_xml (at least one is required by the SAML provider).metadata_xmlstringoptionalThe identity provider's SAML metadata as an inline XML string. Provide this or metadata_url.name_id_formatstringoptionalThe SAML NameID format the identity provider should use when asserting the user's identifier.supabase_deactivate_vanity_subdomain_config#[Beta] Delete a Supabase project's vanity subdomain configuration, removing the custom subdomain and reverting the project's API/Auth URLs to the default Supabase domain. Requires the project ref. Returns 200 with no meaningful body on success.1 param
[Beta] Delete a Supabase project's vanity subdomain configuration, removing the custom subdomain and reverting the project's API/Auth URLs to the default Supabase domain. Requires the project ref. Returns 200 with no meaningful body on success.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_delete_branch#Delete a Supabase database branch (preview environment) by its branch ref. Requires branch_id_or_ref, the branch's project ref (or deprecated UUID branch ID). By default the branch is deleted immediately; set force to false to schedule deletion with a 1-hour grace period instead (only available when soft deletion is enabled for the project). Returns a message field with value 'ok' on success.2 params
Delete a Supabase database branch (preview environment) by its branch ref. Requires branch_id_or_ref, the branch's project ref (or deprecated UUID branch ID). By default the branch is deleted immediately; set force to false to schedule deletion with a 1-hour grace period instead (only available when soft deletion is enabled for the project). Returns a message field with value 'ok' on success.
branch_id_or_refstringrequiredThe branch's project ref (20-character lowercase string) or the deprecated UUID branch ID.forcebooleanoptionalWhether to delete the branch immediately (true, the default) or schedule deletion with a 1-hour grace period (false). Scheduled deletion is only available when soft deletion is enabled for the project.supabase_delete_function#Delete a Supabase Edge Function with the specified slug from a project. Requires the project ref and the function's slug. This permanently removes the function and its deployed code; it cannot be undone. Returns 200 with no meaningful body on success.2 params
Delete a Supabase Edge Function with the specified slug from a project. Requires the project ref and the function's slug. This permanently removes the function and its deployed code; it cannot be undone. Returns 200 with no meaningful body on success.
function_slugstringrequiredSlug (identifier) of the Edge Function to delete, e.g. 'hello-world'. Alphanumeric characters, underscores, and hyphens only.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_delete_hostname_config#[Beta] Delete a Supabase project's custom hostname configuration, removing the custom domain from the project. Requires the project ref. Optionally set remove_addon to true to also remove the custom domain add-on from the project's subscription (default false, which keeps the add-on but clears the hostname configuration). Returns 200 with no meaningful body on success.2 params
[Beta] Delete a Supabase project's custom hostname configuration, removing the custom domain from the project. Requires the project ref. Optionally set remove_addon to true to also remove the custom domain add-on from the project's subscription (default false, which keeps the add-on but clears the hostname configuration). Returns 200 with no meaningful body on success.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.remove_addonbooleanoptionalIf true, also removes the custom domain add-on from the project's subscription in addition to clearing the hostname configuration. Defaults to false.supabase_delete_invite_external_jit_access#Revoke and delete a pending invitation for an external user to receive just-in-time (JIT) database access on a Supabase project. Once deleted, the invite link becomes invalid immediately and the invited user can no longer use it to gain database access. This action is irreversible — a new invite must be created from scratch if access is still needed.2 params
Revoke and delete a pending invitation for an external user to receive just-in-time (JIT) database access on a Supabase project. Once deleted, the invite link becomes invalid immediately and the invited user can no longer use it to gain database access. This action is irreversible — a new invite must be created from scratch if access is still needed.
invite_idstringrequiredThe UUID of the external JIT access invite to revoke and delete. Example: 55555555-5555-4555-8555-555555555555.refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.supabase_delete_jit_access#Remove all just-in-time (JIT) database access mappings for a specific user on a Supabase project, immediately revoking that user's database access. This action takes effect immediately and is irreversible — the user loses direct database access right away and must be re-granted JIT access (via a new invite) if access is needed again.2 params
Remove all just-in-time (JIT) database access mappings for a specific user on a Supabase project, immediately revoking that user's database access. This action takes effect immediately and is irreversible — the user loses direct database access right away and must be re-granted JIT access (via a new invite) if access is needed again.
refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.user_idstringrequiredThe UUID of the user whose JIT database access mappings should be revoked. Example: 55555555-5555-4555-8555-555555555555.supabase_delete_login_roles#[Beta] Delete the existing database login role(s) used by the Supabase CLI for this project. Once deleted, any CLI sessions or scripts relying on those login roles will lose database access immediately and will need to re-authenticate to obtain new roles. This action is irreversible.1 param
[Beta] Delete the existing database login role(s) used by the Supabase CLI for this project. Once deleted, any CLI sessions or scripts relying on those login roles will lose database access immediately and will need to re-authenticate to obtain new roles. This action is irreversible.
refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.supabase_delete_network_bans#[Beta, DESTRUCTIVE] Remove one or more IPv4 addresses from a Supabase project's network ban list, immediately restoring their ability to connect to the project's database and services. This is a security-relevant operation: addresses are usually banned automatically after repeated failed connection attempts, and un-banning an address that was blocked for a legitimate reason (e.g. a compromised or malicious client) re-opens that access path. Only use this to unblock IP addresses you have verified are safe (e.g. your own office/CI IP that was auto-banned). Requires the project ref and an array of IPv4 addresses to unban.4 params
[Beta, DESTRUCTIVE] Remove one or more IPv4 addresses from a Supabase project's network ban list, immediately restoring their ability to connect to the project's database and services. This is a security-relevant operation: addresses are usually banned automatically after repeated failed connection attempts, and un-banning an address that was blocked for a legitimate reason (e.g. a compromised or malicious client) re-opens that access path. Only use this to unblock IP addresses you have verified are safe (e.g. your own office/CI IP that was auto-banned). Requires the project ref and an array of IPv4 addresses to unban.
ipv4_addressesarrayrequiredArray of IPv4 addresses to remove from the project's network ban list. Each address is unbanned immediately and can reconnect to the project right away. Example: ["203.0.113.10", "198.51.100.24"].refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.identifierstringoptionalOptional free-form identifier for this unban request, used for audit/tracking purposes on Supabase's side. Not required for the operation to succeed.requester_ipbooleanoptionalWhether to also include the requester's own public IP address (the caller of this API) in the list of addresses to unban. Defaults to false.supabase_delete_project#[DESTRUCTIVE, IRREVERSIBLE] Permanently delete a Supabase project. This deletes the project's Postgres database, all stored data, all Storage objects, all Edge Functions, all API keys, all backups, and all configuration associated with the project. There is no undo and no recovery once this completes. Anything depending on the project's API URL, database connection string, or API keys will stop working immediately. Only call this when the caller has explicitly confirmed they want the project permanently destroyed. Requires the project ref.1 param
[DESTRUCTIVE, IRREVERSIBLE] Permanently delete a Supabase project. This deletes the project's Postgres database, all stored data, all Storage objects, all Edge Functions, all API keys, all backups, and all configuration associated with the project. There is no undo and no recovery once this completes. Anything depending on the project's API URL, database connection string, or API keys will stop working immediately. Only call this when the caller has explicitly confirmed they want the project permanently destroyed. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only) of the project to permanently delete. Found in the project's Supabase dashboard URL or Settings > General.supabase_delete_project_api_key#[DESTRUCTIVE, IRREVERSIBLE] Permanently delete an API key from a Supabase project by its UUID. Any application, service, or client using this key to authenticate against the project's API loses access immediately and irreversibly — there is no way to restore a deleted key. If the key being deleted is the project's only secret or publishable key, deleting it can break all API access until a replacement key is created. Use the was_compromised and reason parameters to record why the key was deleted for audit purposes. Requires the project ref and the API key's UUID.5 params
[DESTRUCTIVE, IRREVERSIBLE] Permanently delete an API key from a Supabase project by its UUID. Any application, service, or client using this key to authenticate against the project's API loses access immediately and irreversibly — there is no way to restore a deleted key. If the key being deleted is the project's only secret or publishable key, deleting it can break all API access until a replacement key is created. Use the was_compromised and reason parameters to record why the key was deleted for audit purposes. Requires the project ref and the API key's UUID.
idstringrequiredThe UUID of the API key to permanently delete.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.reasonstringoptionalOptional free-form reason describing why this API key is being deleted, recorded for audit purposes.revealbooleanoptionalWhether to include the actual secret value of the deleted API key in the response. Defaults to false (redacted) when omitted.was_compromisedbooleanoptionalWhether this key is being deleted because it was compromised (leaked, exposed publicly, etc). Defaults to false when omitted.supabase_delete_project_tpa_integration#Permanently remove a third-party auth (TPA) integration from a Supabase project's Auth config, identified by its UUID. This disconnects the external OIDC/JWKS-based auth integration; existing JWTs issued by it will no longer be trusted. Requires the project ref and the tpa_id. Returns the deleted integration's details.2 params
Permanently remove a third-party auth (TPA) integration from a Supabase project's Auth config, identified by its UUID. This disconnects the external OIDC/JWKS-based auth integration; existing JWTs issued by it will no longer be trusted. Requires the project ref and the tpa_id. Returns the deleted integration's details.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.tpa_idstringrequiredUUID of the third-party auth integration to remove. Obtain it from the list of configured TPA integrations for the project.supabase_delete_sso_provider#Permanently remove a SAML SSO provider from a Supabase project's Auth config, identified by its UUID. Users authenticating through this provider will lose SSO access until it is reconfigured. Requires the project ref and the provider_id. Returns the deleted provider's SAML config, domains, and timestamps.2 params
Permanently remove a SAML SSO provider from a Supabase project's Auth config, identified by its UUID. Users authenticating through this provider will lose SSO access until it is reconfigured. Requires the project ref and the provider_id. Returns the deleted provider's SAML config, domains, and timestamps.
provider_idstringrequiredUUID of the SSO provider to remove. Obtain it from the list of configured SSO providers for the project.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_deploy_function#Deploy a Supabase Edge Function, creating it if it does not already exist or updating it if it does. Uploads a single source file's contents (as base64) along with metadata describing the entrypoint. Sent as multipart/form-data. Set bundleOnly to true to only validate/bundle without activating the deployment. Requires the project ref, the function's entrypoint path, and the file content.10 params
Deploy a Supabase Edge Function, creating it if it does not already exist or updating it if it does. Uploads a single source file's contents (as base64) along with metadata describing the entrypoint. Sent as multipart/form-data. Set bundleOnly to true to only validate/bundle without activating the deployment. Requires the project ref, the function's entrypoint path, and the file content.
entrypoint_pathstringrequiredRelative path of the function's entrypoint file within the uploaded bundle, e.g. 'index.ts'.file_content_base64stringrequiredBase64-encoded contents of the function's source file (the bundled Deno/TypeScript entrypoint) to upload.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.bundle_onlybooleanoptionalWhen true, only bundles and validates the function without activating the new deployment. Boolean.file_namestringoptionalFilename to use for the uploaded source file, matching the entrypoint_path (e.g. 'index.ts').import_map_pathstringoptionalRelative path of an import map file (deno.json or import_map.json) within the uploaded bundle, if one is used.namestringoptionalDisplay name for the function. If omitted, the slug is used as the display name.slugstringoptionalSlug (identifier) for the function being deployed, e.g. 'hello-world'. If omitted, the slug is derived from metadata.name.static_patternsarrayoptionalOptional array of glob patterns matching additional static files in the bundle that should be served as-is (not executed).verify_jwtbooleanoptionalWhether Supabase should verify a JWT on incoming requests to this function before invoking it.supabase_diff_branch#[Beta] Diff a Supabase database branch against production, returning a plain-text schema diff (SQL statements) that can be reviewed or applied as a migration. Use this to preview schema changes made on a development branch before merging. By default uses the Migra diffing engine; set pgdelta to true to use pg-delta instead. Optionally restrict the diff to specific schemas.3 params
[Beta] Diff a Supabase database branch against production, returning a plain-text schema diff (SQL statements) that can be reviewed or applied as a migration. Use this to preview schema changes made on a development branch before merging. By default uses the Migra diffing engine; set pgdelta to true to use pg-delta instead. Optionally restrict the diff to specific schemas.
branch_id_or_refstringrequiredThe 20-character branch reference (lowercase letters, same format as a project ref) or, for legacy branches, the branch UUID. Found in the Supabase dashboard for the branch you want to diff.included_schemasstringoptionalComma-separated list of Postgres schema names to include in the diff (e.g. "public,auth"). If omitted, the API's default schema selection is used.pgdeltabooleanoptionalWhen true, use pg-delta instead of Migra to compute the schema diff. Defaults to false (Migra).supabase_disable_preview_branching#Disable preview (database) branching for a Supabase project. Requires the project ref. This deletes all existing branches for the project and turns off the branching feature; it cannot be undone from this call. Returns 200 with no meaningful body on success.1 param
Disable preview (database) branching for a Supabase project. Requires the project ref. This deletes all existing branches for the project and turns off the branching feature; it cannot be undone from this call. Returns 200 with no meaningful body on success.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_disable_readonly_mode_temporarily#Temporarily disable a Supabase project's database readonly mode for the next 15 minutes. Readonly mode is normally enabled automatically when a project approaches its disk space limit to prevent disk-full errors; disabling it allows write operations to resume so you can free up space (e.g., run DELETE/VACUUM) or complete an upgrade. The override automatically expires after 15 minutes and readonly mode is re-enabled if the underlying disk-space condition still applies — writes performed while temporarily unlocked can worsen a disk-full condition, so free up space quickly during the window.1 param
Temporarily disable a Supabase project's database readonly mode for the next 15 minutes. Readonly mode is normally enabled automatically when a project approaches its disk space limit to prevent disk-full errors; disabling it allows write operations to resume so you can free up space (e.g., run DELETE/VACUUM) or complete an upgrade. The override automatically expires after 15 minutes and readonly mode is re-enabled if the underlying disk-space condition still applies — writes performed while temporarily unlocked can worsen a disk-full condition, so free up space quickly during the window.
refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.supabase_generate_typescript_types#Generate TypeScript type definitions for a Supabase project's database schema, for use with supabase-js. Requires the project ref; optionally scope generation to specific comma-separated schemas (defaults to public). The response is a JSON object with a single 'types' field containing the generated TypeScript source as a string — it is not a general-purpose JSON object with typed fields.2 params
Generate TypeScript type definitions for a Supabase project's database schema, for use with supabase-js. Requires the project ref; optionally scope generation to specific comma-separated schemas (defaults to public). The response is a JSON object with a single 'types' field containing the generated TypeScript source as a string — it is not a general-purpose JSON object with typed fields.
refstringrequiredProject reference ID (the 20-character lowercase project ref shown in the Supabase dashboard URL).included_schemasstringoptionalComma-separated list of database schemas to include when generating types. Example: public,auth. Defaults to public.supabase_get_action_run#Get the current status of a Supabase Environments action run (the automated clone/pull/health/configure/migrate/seed/deploy pipeline used to spin up a preview branch). Returns the run's id, branch_id, per-step run_steps array (name, status, timestamps), workdir, check_run_id, and created_at/updated_at.2 params
Get the current status of a Supabase Environments action run (the automated clone/pull/health/configure/migrate/seed/deploy pipeline used to spin up a preview branch). Returns the run's id, branch_id, per-step run_steps array (name, status, timestamps), workdir, check_run_id, and created_at/updated_at.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.run_idstringrequiredThe unique ID of the action run to look up, as returned by list_action_runs or when a branch action was triggered.supabase_get_action_run_logs#Get the plain-text logs produced by a Supabase Environments action run (the clone/pull/health/configure/migrate/seed/deploy pipeline used to spin up a preview branch). Useful for diagnosing why a branch action step failed. Returns the raw log output as text, not JSON.2 params
Get the plain-text logs produced by a Supabase Environments action run (the clone/pull/health/configure/migrate/seed/deploy pipeline used to spin up a preview branch). Useful for diagnosing why a branch action step failed. Returns the raw log output as text, not JSON.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.run_idstringrequiredThe unique ID of the action run whose logs you want to retrieve, as returned by list_action_runs or get_action_run.supabase_get_auth_service_config#Get a project's Auth (GoTrue) service configuration. Returns a large object describing signup restrictions, external OAuth provider settings (Apple, Azure, Bitbucket, Google, etc.), SMTP/email settings, rate limits, session settings, and more. Requires only the project ref.1 param
Get a project's Auth (GoTrue) service configuration. Returns a large object describing signup restrictions, external OAuth provider settings (Apple, Azure, Bitbucket, Google, etc.), SMTP/email settings, rate limits, session settings, and more. Requires only the project ref.
refstringrequiredThe Supabase project reference ID, a 20-character lowercase string that identifies the project. Found in the project URL or Project Settings.supabase_get_available_regions#[Beta] Get the list of regions available for creating a new Supabase project under an organization, along with recommended regions. Optionally narrow recommendations by continent and desired compute instance size. Returns a recommendations object (a smartGroup and specific regions) and an all object listing every available region grouped the same way.3 params
[Beta] Get the list of regions available for creating a new Supabase project under an organization, along with recommended regions. Optionally narrow recommendations by continent and desired compute instance size. Returns a recommendations object (a smartGroup and specific regions) and an all object listing every available region grouped the same way.
organization_slugstringrequiredThe organization's slug identifier, as shown in the Supabase dashboard URL (e.g. app.supabase.com/org/<slug>).continentstringoptionalContinent code used to bias region recommendations. One of NA (North America), SA (South America), EU (Europe), AF (Africa), AS (Asia), OC (Oceania), AN (Antarctica).desired_instance_sizestringoptionalDesired compute instance size, used to filter regions that support it. Omit to default to the smallest possible size. One of nano, micro, small, medium, large, xlarge, 2xlarge, 4xlarge, 8xlarge, 12xlarge, 16xlarge, 24xlarge, 24xlarge_optimized_memory, 24xlarge_optimized_cpu, 24xlarge_high_memory, 48xlarge, 48xlarge_optimized_memory, 48xlarge_optimized_cpu, 48xlarge_high_memory.supabase_get_backup_schedule#Get the daily backup schedule configured for a Supabase project. Requires only the project ref. Returns schedule_for (the UTC time of day backups run, in HH:MM:SS format) and updated_at (when the schedule was last changed). Only available on the Enterprise organization plan.1 param
Get the daily backup schedule configured for a Supabase project. Requires only the project ref. Returns schedule_for (the UTC time of day backups run, in HH:MM:SS format) and updated_at (when the schedule was last changed). Only available on the Enterprise organization plan.
refstringrequiredProject reference ID (the 20-character lowercase project ref shown in the Supabase dashboard URL).supabase_get_branch#Fetch a specific database branch of a Supabase project by its name. Returns the branch's id, project_ref, git_branch, persistent flag, status, timestamps, and related metadata.2 params
Fetch a specific database branch of a Supabase project by its name. Returns the branch's id, project_ref, git_branch, persistent flag, status, timestamps, and related metadata.
namestringrequiredName of the branch to retrieve, e.g. 'preview-login-page'.refstringrequiredProject reference ID (20-character lowercase string) that owns the branch.supabase_get_branch_config#Fetch the configuration of a Supabase database branch, including its Postgres version/engine, release channel, status, and database connection details (db_host, db_port, db_user, db_pass, jwt_secret). Note: the response includes sensitive credentials — handle it securely.1 param
Fetch the configuration of a Supabase database branch, including its Postgres version/engine, release channel, status, and database connection details (db_host, db_port, db_user, db_pass, jwt_secret). Note: the response includes sensitive credentials — handle it securely.
branch_id_or_refstringrequiredBranch reference (20-character lowercase string) or the deprecated branch UUID.supabase_get_database_metadata#Get database metadata for a Supabase project, listing each database and its schemas by name. Requires only the project ref. Returns a 'databases' array, where each entry has a name and a nested 'schemas' array of schema names. Note: this is an experimental, deprecated endpoint that may change or be removed in future API versions — use with caution.1 param
Get database metadata for a Supabase project, listing each database and its schemas by name. Requires only the project ref. Returns a 'databases' array, where each entry has a name and a nested 'schemas' array of schema names. Note: this is an experimental, deprecated endpoint that may change or be removed in future API versions — use with caution.
refstringrequiredProject reference ID (the 20-character lowercase project ref shown in the Supabase dashboard URL).supabase_get_database_openapi#Get the auto-generated PostgREST OpenAPI specification for a Supabase project's database — the same specification served by the project's /rest/v1/ endpoint, useful for discovering available tables, columns, and REST operations without querying the project directly. Requires the project ref; optionally scope to a specific database schema (defaults to public). Returns the raw OpenAPI specification as a JSON object.2 params
Get the auto-generated PostgREST OpenAPI specification for a Supabase project's database — the same specification served by the project's /rest/v1/ endpoint, useful for discovering available tables, columns, and REST operations without querying the project directly. Requires the project ref; optionally scope to a specific database schema (defaults to public). Returns the raw OpenAPI specification as a JSON object.
refstringrequiredProject reference ID (the 20-character lowercase project ref shown in the Supabase dashboard URL).schemastringoptionalThe database schema to generate the PostgREST OpenAPI spec for. Defaults to public.supabase_get_function#Retrieve metadata for a specific Supabase Edge Function by slug, including its status, version, verify_jwt setting, and entrypoint/import-map paths. Does not include the function's source code; use get_function_body for that. Requires the project ref and function slug.2 params
Retrieve metadata for a specific Supabase Edge Function by slug, including its status, version, verify_jwt setting, and entrypoint/import-map paths. Does not include the function's source code; use get_function_body for that. Requires the project ref and function slug.
function_slugstringrequiredSlug (identifier) of the Edge Function to retrieve, e.g. 'hello-world'. Alphanumeric characters, underscores, and hyphens only.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_function_body#Retrieve the raw Deno/TypeScript source code (the deployed bundle contents) of a specific Supabase Edge Function by slug. Returns the function body as plain text, not JSON. Requires the project ref and function slug.2 params
Retrieve the raw Deno/TypeScript source code (the deployed bundle contents) of a specific Supabase Edge Function by slug. Returns the function body as plain text, not JSON. Requires the project ref and function slug.
function_slugstringrequiredSlug (identifier) of the Edge Function whose source code you want, e.g. 'hello-world'. Alphanumeric characters, underscores, and hyphens only.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_hostname_config#[Beta] Get a Supabase project's custom hostname configuration, including the current status (e.g. not_started, initiated, challenge_verified, origin_setup_completed, services_reconfigured), the configured custom_hostname, and Cloudflare-backed SSL/verification detail. Requires only the project ref.1 param
[Beta] Get a Supabase project's custom hostname configuration, including the current status (e.g. not_started, initiated, challenge_verified, origin_setup_completed, services_reconfigured), the configured custom_hostname, and Cloudflare-backed SSL/verification detail. Requires only the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_jit_access#Get the user-id to role mappings for just-in-time (JIT) database access on a Supabase project. Returns the list of users who have been authorized to assume specific Postgres roles, including per-role expiry and network restrictions. Requires the project ref.1 param
Get the user-id to role mappings for just-in-time (JIT) database access on a Supabase project. Returns the list of users who have been authorized to assume specific Postgres roles, including per-role expiry and network restrictions. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_jit_access_config#[Beta] Get a Supabase project's temporary (just-in-time) access configuration. Returns whether JIT access is enabled or disabled for the project, or an unavailable state with a reason (e.g., postgres_upgrade_required, temporarily_unavailable). Requires the project ref.1 param
[Beta] Get a Supabase project's temporary (just-in-time) access configuration. Returns whether JIT access is enabled or disabled for the project, or an unavailable state with a reason (e.g., postgres_upgrade_required, temporarily_unavailable). Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_migration#Fetch an existing entry from a Supabase project's database migration history by version. Returns the migration version, name, SQL statements, rollback statements, creator, and idempotency key. Note: this endpoint is only available to selected partner OAuth apps and may return a 403 for other apps. Requires the project ref and migration version.2 params
Fetch an existing entry from a Supabase project's database migration history by version. Returns the migration version, name, SQL statements, rollback statements, creator, and idempotency key. Note: this endpoint is only available to selected partner OAuth apps and may return a 403 for other apps. Requires the project ref and migration version.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.versionstringrequiredThe migration version identifier, typically a numeric timestamp (e.g., 20250312000000) matching the migration filename prefix.supabase_get_network_restrictions#[Beta] Get a Supabase project's network restrictions (database firewall allow-list). Returns entitlement (whether restrictions are allowed on this plan), config (the currently requested dbAllowedCidrs / dbAllowedCidrsV6 CIDR lists), old_config (the previously applied config, if a newer one is pending), status (stored or applied), and timestamps. Requires the project ref.1 param
[Beta] Get a Supabase project's network restrictions (database firewall allow-list). Returns entitlement (whether restrictions are allowed on this plan), config (the currently requested dbAllowedCidrs / dbAllowedCidrsV6 CIDR lists), old_config (the previously applied config, if a newer one is pending), status (stored or applied), and timestamps. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_organization#Get information about a Supabase organization by its slug. Returns the organization's id, name, plan, opt-in tags, and allowed release channels.1 param
Get information about a Supabase organization by its slug. Returns the organization's id, name, plan, opt-in tags, and allowed release channels.
slugstringrequiredSlug (identifier) of the organization to look up, e.g. 'tsrqponmlkjihgfedcba'.supabase_get_organization_entitlements#Get the feature entitlements available to a Supabase organization based on its billing plan and any account-specific overrides. Returns an array of entitlement objects, each describing a feature key (e.g. instances.high_availability, auth.saml_2, branching_limit), its type (boolean, numeric, or set), whether the organization hasAccess to it, and its config/limits.1 param
Get the feature entitlements available to a Supabase organization based on its billing plan and any account-specific overrides. Returns an array of entitlement objects, each describing a feature key (e.g. instances.high_availability, auth.saml_2, branching_limit), its type (boolean, numeric, or set), whether the organization hasAccess to it, and its config/limits.
slugstringrequiredThe organization's slug identifier, as shown in the Supabase dashboard URL (e.g. app.supabase.com/org/<slug>).supabase_get_performance_advisors#Get Supabase's automated performance advisor lints for a project, such as unindexed foreign keys, unused indexes, or duplicate indexes. Returns an object with a lints array; each lint includes name, title, level (ERROR/WARN/INFO), categories, description, detail, remediation, and metadata. Note: this is an experimental Supabase endpoint and may change or be removed in future API versions.1 param
Get Supabase's automated performance advisor lints for a project, such as unindexed foreign keys, unused indexes, or duplicate indexes. Returns an object with a lints array; each lint includes name, title, level (ERROR/WARN/INFO), categories, description, detail, remediation, and metadata. Note: this is an experimental Supabase endpoint and may change or be removed in future API versions.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_pgsodium_config#[Beta] Get the pgsodium encryption configuration for a Supabase project. Returns the project's root_key used by pgsodium for column-level and vault encryption. Requires the project ref.1 param
[Beta] Get the pgsodium encryption configuration for a Supabase project. Returns the project's root_key used by pgsodium for column-level and vault encryption. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_pooler_config#Get a Supabase project's connection pooler (Supavisor) configuration. Returns an array of pooler config objects, each including identifier, database_type (PRIMARY or READ_REPLICA), db_user, db_host, db_port, db_name, connection_string, pool_mode (transaction or session), default_pool_size, and max_client_conn. Requires the project ref.1 param
Get a Supabase project's connection pooler (Supavisor) configuration. Returns an array of pooler config objects, each including identifier, database_type (PRIMARY or READ_REPLICA), db_user, db_host, db_port, db_name, connection_string, pool_mode (transaction or session), default_pool_size, and max_client_conn. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_postgres_config#Get a Supabase project's Postgres database configuration. Returns the current values of tunable Postgres settings such as max_connections, max_wal_size, effective_cache_size, maintenance_work_mem, session_replication_role, statement timeouts, and logging options. Requires the project ref.1 param
Get a Supabase project's Postgres database configuration. Returns the current values of tunable Postgres settings such as max_connections, max_wal_size, effective_cache_size, maintenance_work_mem, session_replication_role, statement timeouts, and logging options. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_postgres_upgrade_eligibility#[Beta] Check whether a Supabase project is eligible to upgrade its Postgres version. Returns eligible (boolean), current_app_version, current_app_version_release_channel, latest_app_version, an array of target_upgrade_versions (each with postgres_version, release_channel, app_version), duration_estimate_hours, and any validation_errors blocking the upgrade. Requires the project ref.1 param
[Beta] Check whether a Supabase project is eligible to upgrade its Postgres version. Returns eligible (boolean), current_app_version, current_app_version_release_channel, latest_app_version, an array of target_upgrade_versions (each with postgres_version, release_channel, app_version), duration_estimate_hours, and any validation_errors blocking the upgrade. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_postgres_upgrade_status#[Beta] Get the latest status of a Supabase project's Postgres upgrade. Returns a databaseUpgradeStatus object (null if no upgrade has been initiated) with initiated_at, latest_status_at, target_version, status, progress (e.g. 0_requested through 10_completed_post_physical_backup), and error (if the upgrade failed). Requires the project ref; optionally scope the lookup to a specific tracking_id.2 params
[Beta] Get the latest status of a Supabase project's Postgres upgrade. Returns a databaseUpgradeStatus object (null if no upgrade has been initiated) with initiated_at, latest_status_at, target_version, status, progress (e.g. 0_requested through 10_completed_post_physical_backup), and error (if the upgrade failed). Requires the project ref; optionally scope the lookup to a specific tracking_id.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.tracking_idstringoptionalOptional tracking ID returned when the upgrade was initiated, used to look up the status of that specific upgrade attempt. Example: 9f4d3a20-6b2e-4a7e-8c91-1d5f3e7a2b4c.supabase_get_postgrest_service_config#Get a Supabase project's PostgREST (Data API) service configuration, identified by its project ref. Returns db_schema, max_rows, db_extra_search_path, db_pool, db_pool_acquisition_timeout, and the PostgREST jwt_secret.1 param
Get a Supabase project's PostgREST (Data API) service configuration, identified by its project ref. Returns db_schema, max_rows, db_extra_search_path, db_pool, db_pool_acquisition_timeout, and the PostgREST jwt_secret.
refstringrequiredThe project ref to fetch the PostgREST config for. A 20-character lowercase string that uniquely identifies a Supabase project. Example: 'abcdefghijklmnopqrst'.supabase_get_project#Get a specific Supabase project that belongs to the authenticated user or organization, identified by its project ref. Returns the project's id, ref, organization details, name, region, status, and database connection info.1 param
Get a specific Supabase project that belongs to the authenticated user or organization, identified by its project ref. Returns the project's id, ref, organization details, name, region, status, and database connection info.
refstringrequiredThe project ref to fetch. A 20-character lowercase string that uniquely identifies a Supabase project. Example: 'abcdefghijklmnopqrst'.supabase_get_project_api_key#Get a single Supabase project API key by its ID, identified by the project ref and key ID (UUID). Set reveal=true to include the plaintext key value in the response — otherwise only metadata is returned.3 params
Get a single Supabase project API key by its ID, identified by the project ref and key ID (UUID). Set reveal=true to include the plaintext key value in the response — otherwise only metadata is returned.
idstringrequiredThe UUID of the API key to fetch.refstringrequiredThe project ref the API key belongs to. A 20-character lowercase string that uniquely identifies a Supabase project. Example: 'abcdefghijklmnopqrst'.revealbooleanoptionalWhether to include the plaintext API key value in the response. Defaults to false.supabase_get_project_api_keys#Retrieve all API keys (legacy, publishable, and secret) configured for a Supabase project. By default secret values are redacted; set reveal to true to include the actual key values (hash/api_key) in the response. Returns an array of API key objects with id, type, name, description, prefix, and timestamps.2 params
Retrieve all API keys (legacy, publishable, and secret) configured for a Supabase project. By default secret values are redacted; set reveal to true to include the actual key values (hash/api_key) in the response. Returns an array of API key objects with id, type, name, description, prefix, and timestamps.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.revealbooleanoptionalWhether to reveal the actual secret values of the API keys (hash, api_key) in the response. Defaults to false (redacted) when omitted.supabase_get_project_logs#Query a project's unified log stream (edge_logs, postgres_logs, etc.) using ClickHouse SQL. Returns an object with a "result" array of matching log rows and an optional "error" field. If iso_timestamp_start and iso_timestamp_end are omitted, only the last 1 minute of logs is queried. The timestamp range must not exceed 24 hours.4 params
Query a project's unified log stream (edge_logs, postgres_logs, etc.) using ClickHouse SQL. Returns an object with a "result" array of matching log rows and an optional "error" field. If iso_timestamp_start and iso_timestamp_end are omitted, only the last 1 minute of logs is queried. The timestamp range must not exceed 24 hours.
refstringrequiredThe Supabase project reference ID, a 20-character lowercase string that identifies the project. Found in the project URL or Project Settings.iso_timestamp_endstringoptionalEnd of the time range to query, as an ISO 8601 timestamp. Must be paired with iso_timestamp_start and the range must not exceed 24 hours.iso_timestamp_startstringoptionalStart of the time range to query, as an ISO 8601 timestamp. Must be paired with iso_timestamp_end and the range must not exceed 24 hours.sqlstringoptionalA custom SQL query written in ClickHouse SQL dialect to execute against the log stream. Filter by the "source" column to target specific log sources such as edge_logs or postgres_logs.supabase_get_project_signing_keys#List all JWT signing keys for a project. Returns an object with a "keys" array; each entry has id, algorithm (EdDSA, ES256, RS256, or HS256), status (in_use, previously_used, revoked, or standby), public_jwk, created_at, and updated_at. Requires only the project ref.1 param
List all JWT signing keys for a project. Returns an object with a "keys" array; each entry has id, algorithm (EdDSA, ES256, RS256, or HS256), status (in_use, previously_used, revoked, or standby), public_jwk, created_at, and updated_at. Requires only the project ref.
refstringrequiredThe Supabase project reference ID, a 20-character lowercase string that identifies the project. Found in the project URL or Project Settings.supabase_get_project_tpa_integration#Get details of a single third-party auth (TPA) integration configured for a project, identified by its integration ID. Returns an object with id, type, oidc_issuer_url, jwks_url, custom_jwks, resolved_jwks, inserted_at, updated_at, and resolved_at.2 params
Get details of a single third-party auth (TPA) integration configured for a project, identified by its integration ID. Returns an object with id, type, oidc_issuer_url, jwks_url, custom_jwks, resolved_jwks, inserted_at, updated_at, and resolved_at.
refstringrequiredThe Supabase project reference ID, a 20-character lowercase string that identifies the project. Found in the project URL or Project Settings.tpa_idstringrequiredThe unique ID (UUID) of the third-party auth integration to retrieve.supabase_get_projects_for_organization#Get a paginated list of Supabase projects belonging to a specific organization, identified by its slug. Supports offset-based pagination (offset/limit), text search by project name, sorting, and filtering by project status. Returns an object with a 'projects' array (each including ref, name, region, status, and databases) and pagination metadata.6 params
Get a paginated list of Supabase projects belonging to a specific organization, identified by its slug. Supports offset-based pagination (offset/limit), text search by project name, sorting, and filtering by project status. Returns an object with a 'projects' array (each including ref, name, region, status, and databases) and pagination metadata.
slugstringrequiredSlug of the organization whose projects to list. Example: 'tsrqponmlkjihgfedcba'.limitintegeroptionalNumber of projects to return per page. Between 1 and 100. Defaults to 100.offsetintegeroptionalNumber of projects to skip for pagination. Defaults to 0.searchstringoptionalSearch projects by name (case-insensitive substring match).sortstringoptionalSort order for the returned projects. One of: name_asc, name_desc, created_asc, created_desc. Defaults to name_asc.statusesstringoptionalComma-separated list of project statuses to filter by, e.g. 'ACTIVE_HEALTHY,INACTIVE'. Supported values include ACTIVE_HEALTHY and INACTIVE.supabase_get_readonly_mode_status#Return a Supabase project's readonly mode status. Indicates whether readonly mode is currently enabled, whether a temporary override is active, and the timestamp until which the override remains active. Requires the project ref.1 param
Return a Supabase project's readonly mode status. Indicates whether readonly mode is currently enabled, whether a temporary override is active, and the timestamp until which the override remains active. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_restore_point#Get restore points created for a Supabase project's database. Returns the restore point's name, status (AVAILABLE, PENDING, REMOVED, or FAILED), and completion timestamp. Optionally filter by restore point name. Requires the project ref.2 params
Get restore points created for a Supabase project's database. Returns the restore point's name, status (AVAILABLE, PENDING, REMOVED, or FAILED), and completion timestamp. Optionally filter by restore point name. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.namestringoptionalOptional name of a specific restore point to look up. Maximum 20 characters. If omitted, the most recent restore point information is returned.supabase_get_security_advisors#Get Supabase's automated security advisor lints for a project, such as exposed auth.users tables, RLS misconfigurations, or leaked service keys. Returns an object with a lints array; each lint includes name, title, level (ERROR/WARN/INFO), categories, description, detail, remediation, and metadata. Note: this is an experimental Supabase endpoint and may change or be removed in future API versions.2 params
Get Supabase's automated security advisor lints for a project, such as exposed auth.users tables, RLS misconfigurations, or leaked service keys. Returns an object with a lints array; each lint includes name, title, level (ERROR/WARN/INFO), categories, description, detail, remediation, and metadata. Note: this is an experimental Supabase endpoint and may change or be removed in future API versions.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.lint_typestringoptionalOptional filter restricting results to a specific lint type. Currently only 'sql' is supported.supabase_get_services_health#Get the health status of one or more of a Supabase project's services. Returns an array of service health objects, each with name (auth, db, db_postgres_user, pooler, realtime, rest, storage, or pg_bouncer), status (COMING_UP, ACTIVE_HEALTHY, or UNHEALTHY), an info object with service-specific details, and an error message if unhealthy. Requires the project ref and the list of services to check.3 params
Get the health status of one or more of a Supabase project's services. Returns an array of service health objects, each with name (auth, db, db_postgres_user, pooler, realtime, rest, storage, or pg_bouncer), status (COMING_UP, ACTIVE_HEALTHY, or UNHEALTHY), an info object with service-specific details, and an error message if unhealthy. Requires the project ref and the list of services to check.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.servicesarrayrequiredArray of service names to check the health of. Each entry must be one of: auth, db, db_postgres_user, pooler, realtime, rest, storage, pg_bouncer. Example: ["auth", "rest"].timeout_msintegeroptionalOptional timeout in milliseconds for each service health check, between 0 and 10000. Example: 2000.supabase_get_snippet#Get a specific saved SQL snippet by its ID. Returns the snippet's metadata (name, description, visibility, owner, project) and its SQL content. Requires the snippet's UUID.1 param
Get a specific saved SQL snippet by its ID. Returns the snippet's metadata (name, description, visibility, owner, project) and its SQL content. Requires the snippet's UUID.
idstringrequiredThe UUID of the SQL snippet to retrieve, as shown in the Supabase SQL Editor URL or returned by list_snippets.supabase_get_ssl_enforcement_config#[Beta] Get a Supabase project's SSL enforcement configuration. Returns the current configuration, including whether SSL is enforced for direct database connections, and whether the configuration was applied successfully. Requires the project ref.1 param
[Beta] Get a Supabase project's SSL enforcement configuration. Returns the current configuration, including whether SSL is enforced for direct database connections, and whether the configuration was applied successfully. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_sso_provider#Retrieve a single SAML SSO provider configured for a Supabase project, identified by its UUID. Returns the provider's id, SAML configuration (entity_id, metadata_url, metadata_xml, attribute_mapping, name_id_format), associated domains, and timestamps.2 params
Retrieve a single SAML SSO provider configured for a Supabase project, identified by its UUID. Returns the provider's id, SAML configuration (entity_id, metadata_url, metadata_xml, attribute_mapping, name_id_format), associated domains, and timestamps.
provider_idstringrequiredThe UUID of the SSO provider to retrieve.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_get_vanity_subdomain_config#[Beta] Get the current vanity subdomain configuration for a Supabase project. Only available on the Pro, Team, or Enterprise organization plan. Requires only the project ref. Returns a status (not-used, custom-domain-used, or active) and the custom_domain if one is configured.1 param
[Beta] Get the current vanity subdomain configuration for a Supabase project. Only available on the Pro, Team, or Enterprise organization plan. Requires only the project ref. Returns a status (not-used, custom-domain-used, or active) and the custom_domain if one is configured.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_action_runs#List all Supabase Environments action runs for a project, paginated with offset/limit. Each run represents an automated clone/pull/health/configure/migrate/seed/deploy pipeline execution (e.g. for a preview branch). Returns an array of run objects with id, branch_id, run_steps, workdir, check_run_id, and timestamps.3 params
List all Supabase Environments action runs for a project, paginated with offset/limit. Each run represents an automated clone/pull/health/configure/migrate/seed/deploy pipeline execution (e.g. for a preview branch). Returns an array of run objects with id, branch_id, run_steps, workdir, check_run_id, and timestamps.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.limitnumberoptionalMaximum number of action runs to return per page. KNOWN LIMITATION: Supabase's endpoint requires this as a literal JSON number and does not coerce query-string values, so passing any value here (of any type) currently causes a 400 from Supabase. Omit this field; the API returns all runs without it.offsetnumberoptionalNumber of action runs to skip before starting to return results, for pagination. KNOWN LIMITATION: Supabase's endpoint requires this as a literal JSON number and does not coerce query-string values, so passing any value here (of any type) currently causes a 400 from Supabase. Omit this field; the API returns all runs without it.supabase_list_available_restore_versions#List the Postgres versions available to restore a Supabase project to. Returns an available_versions array, each entry with version, release_channel (internal, alpha, beta, ga, withdrawn, or preview), and postgres_engine (13, 14, 15, 17, or 17-oriole). Requires the project ref.1 param
List the Postgres versions available to restore a Supabase project to. Returns an available_versions array, each entry with version, release_channel (internal, alpha, beta, ga, withdrawn, or preview), and postgres_engine (13, 14, 15, 17, or 17-oriole). Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_backups#List all backups for a Supabase project's database. Returns the backup region, whether WAL-G and point-in-time recovery (PITR) are enabled, an array of backup objects (id, is_physical_backup, status, inserted_at), and physical backup date range data. Requires the project ref.1 param
List all backups for a Supabase project's database. Returns the backup region, whether WAL-G and point-in-time recovery (PITR) are enabled, an array of backup objects (id, is_physical_backup, status, inserted_at), and physical backup date range data. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_branches#List all database branches for a Supabase project. Returns an array of branch objects, each including id, name, project_ref, git_branch, persistent flag, status, and timestamps.1 param
List all database branches for a Supabase project. Returns an array of branch objects, each including id, name, project_ref, git_branch, persistent flag, status, and timestamps.
refstringrequiredProject reference ID (20-character lowercase string) whose branches to list.supabase_list_buckets#List all Supabase Storage buckets for a project. Returns an array of bucket objects with id, name, owner, public flag, created_at, and updated_at.1 param
List all Supabase Storage buckets for a project. Returns an array of bucket objects with id, name, owner, public flag, created_at, and updated_at.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_functions#List all Edge Functions previously deployed to a Supabase project. Returns an array of function objects including id, slug, name, status, version, and timestamps. Requires only the project ref.1 param
List all Edge Functions previously deployed to a Supabase project. Returns an array of function objects including id, slug, name, status, version, and timestamps. Requires only the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_migration_history#List the versions and names of database migrations that have already been applied to a Supabase project, in the order they were recorded. Note: this endpoint is only available to selected partner OAuth apps and may return a 403 for other apps. Requires the project ref.1 param
List the versions and names of database migrations that have already been applied to a Supabase project, in the order they were recorded. Note: this endpoint is only available to selected partner OAuth apps and may return a 403 for other apps. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_network_bans#[Beta] Get a Supabase project's network bans (IP addresses temporarily blocked, typically after repeated failed authentication attempts). Returns banned_ipv4_addresses, an array of banned IP address strings. Requires the project ref. Takes no request body.1 param
[Beta] Get a Supabase project's network bans (IP addresses temporarily blocked, typically after repeated failed authentication attempts). Returns banned_ipv4_addresses, an array of banned IP address strings. Requires the project ref. Takes no request body.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_network_bans_enriched#[Beta] Get a Supabase project's network bans enriched with additional information about which databases each ban affects. Returns banned_ipv4_addresses, an array of objects each with banned_address, identifier, and type. Requires the project ref. Takes no request body.1 param
[Beta] Get a Supabase project's network bans enriched with additional information about which databases each ban affects. Returns banned_ipv4_addresses, an array of objects each with banned_address, identifier, and type. Requires the project ref. Takes no request body.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_organization_members#List all members of a Supabase organization. Returns an array of member objects with user_id, user_name, email, role_name, mfa_enabled, and avatar_url.1 param
List all members of a Supabase organization. Returns an array of member objects with user_id, user_name, email, role_name, mfa_enabled, and avatar_url.
slugstringrequiredThe organization's slug identifier, as shown in the Supabase dashboard URL (e.g. app.supabase.com/org/<slug>).supabase_list_organizations#List all Supabase organizations that the authenticated user currently belongs to. Returns an array of organization objects, each including id, slug, and name. Takes no parameters.0 params
List all Supabase organizations that the authenticated user currently belongs to. Returns an array of organization objects, each including id, slug, and name. Takes no parameters.
supabase_list_project_tpa_integrations#List all third-party auth (TPA) integrations configured for a project. Returns an array of objects, each with id, type, oidc_issuer_url, jwks_url, custom_jwks, resolved_jwks, inserted_at, updated_at, and resolved_at. Requires only the project ref.1 param
List all third-party auth (TPA) integrations configured for a project. Returns an array of objects, each with id, type, oidc_issuer_url, jwks_url, custom_jwks, resolved_jwks, inserted_at, updated_at, and resolved_at. Requires only the project ref.
refstringrequiredThe Supabase project reference ID, a 20-character lowercase string that identifies the project. Found in the project URL or Project Settings.supabase_list_projects#List all Supabase projects accessible to the authenticated user or organization. Returns an array of project objects, each including id, organization_id, name, region, created_at, status, and a database object with the project's Postgres host. Takes no parameters.0 params
List all Supabase projects accessible to the authenticated user or organization. Returns an array of project objects, each including id, organization_id, name, region, created_at, status, and a database object with the project's Postgres host. Takes no parameters.
supabase_list_secrets#Return all secrets (Edge Function environment variables) previously added to the specified Supabase project. Returns an array of secret objects, each including name, value, and updated_at.1 param
Return all secrets (Edge Function environment variables) previously added to the specified Supabase project. Returns an array of secret objects, each including name, value, and updated_at.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_list_snippets#List saved SQL snippets (SQL Editor queries) for the currently authenticated user, optionally filtered to a single project. Supports cursor-based pagination and sorting. Returns an array of snippet summaries (id, name, description, owner, project, timestamps).5 params
List saved SQL snippets (SQL Editor queries) for the currently authenticated user, optionally filtered to a single project. Supports cursor-based pagination and sorting. Returns an array of snippet summaries (id, name, description, owner, project, timestamps).
cursorstringoptionalOpaque pagination cursor from a previous response, used to fetch the next page of results.limitstringoptionalMaximum number of snippets to return per page. Between 1 and 100.project_refstringoptionalThe 20-character project reference ID to filter snippets to. If omitted, snippets across all accessible projects are returned.sort_bystringoptionalField to sort results by: 'name' or 'inserted_at'.sort_orderstringoptionalSort direction to apply to sort_by: 'asc' or 'desc'.supabase_list_sso_provider#List all SSO (SAML 2.0) identity providers configured for a project. Returns an object with an "items" array; each entry includes id and a nested saml object with entity_id, metadata_url, metadata_xml, attribute_mapping, and name_id_format. Requires only the project ref. Returns a 404 if SAML 2.0 support is not enabled for the project.1 param
List all SSO (SAML 2.0) identity providers configured for a project. Returns an object with an "items" array; each entry includes id and a nested saml object with entity_id, metadata_url, metadata_xml, attribute_mapping, and name_id_format. Requires only the project ref. Returns a 404 if SAML 2.0 support is not enabled for the project.
refstringrequiredThe Supabase project reference ID, a 20-character lowercase string that identifies the project. Found in the project URL or Project Settings.supabase_merge_branch#Merge a Supabase database branch's migrations and edge functions into its parent (production) branch. Requires branch_id_or_ref. Optionally specify migration_version to merge up to a specific migration only; if omitted, all pending migrations are merged. This changes the production database schema and cannot be undone from this call. Returns a workflow_run_id to track progress and a message field with value 'ok'.2 params
Merge a Supabase database branch's migrations and edge functions into its parent (production) branch. Requires branch_id_or_ref. Optionally specify migration_version to merge up to a specific migration only; if omitted, all pending migrations are merged. This changes the production database schema and cannot be undone from this call. Returns a workflow_run_id to track progress and a message field with value 'ok'.
branch_id_or_refstringrequiredThe branch's project ref (20-character lowercase string) or the deprecated UUID branch ID.migration_versionstringoptionalOptional migration version timestamp (e.g. '20250312000000') to merge up to. If omitted, all pending migrations on the branch are merged into the parent branch.supabase_patch_migration#Patch an existing entry in a Supabase project's database migration history, identified by its version. Lets you update the recorded migration name and/or its rollback SQL without re-running the migration. Note: this endpoint is only available to selected partner OAuth apps — if your OAuth app doesn't have this permission, the API will reject the request.4 params
Patch an existing entry in a Supabase project's database migration history, identified by its version. Lets you update the recorded migration name and/or its rollback SQL without re-running the migration. Note: this endpoint is only available to selected partner OAuth apps — if your OAuth app doesn't have this permission, the API will reject the request.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.versionstringrequiredThe version identifier of the migration history entry to patch, as a numeric timestamp string.namestringoptionalNew name to record for this migration history entry. Pass null or omit to leave the existing name unchanged.rollbackstringoptionalNew rollback SQL statement to record for this migration history entry. Pass null or omit to leave the existing rollback SQL unchanged.supabase_patch_network_restrictions#[Alpha] Update a Supabase project's network restrictions (database firewall allow-list) by adding or removing CIDR ranges. Provide add_ipv4/add_ipv6 to append CIDRs to the allow-list, and remove_ipv4/remove_ipv6 to remove them. At least one of these should be provided. Returns the updated network restrictions configuration. Requires the project ref.5 params
[Alpha] Update a Supabase project's network restrictions (database firewall allow-list) by adding or removing CIDR ranges. Provide add_ipv4/add_ipv6 to append CIDRs to the allow-list, and remove_ipv4/remove_ipv6 to remove them. At least one of these should be provided. Returns the updated network restrictions configuration. Requires the project ref.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.add_ipv4arrayoptionalArray of IPv4 CIDR ranges to add to the database allow-list. Example: ["203.0.113.0/24"].add_ipv6arrayoptionalArray of IPv6 CIDR ranges to add to the database allow-list. Example: ["2001:db8::/32"].remove_ipv4arrayoptionalArray of IPv4 CIDR ranges to remove from the database allow-list. Example: ["198.51.100.0/24"].remove_ipv6arrayoptionalArray of IPv6 CIDR ranges to remove from the database allow-list. Example: ["2001:db8:1::/48"].supabase_pause_project#[DESTRUCTIVE] Pause a Supabase project. Pausing stops the project's Postgres database and all associated services (API, Auth, Storage, Realtime, Edge Functions), making the project completely inaccessible to end users and client applications until it is restored. Existing data is preserved while paused, but all active database connections are dropped immediately and any application relying on this project will start failing requests right away. Requires the project ref. Has no request body and returns an empty 200 response on success.1 param
[DESTRUCTIVE] Pause a Supabase project. Pausing stops the project's Postgres database and all associated services (API, Auth, Storage, Realtime, Edge Functions), making the project completely inaccessible to end users and client applications until it is restored. Existing data is preserved while paused, but all active database connections are dropped immediately and any application relying on this project will start failing requests right away. Requires the project ref. Has no request body and returns an empty 200 response on success.
refstringrequiredThe 20-character project reference ID (lowercase letters only) of the project to pause. Found in the project's Supabase dashboard URL or Settings > General.supabase_push_branch#Push the parent (production) branch's migrations and edge functions down into a Supabase database branch. Requires branch_id_or_ref. Optionally specify migration_version to push up to a specific migration only; if omitted, all pending migrations from the parent are pushed. This changes the branch's database schema and cannot be undone from this call. Returns a workflow_run_id to track progress and a message field with value 'ok'.2 params
Push the parent (production) branch's migrations and edge functions down into a Supabase database branch. Requires branch_id_or_ref. Optionally specify migration_version to push up to a specific migration only; if omitted, all pending migrations from the parent are pushed. This changes the branch's database schema and cannot be undone from this call. Returns a workflow_run_id to track progress and a message field with value 'ok'.
branch_id_or_refstringrequiredThe branch's project ref (20-character lowercase string) or the deprecated UUID branch ID.migration_versionstringoptionalOptional migration version timestamp (e.g. '20250312000000') to push up to. If omitted, all pending migrations from the parent branch are pushed to this branch.supabase_read_only_query#[Beta] Run a SQL query against a Supabase project's database as the restricted supabase_read_only_user role. Only read-style (SELECT-like) statements are accepted — the database role backing this endpoint lacks INSERT/UPDATE/DELETE/DDL privileges, so write statements will be rejected by Postgres. All table/view/function references in the query must be schema-qualified (e.g. public.users, not users). Optionally supply positional query parameters.3 params
[Beta] Run a SQL query against a Supabase project's database as the restricted supabase_read_only_user role. Only read-style (SELECT-like) statements are accepted — the database role backing this endpoint lacks INSERT/UPDATE/DELETE/DDL privileges, so write statements will be rejected by Postgres. All table/view/function references in the query must be schema-qualified (e.g. public.users, not users). Optionally supply positional query parameters.
querystringrequiredThe read-only SQL query to execute. Must be a SELECT-style statement only (no INSERT/UPDATE/DELETE/DDL) and must use fully schema-qualified names (e.g. public.pg_stat_activity).refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.parametersarrayoptionalOptional array of positional parameter values to bind into the query (referenced as $1, $2, ... in the SQL). Pass null or omit if the query has no parameters.supabase_remove_project_addon#Remove a billing addon from a Supabase project, or revert a compute instance to its previous (smaller) size. This immediately disables the selected addon variant — for compute addons (ci_*), the project's compute instance is rolled back to its prior size, which can cause a brief restart/downtime; for PITR addons (pitr_*), point-in-time-recovery retention is disabled and existing recovery history beyond the new retention window is lost; for the IPv4 addon, the dedicated IPv4 address is released. This action takes effect immediately and cannot be undone from this tool — re-adding the addon must be done through the Supabase dashboard billing page.2 params
Remove a billing addon from a Supabase project, or revert a compute instance to its previous (smaller) size. This immediately disables the selected addon variant — for compute addons (ci_*), the project's compute instance is rolled back to its prior size, which can cause a brief restart/downtime; for PITR addons (pitr_*), point-in-time-recovery retention is disabled and existing recovery history beyond the new retention window is lost; for the IPv4 addon, the dedicated IPv4 address is released. This action takes effect immediately and cannot be undone from this tool — re-adding the addon must be done through the Supabase dashboard billing page.
addon_variantstringrequiredThe addon variant to remove. Compute addons (ci_micro..ci_48xlarge_high_memory) revert the project's compute instance to its previous size. cd_default removes the custom domain addon. pitr_7/pitr_14/pitr_28 disable point-in-time-recovery at that retention window. ipv4_default releases the dedicated IPv4 address. Example: pitr_7.refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.supabase_remove_project_signing_key#Permanently remove a JWT signing key from a Supabase project's Auth config, identified by its UUID. Only possible if the key has been in revoked status for a while; keys that are in_use, previously_used, or standby cannot be removed. Requires the project ref and the signing key id. Returns the removed key's algorithm, status, and timestamps.2 params
Permanently remove a JWT signing key from a Supabase project's Auth config, identified by its UUID. Only possible if the key has been in revoked status for a while; keys that are in_use, previously_used, or standby cannot be removed. Requires the project ref and the signing key id. Returns the removed key's algorithm, status, and timestamps.
idstringrequiredUUID of the signing key to remove. The key must currently be in revoked status. Obtain it from the list of the project's Auth signing keys.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_reset_branch#Reset a Supabase database branch, re-running its migrations from scratch and discarding any data or ad-hoc schema changes made on the branch since it was created. Requires branch_id_or_ref. Optionally specify migration_version to reset up to a specific migration only; if omitted, all migrations are replayed. This is a destructive operation that cannot be undone. Returns a workflow_run_id to track progress and a message field with value 'ok'.2 params
Reset a Supabase database branch, re-running its migrations from scratch and discarding any data or ad-hoc schema changes made on the branch since it was created. Requires branch_id_or_ref. Optionally specify migration_version to reset up to a specific migration only; if omitted, all migrations are replayed. This is a destructive operation that cannot be undone. Returns a workflow_run_id to track progress and a message field with value 'ok'.
branch_id_or_refstringrequiredThe branch's project ref (20-character lowercase string) or the deprecated UUID branch ID.migration_versionstringoptionalOptional migration version timestamp (e.g. '20250312000000') to reset up to. If omitted, all migrations are replayed from scratch.supabase_restart_project#[DESTRUCTIVE] Restart a Supabase project's underlying infrastructure. This forcibly restarts the project's Postgres database and associated services, immediately dropping all active database connections and in-flight requests. Client applications will see connection errors or brief downtime until the restart completes and services come back online. Data itself is not affected, but any transaction in progress at the moment of restart may be interrupted. Requires the project ref. Has no request body and returns an empty 200 response on success.1 param
[DESTRUCTIVE] Restart a Supabase project's underlying infrastructure. This forcibly restarts the project's Postgres database and associated services, immediately dropping all active database connections and in-flight requests. Client applications will see connection errors or brief downtime until the restart completes and services come back online. Data itself is not affected, but any transaction in progress at the moment of restart may be interrupted. Requires the project ref. Has no request body and returns an empty 200 response on success.
refstringrequiredThe 20-character project reference ID (lowercase letters only) of the project to restart. Found in the project's Supabase dashboard URL or Settings > General.supabase_restore_branch#Cancel a scheduled deletion for a Supabase database branch and restore it to an active state. Requires branch_id_or_ref. Use this after calling Delete Branch with force=false (which schedules deletion with a 1-hour grace period) if you want to keep the branch instead. Returns a message field with the value 'Branch restoration initiated'.1 param
Cancel a scheduled deletion for a Supabase database branch and restore it to an active state. Requires branch_id_or_ref. Use this after calling Delete Branch with force=false (which schedules deletion with a 1-hour grace period) if you want to keep the branch instead. Returns a message field with the value 'Branch restoration initiated'.
branch_id_or_refstringrequiredThe branch's project ref (20-character lowercase string) or the deprecated UUID branch ID.supabase_restore_physical_backup#Restore a physical backup for a Supabase project's database. WARNING: this is a highly destructive, irreversible operation — restoring a backup overwrites the project's CURRENT database with the contents of the selected backup, permanently discarding all data written after that backup was taken. The project's database becomes unavailable during the restore, and there is no automatic undo; if you need the current state afterward, create a restore point or manual backup first.2 params
Restore a physical backup for a Supabase project's database. WARNING: this is a highly destructive, irreversible operation — restoring a backup overwrites the project's CURRENT database with the contents of the selected backup, permanently discarding all data written after that backup was taken. The project's database becomes unavailable during the restore, and there is no automatic undo; if you need the current state afterward, create a restore point or manual backup first.
idintegerrequiredThe numeric ID of the physical backup to restore, as returned by the project's backups listing. Example: 12345.refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.supabase_restore_pitr_backup#Restore a Supabase project's database to a specific point in time using Point-In-Time-Recovery (PITR). WARNING: this is a highly destructive, irreversible operation — it overwrites the project's CURRENT database with its state as of the given recovery timestamp, permanently discarding all data written after that timestamp. The database becomes unavailable during the restore, and there is no automatic undo; only project's with a PITR add-on and a target time within the retention window can be restored.2 params
Restore a Supabase project's database to a specific point in time using Point-In-Time-Recovery (PITR). WARNING: this is a highly destructive, irreversible operation — it overwrites the project's CURRENT database with its state as of the given recovery timestamp, permanently discarding all data written after that timestamp. The database becomes unavailable during the restore, and there is no automatic undo; only project's with a PITR add-on and a target time within the retention window can be restored.
recovery_time_target_unixintegerrequiredThe target recovery time as a Unix timestamp (seconds since epoch). The database is restored to its state at this exact point in time. Must fall within the project's PITR retention window. Example: 1740787200 (2025-03-01T00:00:00Z).refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.supabase_restore_project#[DESTRUCTIVE] Restore (unpause) a previously paused Supabase project, bringing its Postgres database and associated services back online. This action changes project state and can trigger a lengthy provisioning process on Supabase's infrastructure; depending on how long the project was paused, restoring may take several minutes and, for very old paused projects, is not always guaranteed to succeed without support intervention. Requires the project ref. Has no request body and returns an empty 200 response on success.1 param
[DESTRUCTIVE] Restore (unpause) a previously paused Supabase project, bringing its Postgres database and associated services back online. This action changes project state and can trigger a lengthy provisioning process on Supabase's infrastructure; depending on how long the project was paused, restoring may take several minutes and, for very old paused projects, is not always guaranteed to succeed without support intervention. Requires the project ref. Has no request body and returns an empty 200 response on success.
refstringrequiredThe 20-character project reference ID (lowercase letters only) of the paused project to restore. Found in the project's Supabase dashboard URL or Settings > General.supabase_rollback_migrations#Roll back database migrations for a Supabase project and remove them from the migration history table. Only available to selected partner OAuth apps. WARNING: this is a destructive, irreversible operation from the tool's perspective — any migration with a version greater than or equal to the given threshold is rolled back and its history entry permanently deleted; this does not automatically undo schema/data changes unless the migrations themselves define down-migrations, so verify what the rollback will do before running it.2 params
Roll back database migrations for a Supabase project and remove them from the migration history table. Only available to selected partner OAuth apps. WARNING: this is a destructive, irreversible operation from the tool's perspective — any migration with a version greater than or equal to the given threshold is rolled back and its history entry permanently deleted; this does not automatically undo schema/data changes unless the migrations themselves define down-migrations, so verify what the rollback will do before running it.
gtestringrequiredRoll back all migrations with a version number greater than or equal to this value. Migration versions are typically timestamps formatted as YYYYMMDDHHMMSS. Example: 20250312000000.refstringrequiredThe 20-character lowercase Supabase project reference ID. Found in the project's dashboard URL or via the List Projects tool. Example: abcdefghijklmnopqrst.supabase_run_query#[Beta] Run an arbitrary SQL query directly against a Supabase project's Postgres database and return the result rows. WARNING: unless read_only is set to true, this can execute ANY SQL, including INSERT/UPDATE/DELETE/DROP statements that permanently modify or destroy data — treat it as a destructive, non-idempotent operation and review the query carefully before running it. Supports parameterized queries via the optional parameters array. Requires the project ref and a query.4 params
[Beta] Run an arbitrary SQL query directly against a Supabase project's Postgres database and return the result rows. WARNING: unless read_only is set to true, this can execute ANY SQL, including INSERT/UPDATE/DELETE/DROP statements that permanently modify or destroy data — treat it as a destructive, non-idempotent operation and review the query carefully before running it. Supports parameterized queries via the optional parameters array. Requires the project ref and a query.
querystringrequiredThe SQL statement to execute against the project's Postgres database. Cannot be empty. Can be any valid SQL, including statements that modify data or schema.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.parametersarrayoptionalOptional array of positional parameter values to bind into the query (e.g. for $1, $2 placeholders), to avoid SQL injection when including user-supplied values.read_onlybooleanoptionalWhen true, the query is executed against a read-only replica/transaction and any write statement is rejected. Strongly recommended for exploratory queries.supabase_undo#Initiate an undo (rollback) of a Supabase project's database to a previously created restore point. Requires the project ref and the exact name of an existing restore point (use the Get Restore Point tool to look up valid names). This is a destructive, irreversible operation that replaces the current database state with the older restore point's data. Returns 201 with no response body on success.2 params
Initiate an undo (rollback) of a Supabase project's database to a previously created restore point. Requires the project ref and the exact name of an existing restore point (use the Get Restore Point tool to look up valid names). This is a destructive, irreversible operation that replaces the current database state with the older restore point's data. Returns 201 with no response body on success.
namestringrequiredName of the existing restore point to undo (roll back) the database to. Maximum 20 characters. Must exactly match a restore point returned by the Get Restore Point tool.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_update_action_run_status#Update the status of one or more steps of an ongoing Supabase Environments action run (clone, pull, health, configure, migrate, seed, deploy). Typically called by CI/automation to report progress of a branch provisioning pipeline. Provide only the step(s) whose status changed; each accepts one of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.9 params
Update the status of one or more steps of an ongoing Supabase Environments action run (clone, pull, health, configure, migrate, seed, deploy). Typically called by CI/automation to report progress of a branch provisioning pipeline. Provide only the step(s) whose status changed; each accepts one of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.run_idstringrequiredThe unique ID of the action run whose step statuses are being updated.clonestringoptionalNew status for the 'clone' step. One of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.configurestringoptionalNew status for the 'configure' step. One of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.deploystringoptionalNew status for the 'deploy' step. One of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.healthstringoptionalNew status for the 'health' step. One of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.migratestringoptionalNew status for the 'migrate' step. One of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.pullstringoptionalNew status for the 'pull' step. One of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.seedstringoptionalNew status for the 'seed' step. One of CREATED, DEAD, EXITED, PAUSED, REMOVING, RESTARTING, RUNNING.supabase_update_auth_service_config#Update a Supabase project's Auth (GoTrue) service configuration. Supports over 200 optional settings covering signup restrictions, JWT/session lifetime, SMTP and email templates, SMS/phone OTP providers, external OAuth providers (Apple, Azure, Google, GitHub, etc.), MFA (TOTP/WebAuthn/phone), passkeys, rate limits, CAPTCHA, Auth hooks, and the project's built-in OAuth server. Only the fields you provide are changed; omitted fields keep their current value. Requires the project ref. Returns the updated auth config object.235 params
Update a Supabase project's Auth (GoTrue) service configuration. Supports over 200 optional settings covering signup restrictions, JWT/session lifetime, SMTP and email templates, SMS/phone OTP providers, external OAuth providers (Apple, Azure, Google, GitHub, etc.), MFA (TOTP/WebAuthn/phone), passkeys, rate limits, CAPTCHA, Auth hooks, and the project's built-in OAuth server. Only the fields you provide are changed; omitted fields keep their current value. Requires the project ref. Returns the updated auth config object.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.api_max_request_durationintegeroptionalMaximum duration, in seconds, Auth allows for a single API request before timing out.custom_oauth_enabledbooleanoptionalWhether custom (non-catalog) OAuth provider configurations are enabled for this project.db_max_pool_sizeintegeroptionalMaximum size of the database connection pool used by the Auth service.db_max_pool_size_unitstringoptionalUnit for db_max_pool_size: a fixed number of connections, or a percentage of the project's total available connections.disable_signupbooleanoptionalWhether to disable new user signups. When true, only existing users can sign in; new signups are rejected.external_anonymous_users_enabledbooleanoptionalWhether anonymous sign-ins are enabled for the project.external_apple_additional_client_idsstringoptionalComma-separated list of additional OAuth client IDs accepted for Sign in with Apple (e.g. for multiple native apps).external_apple_client_idstringoptionalOAuth client ID registered with Apple, used for Sign in with Apple.external_apple_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Apple.external_apple_enabledbooleanoptionalWhether Sign in with Apple is enabled for this project.external_apple_secretstringoptionalOAuth client secret registered with Apple, used for Sign in with Apple. Treated as a secret.external_azure_client_idstringoptionalOAuth client ID registered with Azure, used for Sign in with Azure.external_azure_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Azure.external_azure_enabledbooleanoptionalWhether Sign in with Azure is enabled for this project.external_azure_secretstringoptionalOAuth client secret registered with Azure, used for Sign in with Azure. Treated as a secret.external_azure_urlstringoptionalBase URL of the self-hosted/on-prem Azure instance to authenticate against.external_bitbucket_client_idstringoptionalOAuth client ID registered with Bitbucket, used for Sign in with Bitbucket.external_bitbucket_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Bitbucket.external_bitbucket_enabledbooleanoptionalWhether Sign in with Bitbucket is enabled for this project.external_bitbucket_secretstringoptionalOAuth client secret registered with Bitbucket, used for Sign in with Bitbucket. Treated as a secret.external_discord_client_idstringoptionalOAuth client ID registered with Discord, used for Sign in with Discord.external_discord_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Discord.external_discord_enabledbooleanoptionalWhether Sign in with Discord is enabled for this project.external_discord_secretstringoptionalOAuth client secret registered with Discord, used for Sign in with Discord. Treated as a secret.external_email_enabledbooleanoptionalWhether email-based sign-up and sign-in (password or OTP) is enabled.external_facebook_client_idstringoptionalOAuth client ID registered with Facebook, used for Sign in with Facebook.external_facebook_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Facebook.external_facebook_enabledbooleanoptionalWhether Sign in with Facebook is enabled for this project.external_facebook_secretstringoptionalOAuth client secret registered with Facebook, used for Sign in with Facebook. Treated as a secret.external_figma_client_idstringoptionalOAuth client ID registered with Figma, used for Sign in with Figma.external_figma_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Figma.external_figma_enabledbooleanoptionalWhether Sign in with Figma is enabled for this project.external_figma_secretstringoptionalOAuth client secret registered with Figma, used for Sign in with Figma. Treated as a secret.external_github_client_idstringoptionalOAuth client ID registered with Github, used for Sign in with Github.external_github_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Github.external_github_enabledbooleanoptionalWhether Sign in with Github is enabled for this project.external_github_secretstringoptionalOAuth client secret registered with Github, used for Sign in with Github. Treated as a secret.external_gitlab_client_idstringoptionalOAuth client ID registered with Gitlab, used for Sign in with Gitlab.external_gitlab_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Gitlab.external_gitlab_enabledbooleanoptionalWhether Sign in with Gitlab is enabled for this project.external_gitlab_secretstringoptionalOAuth client secret registered with Gitlab, used for Sign in with Gitlab. Treated as a secret.external_gitlab_urlstringoptionalBase URL of the self-hosted/on-prem Gitlab instance to authenticate against.external_google_additional_client_idsstringoptionalComma-separated list of additional OAuth client IDs accepted for Sign in with Google (e.g. for multiple native apps).external_google_client_idstringoptionalOAuth client ID registered with Google, used for Sign in with Google.external_google_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Google.external_google_enabledbooleanoptionalWhether Sign in with Google is enabled for this project.external_google_secretstringoptionalOAuth client secret registered with Google, used for Sign in with Google. Treated as a secret.external_google_skip_nonce_checkbooleanoptionalWhen true, skips validating the OIDC nonce claim for Sign in with Google. Only disable this if you understand the replay-attack risk.external_kakao_client_idstringoptionalOAuth client ID registered with Kakao, used for Sign in with Kakao.external_kakao_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Kakao.external_kakao_enabledbooleanoptionalWhether Sign in with Kakao is enabled for this project.external_kakao_secretstringoptionalOAuth client secret registered with Kakao, used for Sign in with Kakao. Treated as a secret.external_keycloak_client_idstringoptionalOAuth client ID registered with Keycloak, used for Sign in with Keycloak.external_keycloak_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Keycloak.external_keycloak_enabledbooleanoptionalWhether Sign in with Keycloak is enabled for this project.external_keycloak_secretstringoptionalOAuth client secret registered with Keycloak, used for Sign in with Keycloak. Treated as a secret.external_keycloak_urlstringoptionalBase URL of the self-hosted/on-prem Keycloak instance to authenticate against.external_linkedin_oidc_client_idstringoptionalOAuth client ID registered with LinkedIn (OIDC), used for Sign in with LinkedIn (OIDC).external_linkedin_oidc_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with LinkedIn (OIDC).external_linkedin_oidc_enabledbooleanoptionalWhether Sign in with LinkedIn (OIDC) is enabled for this project.external_linkedin_oidc_secretstringoptionalOAuth client secret registered with LinkedIn (OIDC), used for Sign in with LinkedIn (OIDC). Treated as a secret.external_notion_client_idstringoptionalOAuth client ID registered with Notion, used for Sign in with Notion.external_notion_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Notion.external_notion_enabledbooleanoptionalWhether Sign in with Notion is enabled for this project.external_notion_secretstringoptionalOAuth client secret registered with Notion, used for Sign in with Notion. Treated as a secret.external_phone_enabledbooleanoptionalWhether phone-based sign-up and sign-in (SMS OTP) is enabled.external_slack_client_idstringoptionalOAuth client ID registered with Slack, used for Sign in with Slack.external_slack_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Slack.external_slack_enabledbooleanoptionalWhether Sign in with Slack is enabled for this project.external_slack_oidc_client_idstringoptionalOAuth client ID registered with Slack (OIDC), used for Sign in with Slack (OIDC).external_slack_oidc_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Slack (OIDC).external_slack_oidc_enabledbooleanoptionalWhether Sign in with Slack (OIDC) is enabled for this project.external_slack_oidc_secretstringoptionalOAuth client secret registered with Slack (OIDC), used for Sign in with Slack (OIDC). Treated as a secret.external_slack_secretstringoptionalOAuth client secret registered with Slack, used for Sign in with Slack. Treated as a secret.external_spotify_client_idstringoptionalOAuth client ID registered with Spotify, used for Sign in with Spotify.external_spotify_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Spotify.external_spotify_enabledbooleanoptionalWhether Sign in with Spotify is enabled for this project.external_spotify_secretstringoptionalOAuth client secret registered with Spotify, used for Sign in with Spotify. Treated as a secret.external_twitch_client_idstringoptionalOAuth client ID registered with Twitch, used for Sign in with Twitch.external_twitch_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Twitch.external_twitch_enabledbooleanoptionalWhether Sign in with Twitch is enabled for this project.external_twitch_secretstringoptionalOAuth client secret registered with Twitch, used for Sign in with Twitch. Treated as a secret.external_twitter_client_idstringoptionalOAuth client ID registered with Twitter, used for Sign in with Twitter.external_twitter_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Twitter.external_twitter_enabledbooleanoptionalWhether Sign in with Twitter is enabled for this project.external_twitter_secretstringoptionalOAuth client secret registered with Twitter, used for Sign in with Twitter. Treated as a secret.external_web3_ethereum_enabledbooleanoptionalWhether Sign-in with Ethereum (Web3 wallet) is enabled.external_web3_solana_enabledbooleanoptionalWhether Sign-in with Solana (Web3 wallet) is enabled.external_workos_client_idstringoptionalOAuth client ID registered with Workos, used for Sign in with Workos.external_workos_enabledbooleanoptionalWhether Sign in with Workos is enabled for this project.external_workos_secretstringoptionalOAuth client secret registered with Workos, used for Sign in with Workos. Treated as a secret.external_workos_urlstringoptionalBase URL of the self-hosted/on-prem Workos instance to authenticate against.external_x_client_idstringoptionalOAuth client ID registered with X (Twitter), used for Sign in with X (Twitter).external_x_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with X (Twitter).external_x_enabledbooleanoptionalWhether Sign in with X (Twitter) is enabled for this project.external_x_secretstringoptionalOAuth client secret registered with X (Twitter), used for Sign in with X (Twitter). Treated as a secret.external_zoom_client_idstringoptionalOAuth client ID registered with Zoom, used for Sign in with Zoom.external_zoom_email_optionalbooleanoptionalWhen true, a verified email address is not required to complete Sign in with Zoom.external_zoom_enabledbooleanoptionalWhether Sign in with Zoom is enabled for this project.external_zoom_secretstringoptionalOAuth client secret registered with Zoom, used for Sign in with Zoom. Treated as a secret.hook_after_user_created_enabledbooleanoptionalWhether the 'after user created' Auth hook is enabled. When enabled, Auth calls the configured URI at the relevant point in the auth flow.hook_after_user_created_secretsstringoptionalComma-separated list of base64/HMAC signing secrets used to verify requests to the 'after user created' hook came from Supabase Auth.hook_after_user_created_uristringoptionalURI Auth calls for the 'after user created' hook. Supports 'https://', 'http://' (local dev), or 'pg-functions://' for a Postgres function.hook_before_user_created_enabledbooleanoptionalWhether the 'before user created' Auth hook is enabled. When enabled, Auth calls the configured URI at the relevant point in the auth flow.hook_before_user_created_secretsstringoptionalComma-separated list of base64/HMAC signing secrets used to verify requests to the 'before user created' hook came from Supabase Auth.hook_before_user_created_uristringoptionalURI Auth calls for the 'before user created' hook. Supports 'https://', 'http://' (local dev), or 'pg-functions://' for a Postgres function.hook_custom_access_token_enabledbooleanoptionalWhether the 'custom access token' Auth hook is enabled. When enabled, Auth calls the configured URI at the relevant point in the auth flow.hook_custom_access_token_secretsstringoptionalComma-separated list of base64/HMAC signing secrets used to verify requests to the 'custom access token' hook came from Supabase Auth.hook_custom_access_token_uristringoptionalURI Auth calls for the 'custom access token' hook. Supports 'https://', 'http://' (local dev), or 'pg-functions://' for a Postgres function.hook_mfa_verification_attempt_enabledbooleanoptionalWhether the 'mfa verification attempt' Auth hook is enabled. When enabled, Auth calls the configured URI at the relevant point in the auth flow.hook_mfa_verification_attempt_secretsstringoptionalComma-separated list of base64/HMAC signing secrets used to verify requests to the 'mfa verification attempt' hook came from Supabase Auth.hook_mfa_verification_attempt_uristringoptionalURI Auth calls for the 'mfa verification attempt' hook. Supports 'https://', 'http://' (local dev), or 'pg-functions://' for a Postgres function.hook_password_verification_attempt_enabledbooleanoptionalWhether the 'password verification attempt' Auth hook is enabled. When enabled, Auth calls the configured URI at the relevant point in the auth flow.hook_password_verification_attempt_secretsstringoptionalComma-separated list of base64/HMAC signing secrets used to verify requests to the 'password verification attempt' hook came from Supabase Auth.hook_password_verification_attempt_uristringoptionalURI Auth calls for the 'password verification attempt' hook. Supports 'https://', 'http://' (local dev), or 'pg-functions://' for a Postgres function.hook_send_email_enabledbooleanoptionalWhether the 'send email' Auth hook is enabled. When enabled, Auth calls the configured URI at the relevant point in the auth flow.hook_send_email_secretsstringoptionalComma-separated list of base64/HMAC signing secrets used to verify requests to the 'send email' hook came from Supabase Auth.hook_send_email_uristringoptionalURI Auth calls for the 'send email' hook. Supports 'https://', 'http://' (local dev), or 'pg-functions://' for a Postgres function.hook_send_sms_enabledbooleanoptionalWhether the 'send sms' Auth hook is enabled. When enabled, Auth calls the configured URI at the relevant point in the auth flow.hook_send_sms_secretsstringoptionalComma-separated list of base64/HMAC signing secrets used to verify requests to the 'send sms' hook came from Supabase Auth.hook_send_sms_uristringoptionalURI Auth calls for the 'send sms' hook. Supports 'https://', 'http://' (local dev), or 'pg-functions://' for a Postgres function.jwt_expintegeroptionalExpiry time (in seconds) for access tokens (JWTs) issued by Auth. Between 0 and 604800 (7 days).mailer_allow_unverified_email_sign_insbooleanoptionalWhether users with an unverified email address are allowed to sign in.mailer_autoconfirmbooleanoptionalWhen true, new users are automatically confirmed without needing to click a confirmation email link.mailer_notifications_email_changed_enabledbooleanoptionalWhether to send a notification email to the user when their email changed occurs.mailer_notifications_identity_linked_enabledbooleanoptionalWhether to send a notification email to the user when their identity linked occurs.mailer_notifications_identity_unlinked_enabledbooleanoptionalWhether to send a notification email to the user when their identity unlinked occurs.mailer_notifications_mfa_factor_enrolled_enabledbooleanoptionalWhether to send a notification email to the user when their mfa factor enrolled occurs.mailer_notifications_mfa_factor_unenrolled_enabledbooleanoptionalWhether to send a notification email to the user when their mfa factor unenrolled occurs.mailer_notifications_password_changed_enabledbooleanoptionalWhether to send a notification email to the user when their password changed occurs.mailer_notifications_phone_changed_enabledbooleanoptionalWhether to send a notification email to the user when their phone changed occurs.mailer_otp_expintegeroptionalExpiry time (in seconds) for email OTP / magic link tokens.mailer_otp_lengthintegeroptionalNumber of digits in generated email OTP codes. Between 6 and 10.mailer_secure_email_change_enabledbooleanoptionalWhen true, changing a user's email address requires confirmation from both the old and the new email address.mailer_subjects_confirmationstringoptionalSubject line used for the 'confirmation' auth email template.mailer_subjects_email_changestringoptionalSubject line used for the 'email change' auth email template.mailer_subjects_email_changed_notificationstringoptionalSubject line used for the 'email changed notification' auth email template.mailer_subjects_identity_linked_notificationstringoptionalSubject line used for the 'identity linked notification' auth email template.mailer_subjects_identity_unlinked_notificationstringoptionalSubject line used for the 'identity unlinked notification' auth email template.mailer_subjects_invitestringoptionalSubject line used for the 'invite' auth email template.mailer_subjects_magic_linkstringoptionalSubject line used for the 'magic link' auth email template.mailer_subjects_mfa_factor_enrolled_notificationstringoptionalSubject line used for the 'mfa factor enrolled notification' auth email template.mailer_subjects_mfa_factor_unenrolled_notificationstringoptionalSubject line used for the 'mfa factor unenrolled notification' auth email template.mailer_subjects_password_changed_notificationstringoptionalSubject line used for the 'password changed notification' auth email template.mailer_subjects_phone_changed_notificationstringoptionalSubject line used for the 'phone changed notification' auth email template.mailer_subjects_reauthenticationstringoptionalSubject line used for the 'reauthentication' auth email template.mailer_subjects_recoverystringoptionalSubject line used for the 'recovery' auth email template.mailer_templates_confirmation_contentstringoptionalCustom HTML body template for the 'confirmation' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_email_change_contentstringoptionalCustom HTML body template for the 'email change' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_email_changed_notification_contentstringoptionalCustom HTML body template for the 'email changed notification' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_identity_linked_notification_contentstringoptionalCustom HTML body template for the 'identity linked notification' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_identity_unlinked_notification_contentstringoptionalCustom HTML body template for the 'identity unlinked notification' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_invite_contentstringoptionalCustom HTML body template for the 'invite' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_magic_link_contentstringoptionalCustom HTML body template for the 'magic link' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_mfa_factor_enrolled_notification_contentstringoptionalCustom HTML body template for the 'mfa factor enrolled notification' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_mfa_factor_unenrolled_notification_contentstringoptionalCustom HTML body template for the 'mfa factor unenrolled notification' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_password_changed_notification_contentstringoptionalCustom HTML body template for the 'password changed notification' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_phone_changed_notification_contentstringoptionalCustom HTML body template for the 'phone changed notification' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_reauthentication_contentstringoptionalCustom HTML body template for the 'reauthentication' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mailer_templates_recovery_contentstringoptionalCustom HTML body template for the 'recovery' auth email. Supports GoTrue template variables (e.g. {{ .ConfirmationURL }}).mfa_max_enrolled_factorsintegeroptionalMaximum number of MFA factors a single user may enroll.mfa_phone_enroll_enabledbooleanoptionalWhether users are allowed to enroll a phone-number (SMS OTP) MFA factor.mfa_phone_max_frequencyintegeroptionalMinimum number of seconds between MFA SMS challenge messages sent to the same phone number (0-32767).mfa_phone_otp_lengthintegeroptionalNumber of digits in generated MFA phone OTP codes (0-32767).mfa_phone_templatestringoptionalCustom SMS message template used when sending an MFA phone OTP challenge. Supports the {{ .Code }} variable.mfa_phone_verify_enabledbooleanoptionalWhether phone-number (SMS OTP) MFA verification is enabled at sign-in.mfa_totp_enroll_enabledbooleanoptionalWhether users are allowed to enroll a new TOTP (authenticator app) MFA factor.mfa_totp_verify_enabledbooleanoptionalWhether TOTP (authenticator app) MFA verification is enabled at sign-in.mfa_web_authn_enroll_enabledbooleanoptionalWhether users are allowed to enroll a new WebAuthn (hardware key / platform authenticator) MFA factor.mfa_web_authn_verify_enabledbooleanoptionalWhether WebAuthn MFA verification is enabled at sign-in.nimbus_oauth_client_idstringoptionalClient ID for Supabase's internal Nimbus OAuth integration (advanced/internal use).nimbus_oauth_client_secretstringoptionalClient secret for Supabase's internal Nimbus OAuth integration (advanced/internal use). Treated as a secret.oauth_server_allow_dynamic_registrationbooleanoptionalWhether third-party OAuth clients may register themselves dynamically (RFC 7591 Dynamic Client Registration) against this project's OAuth server.oauth_server_authorization_pathstringoptionalCustom path used for the OAuth authorization endpoint when this project acts as an OAuth server.oauth_server_enabledbooleanoptionalWhether this project can act as an OAuth 2.1 authorization server, issuing tokens to third-party client apps.passkey_enabledbooleanoptionalWhether passkey (WebAuthn passwordless) sign-in is enabled for this project.password_hibp_enabledbooleanoptionalWhen true, passwords are checked against the Have I Been Pwned breached-password database and rejected if found.password_min_lengthintegeroptionalMinimum required password length. Between 6 and 32767 characters.password_required_charactersstringoptionalCharacter sets that must each appear at least once in a password, expressed as a colon-separated list of character classes (e.g. lowercase:uppercase:digits). Empty string means no requirement.rate_limit_anonymous_usersintegeroptionalRate limit on anonymous sign-ins, expressed as a per-hour or per-interval integer cap enforced by Auth.rate_limit_email_sentintegeroptionalRate limit on emails sent, expressed as a per-hour or per-interval integer cap enforced by Auth.rate_limit_otpintegeroptionalRate limit on OTP requests, expressed as a per-hour or per-interval integer cap enforced by Auth.rate_limit_sms_sentintegeroptionalRate limit on SMS messages sent, expressed as a per-hour or per-interval integer cap enforced by Auth.rate_limit_token_refreshintegeroptionalRate limit on token refresh requests, expressed as a per-hour or per-interval integer cap enforced by Auth.rate_limit_verifyintegeroptionalRate limit on OTP/token verification attempts, expressed as a per-hour or per-interval integer cap enforced by Auth.rate_limit_web3integeroptionalRate limit on Web3 (wallet) sign-in attempts, expressed as a per-hour or per-interval integer cap enforced by Auth.refresh_token_rotation_enabledbooleanoptionalAuth config field 'refresh_token_rotation_enabled' (refresh token rotation enabled).saml_enabledbooleanoptionalWhether this project can act as a SAML 2.0 Service Provider for SSO sign-in.saml_external_urlstringoptionalThe external base URL used in this project's SAML Service Provider metadata (issuer / ACS URL).security_captcha_enabledbooleanoptionalWhether CAPTCHA verification is required on sign-up, sign-in, and password recovery.security_captcha_providerstringoptionalThe CAPTCHA provider to use when CAPTCHA is enabled.security_captcha_secretstringoptionalSecret key for the configured CAPTCHA provider, used to verify CAPTCHA tokens server-side.security_manual_linking_enabledbooleanoptionalWhether users may manually link additional identities/providers to their existing account.security_refresh_token_reuse_intervalintegeroptionalGrace period, in seconds, during which a previously used (rotated) refresh token is still accepted, to tolerate network retries.security_sb_forwarded_for_enabledbooleanoptionalWhether to trust the 'X-Forwarded-For' header to determine client IP addresses (for rate limiting and logs) when behind a trusted proxy.security_update_password_require_reauthenticationbooleanoptionalWhether users must reauthenticate (re-enter credentials) before changing their password.sessions_inactivity_timeoutnumberoptionalNumber of seconds of inactivity after which a session is revoked. 0 disables the timeout.sessions_single_per_userbooleanoptionalWhen true, signing in on a new device/browser revokes the user's other active sessions.sessions_tagsstringoptionalComma-separated list of tags used to group and manage sessions (e.g. by client type).sessions_timeboxnumberoptionalMaximum lifetime of a session in seconds, after which the user must sign in again, regardless of activity. 0 disables the limit.site_urlstringoptionalThe base URL of the site, used as an allowed redirect URL for authentication flows (e.g. password recovery, email confirmation links).sms_autoconfirmbooleanoptionalWhen true, new users signing up with a phone number are automatically confirmed without an SMS OTP challenge.sms_max_frequencyintegeroptionalMinimum number of seconds between SMS messages sent to the same phone number, for rate limiting (0-32767).sms_messagebird_access_keystringoptionalMessageBird API access key, required when sms_provider is 'messagebird'.sms_messagebird_originatorstringoptionalMessageBird originator (sender ID or phone number) shown to recipients, required when sms_provider is 'messagebird'.sms_otp_expintegeroptionalExpiry time (in seconds) for SMS OTP codes.sms_otp_lengthintegeroptionalNumber of digits in generated SMS OTP codes (0-32767).sms_providerstringoptionalThe SMS delivery provider used to send phone OTP messages.sms_templatestringoptionalCustom SMS message template used for sign-up/sign-in phone OTP challenges. Supports the {{ .Code }} variable.sms_test_otpstringoptionalComma-separated list of phone-number=otp pairs used for test/demo sign-ins without sending real SMS (e.g. '+15555550100=123456').sms_test_otp_valid_untilstringoptionalISO 8601 timestamp after which the configured sms_test_otp values stop working.sms_textlocal_api_keystringoptionalTextlocal API key, required when sms_provider is 'textlocal'.sms_textlocal_senderstringoptionalTextlocal sender ID shown to recipients, required when sms_provider is 'textlocal'.sms_twilio_account_sidstringoptionalTwilio Account SID, required when sms_provider is 'twilio'.sms_twilio_auth_tokenstringoptionalTwilio Auth Token, required when sms_provider is 'twilio'.sms_twilio_content_sidstringoptionalTwilio Content SID for the WhatsApp/Messaging template used to send OTP codes via Twilio, when applicable.sms_twilio_message_service_sidstringoptionalTwilio Messaging Service SID used to send OTP messages, required when sms_provider is 'twilio' and a Messaging Service is used instead of a single from-number.sms_twilio_verify_account_sidstringoptionalTwilio Account SID used with Twilio Verify, required when sms_provider is 'twilio_verify'.sms_twilio_verify_auth_tokenstringoptionalTwilio Auth Token used with Twilio Verify, required when sms_provider is 'twilio_verify'.sms_twilio_verify_message_service_sidstringoptionalTwilio Verify Messaging Service SID, required when sms_provider is 'twilio_verify' and a Messaging Service is used.sms_vonage_api_keystringoptionalVonage API key, required when sms_provider is 'vonage'.sms_vonage_api_secretstringoptionalVonage API secret, required when sms_provider is 'vonage'.sms_vonage_fromstringoptionalVonage sender ID or phone number shown to recipients, required when sms_provider is 'vonage'.smtp_admin_emailstringoptionalThe 'from' email address used when Auth sends emails via the configured SMTP server.smtp_hoststringoptionalHostname of the custom SMTP server used to send auth emails instead of Supabase's default mailer.smtp_max_frequencyintegeroptionalMinimum number of seconds between emails sent to the same address, used for rate limiting (0-32767).smtp_passstringoptionalPassword or API key used to authenticate with the custom SMTP server. Treated as a secret.smtp_portstringoptionalPort number of the custom SMTP server (as a string), e.g. '587' or '465'.smtp_sender_namestringoptionalDisplay name shown as the sender on outgoing auth emails.smtp_userstringoptionalUsername used to authenticate with the custom SMTP server.uri_allow_liststringoptionalComma-separated list of additional redirect URLs allowed after auth actions (sign-in, sign-up, password reset). Supports wildcards.webauthn_rp_display_namestringoptionalHuman-readable Relying Party name shown to users during passkey/WebAuthn registration prompts.webauthn_rp_idstringoptionalWebAuthn Relying Party ID — typically your application's domain (without scheme or path).webauthn_rp_originsstringoptionalComma-separated list of allowed WebAuthn origins (full URLs, including scheme) that may perform passkey registration/authentication.supabase_update_backup_schedule#Update the time of day (in UTC) at which a Supabase project's daily backup runs. The new schedule takes effect on the next backup window that includes the new time; if that time has already passed today, the first backup at the new time occurs the following day. Only available on the Enterprise organization plan, and the schedule can only be updated 3 times per 24 hours.2 params
Update the time of day (in UTC) at which a Supabase project's daily backup runs. The new schedule takes effect on the next backup window that includes the new time; if that time has already passed today, the first backup at the new time occurs the following day. Only available on the Enterprise organization plan, and the schedule can only be updated 3 times per 24 hours.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.schedule_forstringrequiredTime of day to schedule daily backups, in UTC. Format: HH:MM:SS.supabase_update_branch_config#Update the configuration of a Supabase database branch. Provide the branch_id_or_ref and any of branch_name, git_branch, persistent, status, request_review, or notify_url to change. Fields left blank are unchanged. Returns the updated branch object.7 params
Update the configuration of a Supabase database branch. Provide the branch_id_or_ref and any of branch_name, git_branch, persistent, status, request_review, or notify_url to change. Fields left blank are unchanged. Returns the updated branch object.
branch_id_or_refstringrequiredBranch reference (20-character lowercase string) or the deprecated branch UUID to update.branch_namestringoptionalNew name for the branch. Leave blank to keep the current name.git_branchstringoptionalNew Git branch to associate with this database branch. Leave blank to keep the current association.notify_urlstringoptionalHTTP endpoint that Supabase calls with branch status updates, e.g. 'https://example.com/webhooks/branches'.persistentbooleanoptionalWhether the branch should persist rather than being cleaned up as an ephemeral preview branch.request_reviewbooleanoptionalWhether to request a review for this branch (e.g., to trigger a merge/review workflow).statusstringoptionalStatus to set on the branch.supabase_update_database_password#Update the Postgres database password for a Supabase project. This is marked destructive because rotating the password immediately invalidates any existing direct database connections (including connection poolers and integrations) that use the old password — they will fail to reconnect until updated with the new password.2 params
Update the Postgres database password for a Supabase project. This is marked destructive because rotating the password immediately invalidates any existing direct database connections (including connection poolers and integrations) that use the old password — they will fail to reconnect until updated with the new password.
passwordstringrequiredNew database password. Must be at least 4 characters. Choose a strong, unique password — this is the credential used for direct Postgres connections.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_update_function#Update an existing Supabase Edge Function's metadata and/or source code (JSON content type). Provide the project ref and the function's slug, then any of name, body (the Deno/TypeScript source), or verify_jwt to change. Fields left blank are unchanged. Returns the updated function object.5 params
Update an existing Supabase Edge Function's metadata and/or source code (JSON content type). Provide the project ref and the function's slug, then any of name, body (the Deno/TypeScript source), or verify_jwt to change. Fields left blank are unchanged. Returns the updated function object.
function_slugstringrequiredSlug (identifier) of the Edge Function to update, e.g. 'hello-world'. Alphanumeric, underscores, and hyphens only.refstringrequiredProject reference ID (20-character lowercase string). Found in the project's Supabase dashboard URL or via the List Projects tool.bodystringoptionalNew Deno/TypeScript source code for the function. Leave blank to keep the current code.namestringoptionalNew display name for the function. Leave blank to keep the current name.verify_jwtbooleanoptionalWhether Supabase should verify a JWT on incoming requests to this function before invoking it. Leave blank to keep the current setting.supabase_update_hostname_config#[Beta] Initialize or update a Supabase project's custom hostname configuration by supplying the desired custom_hostname. This starts the process of provisioning the custom domain; follow up with Verify DNS Config and Activate Custom Hostname once DNS records are in place. Requires the project ref and custom_hostname.2 params
[Beta] Initialize or update a Supabase project's custom hostname configuration by supplying the desired custom_hostname. This starts the process of provisioning the custom domain; follow up with Verify DNS Config and Activate Custom Hostname once DNS records are in place. Requires the project ref and custom_hostname.
custom_hostnamestringrequiredThe fully-qualified custom hostname to configure for this project, e.g. 'docs.example.com'. Maximum 253 characters.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_update_jit_access#Update the just-in-time (JIT) database access mapping for a single user on a Supabase project — this replaces the set of Postgres roles the given user_id is allowed to assume, along with per-role expiry, allowed network (CIDR) restrictions, and whether the role is limited to database branches. Provide the full desired roles array; it replaces any existing mapping for that user.3 params
Update the just-in-time (JIT) database access mapping for a single user on a Supabase project — this replaces the set of Postgres roles the given user_id is allowed to assume, along with per-role expiry, allowed network (CIDR) restrictions, and whether the role is limited to database branches. Provide the full desired roles array; it replaces any existing mapping for that user.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.rolesarrayrequiredArray of role mapping objects to grant to user_id. Each object requires a role name and may include expires_at (unix timestamp, seconds), allowed_networks ({allowed_cidrs: [{cidr}], allowed_cidrs_v6: [{cidr}]}), and branches_only (boolean). Example: [{"role": "postgres", "expires_at": 1740787200, "allowed_networks": {"allowed_cidrs": [{"cidr": "203.0.113.0/24"}]}, "branches_only": false}]user_idstringrequiredUUID of the user to update the JIT role mapping for.supabase_update_jit_access_config#[Beta] Enable or disable a Supabase project's just-in-time (JIT) temporary database access feature. When disabled, existing JIT role mappings stop granting access. The response reports whether the change applied successfully, or an unavailable state (e.g. postgres_upgrade_required) if it could not be applied.2 params
[Beta] Enable or disable a Supabase project's just-in-time (JIT) temporary database access feature. When disabled, existing JIT role mappings stop granting access. The response reports whether the change applied successfully, or an unavailable state (e.g. postgres_upgrade_required) if it could not be applied.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.statestringrequiredDesired state of the JIT temporary access feature for this project.supabase_update_network_restrictions#[Beta] Apply network restrictions (database allowed CIDR ranges) to a Supabase project. Replaces the project's current dbAllowedCidrs and dbAllowedCidrsV6 lists with the values provided. Omit a field to leave that list unchanged. Requires the project ref. Returns the applied/pending configuration along with entitlement and status.3 params
[Beta] Apply network restrictions (database allowed CIDR ranges) to a Supabase project. Replaces the project's current dbAllowedCidrs and dbAllowedCidrsV6 lists with the values provided. Omit a field to leave that list unchanged. Requires the project ref. Returns the applied/pending configuration along with entitlement and status.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.dbAllowedCidrsarrayoptionalIPv4 CIDR ranges allowed to connect to the project's Postgres database. Example: ["203.0.113.0/24"]. Pass an empty array to remove all IPv4 restrictions (allow all).dbAllowedCidrsV6arrayoptionalIPv6 CIDR ranges allowed to connect to the project's Postgres database. Example: ["2001:db8::/32"]. Pass an empty array to remove all IPv6 restrictions (allow all).supabase_update_pgsodium_config#[Beta] Update the pgsodium encryption root_key for a Supabase project. Warning: rotating the root_key can cause all data previously encrypted with the older key to become permanently inaccessible. Requires the project ref and the new root_key value. Returns the updated pgsodium config.2 params
[Beta] Update the pgsodium encryption root_key for a Supabase project. Warning: rotating the root_key can cause all data previously encrypted with the older key to become permanently inaccessible. Requires the project ref and the new root_key value. Returns the updated pgsodium config.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.root_keystringrequiredThe new pgsodium root_key to set for the project, typically a base64-encoded string. Warning: changing this makes data encrypted with the previous key unreadable.supabase_update_pooler_config#Update a Supabase project's Supavisor connection pooler configuration — the default pool size (max database connections per pool) and/or the pooler mode (transaction or session). Only the fields you provide are changed; omit a field to leave it unchanged.3 params
Update a Supabase project's Supavisor connection pooler configuration — the default pool size (max database connections per pool) and/or the pooler mode (transaction or session). Only the fields you provide are changed; omit a field to leave it unchanged.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.default_pool_sizeintegeroptionalDefault number of database connections per pool, between 0 and 3000. Pass null or omit to leave unchanged.pool_modestringoptionalDedicated pooler mode for the project: 'transaction' (connections returned to pool after each transaction) or 'session' (connection held for the client's whole session). Pass null or omit to leave unchanged.supabase_update_postgres_config#Update a Supabase project's Postgres database configuration (postgresql.conf-style settings), such as connection limits, memory allocation (shared_buffers, work_mem, maintenance_work_mem), logging behavior, replication/WAL parameters, and parallel worker limits. Only the fields you provide are changed; all fields are optional. Some settings require a database restart to take effect — set restart_database to true to apply them immediately, or leave false to apply on the next scheduled restart.40 params
Update a Supabase project's Postgres database configuration (postgresql.conf-style settings), such as connection limits, memory allocation (shared_buffers, work_mem, maintenance_work_mem), logging behavior, replication/WAL parameters, and parallel worker limits. Only the fields you provide are changed; all fields are optional. Some settings require a database restart to take effect — set restart_database to true to apply them immediately, or leave false to apply on the next scheduled restart.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.checkpoint_timeoutstringoptionalMaximum time between automatic WAL checkpoints. Default unit: s. Optional — pass null or omit to leave the current value unchanged.cron_log_statementbooleanoptionalMaps to the Postgres GUC 'cron.log_statement'. Controls whether pg_cron logs each job's SQL statement before executing it. Optional — pass null or omit to leave the current value unchanged.effective_cache_sizestringoptionalPlanner's estimate of the effective size of the disk cache available to a single query (e.g. '4GB'). Accepts a size with unit. Optional — pass null or omit to leave the current value unchanged.hot_standby_feedbackbooleanoptionalSends feedback from a hot standby to prevent query conflicts on the primary. Optional — pass null or omit to leave the current value unchanged.log_autovacuum_min_durationstringoptionalLogs autovacuum activity that runs longer than this duration (e.g. '10s'). Default unit: ms. Optional — pass null or omit to leave the current value unchanged.log_checkpointsbooleanoptionalLogs each checkpoint. Optional — pass null or omit to leave the current value unchanged.log_connectionsbooleanoptionalLogs each successful connection. Optional — pass null or omit to leave the current value unchanged.log_disconnectionsbooleanoptionalLogs the end of each session, including duration. Optional — pass null or omit to leave the current value unchanged.log_durationbooleanoptionalLogs the duration of each completed statement. Optional — pass null or omit to leave the current value unchanged.log_lock_waitsbooleanoptionalLogs long lock waits. Optional — pass null or omit to leave the current value unchanged.log_recovery_conflict_waitsbooleanoptionalLogs recovery conflict waits longer than deadlock_timeout. Optional — pass null or omit to leave the current value unchanged.log_replication_commandsbooleanoptionalLogs each replication command. Optional — pass null or omit to leave the current value unchanged.log_startup_progress_intervalstringoptionalTime between progress updates for long-running startup operations (e.g. '10s'). Default unit: ms. Optional — pass null or omit to leave the current value unchanged.log_temp_filesstringoptionalLogs the use of temporary files larger than this size. Optional — pass null or omit to leave the current value unchanged.logical_decoding_work_memstringoptionalAmount of memory used by logical decoding, before some data is written to local disk (e.g. '64MB'). Optional — pass null or omit to leave the current value unchanged.maintenance_work_memstringoptionalMaximum memory used for maintenance operations such as VACUUM and CREATE INDEX (e.g. '64MB'). Optional — pass null or omit to leave the current value unchanged.max_connectionsintegeroptionalMaximum number of concurrent database connections. Optional — pass null or omit to leave the current value unchanged.max_locks_per_transactionintegeroptionalMaximum number of locks per transaction. Optional — pass null or omit to leave the current value unchanged.max_logical_replication_workersintegeroptionalMaximum number of logical replication workers. Optional — pass null or omit to leave the current value unchanged.max_parallel_maintenance_workersintegeroptionalMaximum number of parallel workers for maintenance operations. Optional — pass null or omit to leave the current value unchanged.max_parallel_workersintegeroptionalMaximum number of workers for parallel operations. Optional — pass null or omit to leave the current value unchanged.max_parallel_workers_per_gatherintegeroptionalMaximum number of parallel workers per gather node. Optional — pass null or omit to leave the current value unchanged.max_replication_slotsintegeroptionalMaximum number of replication slots. Optional — pass null or omit to leave the current value unchanged.max_slot_wal_keep_sizestringoptionalMaximum WAL size retained by replication slots (e.g. '1GB'). Optional — pass null or omit to leave the current value unchanged.max_standby_archive_delaystringoptionalMaximum delay before canceling queries on a standby due to conflicts from archived WAL. Optional — pass null or omit to leave the current value unchanged.max_standby_streaming_delaystringoptionalMaximum delay before canceling queries on a standby due to conflicts from streamed WAL. Optional — pass null or omit to leave the current value unchanged.max_sync_workers_per_subscriptionintegeroptionalMaximum number of table synchronization workers per subscription. Optional — pass null or omit to leave the current value unchanged.max_wal_sendersintegeroptionalMaximum number of concurrent connections from standby servers or streaming backup clients. Optional — pass null or omit to leave the current value unchanged.max_wal_sizestringoptionalMaximum size WAL is allowed to grow to between automatic checkpoints (e.g. '1GB'). Optional — pass null or omit to leave the current value unchanged.max_worker_processesintegeroptionalMaximum number of background processes the system can support. Optional — pass null or omit to leave the current value unchanged.restart_databasebooleanoptionalWhether to restart the database immediately to apply configuration changes that require a restart. If false, such changes apply on the next scheduled restart. Optional — pass null or omit to leave the current value unchanged.session_replication_rolestringoptionalControls firing of replication-related triggers and rules for the current session. Optional — pass null or omit to leave the current value unchanged.shared_buffersstringoptionalAmount of memory used for shared memory buffers (e.g. '256MB'). Optional — pass null or omit to leave the current value unchanged.statement_timeoutstringoptionalAbort any statement that takes more than this duration. Default unit: ms. Optional — pass null or omit to leave the current value unchanged.track_activity_query_sizestringoptionalSize reserved for pg_stat_activity.query, in bytes (e.g. '1024'). Optional — pass null or omit to leave the current value unchanged.track_commit_timestampbooleanoptionalRecords commit time of transactions. Optional — pass null or omit to leave the current value unchanged.wal_keep_sizestringoptionalMinimum size of past WAL files retained for standby servers (e.g. '1GB'). Optional — pass null or omit to leave the current value unchanged.wal_sender_timeoutstringoptionalTerminate replication connections inactive for longer than this duration. Default unit: ms. Optional — pass null or omit to leave the current value unchanged.work_memstringoptionalAmount of memory used for query working space before writing to temporary disk files (e.g. '4MB'). Optional — pass null or omit to leave the current value unchanged.supabase_update_postgrest_service_config#Update a Supabase project's PostgREST (Data API) service configuration, identified by its project ref. All fields are optional — only the fields you provide are changed. Configure the exposed schema(s), extra search path, max rows per request, and database connection pool settings. Returns the updated configuration.6 params
Update a Supabase project's PostgREST (Data API) service configuration, identified by its project ref. All fields are optional — only the fields you provide are changed. Configure the exposed schema(s), extra search path, max rows per request, and database connection pool settings. Returns the updated configuration.
refstringrequiredThe project ref to update the PostgREST config for. A 20-character lowercase string that uniquely identifies a Supabase project. Example: 'abcdefghijklmnopqrst'.db_extra_search_pathstringoptionalExtra schemas to add to the search_path of every request, comma-separated.db_poolintegeroptionalNumber of connections PostgREST keeps open to the database. Between 0 and 1000. If omitted, automatically configured based on compute size.db_pool_acquisition_timeoutintegeroptionalSeconds PostgREST waits to acquire a database connection before erroring. Between 0 and 60. If omitted, defaults to 10.db_schemastringoptionalComma-separated list of schema(s) to expose via the Data API, e.g. 'public,storage'.max_rowsintegeroptionalMaximum number of rows returned from a view, table, or stored procedure. Between 0 and 1000000.supabase_update_project#Update a Supabase project's name, identified by its project ref. Currently the only updatable field is the project name (1-256 characters). Returns the project ref on success.2 params
Update a Supabase project's name, identified by its project ref. Currently the only updatable field is the project name (1-256 characters). Returns the project ref on success.
namestringrequiredNew name for the project. Between 1 and 256 characters.refstringrequiredThe project ref to update. A 20-character lowercase string that uniquely identifies a Supabase project. Example: 'abcdefghijklmnopqrst'.supabase_update_project_api_key#Update the name, description, or secret JWT template of an existing API key for a Supabase project. Identify the key by its UUID id. At least one of name, description, or secret_jwt_template should be provided.6 params
Update the name, description, or secret JWT template of an existing API key for a Supabase project. Identify the key by its UUID id. At least one of name, description, or secret_jwt_template should be provided.
idstringrequiredThe UUID of the API key to update.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.descriptionstringoptionalNew human-readable description for the API key. Pass null to clear an existing description.namestringoptionalNew name for the API key. Must be 4-64 characters, lowercase letters/digits/underscores, starting with a letter or underscore (pattern ^[a-z_][a-z0-9_]+$).revealbooleanoptionalWhether to reveal the actual secret value of the API key in the response. Defaults to false (redacted) when omitted.secret_jwt_templateobjectoptionalOptional JWT template object controlling custom claims embedded when this key mints JWTs. Pass null to clear an existing template.supabase_update_project_signing_key#Update a JWT signing key for a Supabase project, mainly to change its status (e.g., promote a standby key to in_use, or revoke a key). Requires the project ref and the signing key's UUID. Returns the updated signing key object including id, algorithm, status, public_jwk, created_at, and updated_at.3 params
Update a JWT signing key for a Supabase project, mainly to change its status (e.g., promote a standby key to in_use, or revoke a key). Requires the project ref and the signing key's UUID. Returns the updated signing key object including id, algorithm, status, public_jwk, created_at, and updated_at.
idstringrequiredUUID of the signing key to update.refstringrequiredProject reference ID (the 20-character lowercase project ref shown in the Supabase dashboard URL).statusstringrequiredNew status for the signing key. One of: in_use, previously_used, revoked, standby. Example: standby.supabase_update_ssl_enforcement_config#[Beta] Update a Supabase project's SSL enforcement configuration for the database. Set database to true to require SSL for all direct Postgres connections. Requires the project ref. Returns the currentConfig after the change and whether it was appliedSuccessfully.2 params
[Beta] Update a Supabase project's SSL enforcement configuration for the database. Set database to true to require SSL for all direct Postgres connections. Requires the project ref. Returns the currentConfig after the change and whether it was appliedSuccessfully.
databasebooleanrequiredWhether to enforce SSL for direct Postgres database connections. Set to true to require SSL; false to allow non-SSL connections.refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.supabase_update_sso_provider#Update an existing SAML SSO provider on a Supabase project, identified by its UUID. All body fields are optional — only the fields you provide are updated. Supports updating the SAML metadata (via metadata_xml or metadata_url), allowed email domains, attribute mapping, and the SAML name ID format. Returns the updated provider configuration. Requires SAML 2.0 to already be enabled for the project.7 params
Update an existing SAML SSO provider on a Supabase project, identified by its UUID. All body fields are optional — only the fields you provide are updated. Supports updating the SAML metadata (via metadata_xml or metadata_url), allowed email domains, attribute mapping, and the SAML name ID format. Returns the updated provider configuration. Requires SAML 2.0 to already be enabled for the project.
provider_idstringrequiredUUID of the SSO provider to update.refstringrequiredProject reference ID (the 20-character lowercase project ref shown in the Supabase dashboard URL).attribute_mappingobjectoptionalObject mapping SAML assertion attributes to Supabase user fields. Shape: {"keys": {"<field>": {"name": "<saml-attribute-name>", "names": ["alt-name"], "default": <value>, "array": false}}}. Example: {"keys": {"email": {"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}}}domainsarrayoptionalArray of email domains that should be routed to this SSO provider. Example: ["acme.com", "contractors.acme.com"].metadata_urlstringoptionalURL where the SAML IdP metadata XML can be fetched. Example: https://sso.acme.com/metadata.xml. Provide either metadata_url or metadata_xml, not both.metadata_xmlstringoptionalRaw SAML IdP metadata XML content. Provide either metadata_xml or metadata_url, not both.name_id_formatstringoptionalSAML NameID format to use. One of the four standard SAML NameID format URNs. Example: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.supabase_upgrade_postgres_version#[Beta, DESTRUCTIVE] Initiate an in-place upgrade of a Supabase project's Postgres major version. This is an infrastructure-level operation: the project's database is taken offline for a period during the upgrade, all active connections are dropped, and the upgrade cannot be cancelled once it starts. Always ensure a recent backup exists before calling this. On success the API returns a tracking_id that can be used to monitor the upgrade's progress; it does not mean the upgrade has completed. Requires the project ref and the target Postgres version.3 params
[Beta, DESTRUCTIVE] Initiate an in-place upgrade of a Supabase project's Postgres major version. This is an infrastructure-level operation: the project's database is taken offline for a period during the upgrade, all active connections are dropped, and the upgrade cannot be cancelled once it starts. Always ensure a recent backup exists before calling this. On success the API returns a tracking_id that can be used to monitor the upgrade's progress; it does not mean the upgrade has completed. Requires the project ref and the target Postgres version.
refstringrequiredThe 20-character project reference ID (lowercase letters only) of the project whose Postgres version will be upgraded. Found in the project's Supabase dashboard URL or Settings > General.target_versionstringrequiredThe target Postgres major version number to upgrade the project to. Example: "17".release_channelstringoptionalOptional release channel to source the target Postgres version from. One of: internal, alpha, beta, ga, withdrawn, preview. If omitted, Supabase uses its default channel for the target version.supabase_upsert_migration#Upsert an entry into a Supabase project's database migration history without actually applying the SQL. Only available to selected partner OAuth apps and may return a 403 for other apps. Requires the project ref and the migration SQL query; name and rollback SQL are optional. Optionally pass an Idempotency-Key header value to ensure the same migration is tracked only once.5 params
Upsert an entry into a Supabase project's database migration history without actually applying the SQL. Only available to selected partner OAuth apps and may return a 403 for other apps. Requires the project ref and the migration SQL query; name and rollback SQL are optional. Optionally pass an Idempotency-Key header value to ensure the same migration is tracked only once.
querystringrequiredThe SQL statement(s) that make up this migration. Example: create table public.widgets(id bigint primary key);refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.idempotency_keystringoptionalOptional value for the Idempotency-Key header, ensuring the same migration is tracked only once even if this request is retried.namestringoptionalOptional human-readable name for the migration entry, used to build the migration filename.rollbackstringoptionalOptional SQL statement(s) to roll back this migration. Example: drop table if exists public.widgets;supabase_verify_dns_config#[Beta] Attempt to verify the DNS configuration for a Supabase project's custom hostname. Call this after the required DNS records (from Update Custom Hostname Config) have been added to your domain's DNS provider. Requires only the project ref. Returns the current hostname configuration status and detail once verification is attempted.1 param
[Beta] Attempt to verify the DNS configuration for a Supabase project's custom hostname. Call this after the required DNS records (from Update Custom Hostname Config) have been added to your domain's DNS provider. Requires only the project ref. Returns the current hostname configuration status and detail once verification is attempted.
refstringrequiredThe 20-character project reference ID (lowercase letters only). Found in the project's Supabase dashboard URL or Settings > General.