@supabase/server 0.1.1-rc.27 → 0.1.1-rc.28

package/dist/adapters/hono/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_create_supabase_context = require('../../create-supabase-context-BO7DGfth.cjs');
+const require_create_supabase_context = require('../../create-supabase-context-DDIAxA8h.cjs');
 let hono_http_exception = require("hono/http-exception");
 let hono_factory = require("hono/factory");
 

package/dist/adapters/hono/index.d.cts

@@ -1,4 +1,4 @@
-import { l as WithSupabaseConfig, o as SupabaseContext } from "../../types-CnKoFCMX.cjs";
+import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-X7xYi2LN.cjs";
 import * as hono_types0 from "hono/types";
 
 //#region src/adapters/hono/middleware.d.ts

package/dist/adapters/hono/index.d.mts

@@ -1,4 +1,4 @@
-import { l as WithSupabaseConfig, o as SupabaseContext } from "../../types-ClmJ8pi8.mjs";
+import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-BmWSIuH7.mjs";
 import * as hono_types0 from "hono/types";
 
 //#region src/adapters/hono/middleware.d.ts

package/dist/adapters/hono/index.mjs

@@ -1,4 +1,4 @@
-import { t as createSupabaseContext } from "../../create-supabase-context--JXiHT_N.mjs";
+import { t as createSupabaseContext } from "../../create-supabase-context-Bmwyha9p.mjs";
 import { HTTPException } from "hono/http-exception";
 import { createMiddleware } from "hono/factory";
 

package/dist/core/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_verify_auth = require('../verify-auth-BjIehuNM.cjs');
+const require_verify_auth = require('../verify-auth-DrgvEuKo.cjs');
 
 exports.createAdminClient = require_verify_auth.createAdminClient;
 exports.createContextClient = require_verify_auth.createContextClient;

package/dist/core/index.d.cts

@@ -1,4 +1,4 @@
-import { i as Credentials, n as AllowWithKey, r as AuthResult, s as SupabaseEnv } from "../types-CnKoFCMX.cjs";
+import { a as CreateAdminClientOptions, i as ClientAuth, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, u as SupabaseEnv } from "../types-X7xYi2LN.cjs";
 import { i as EnvError, t as AuthError } from "../errors-O2ugIMec.cjs";
 import { SupabaseClient } from "@supabase/supabase-js";
 
@@ -154,34 +154,28 @@ declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promi
  * Creates a Supabase client scoped to the caller's context.
  *
  * Configured with a publishable key and (optionally) the caller's JWT,
- * so Row-Level Security policies apply. Session persistence is disabled
- * (stateless, one client per request).
+ * so Row-Level Security policies apply. Stateless — one client per request.
  *
- * @param token - The caller's JWT, or `null` for anonymous access.
- * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
- * @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
- * @returns A configured {@link SupabaseClient} with RLS enforced.
  * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
  *
  * @example
  * ```ts
  * const { data: auth } = await verifyAuth(request, { allow: 'user' })
- * const supabase = createContextClient(auth.token)
+ * const supabase = createContextClient({
+ *   auth: { token: auth.token, keyName: auth.keyName },
+ * })
  * const { data } = await supabase.rpc('get_my_items')
  * ```
  */
-declare function createContextClient<Database = unknown>(token?: string | null, env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+declare function createContextClient<Database = unknown>(options?: CreateContextClientOptions): SupabaseClient<Database>;
 //#endregion
 //#region src/core/create-admin-client.d.ts
 /**
  * Creates an admin Supabase client that bypasses Row-Level Security.
  *
  * Uses a secret key for authentication, giving full access to all data.
- * Session persistence is disabled (stateless, one client per request).
+ * Stateless — one client per request.
  *
- * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
- * @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
- * @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
  * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
  *
  * @example
@@ -190,6 +184,6 @@ declare function createContextClient<Database = unknown>(token?: string | null,
  * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
  * ```
  */
-declare function createAdminClient<Database = unknown>(env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+declare function createAdminClient<Database = unknown>(options?: CreateAdminClientOptions): SupabaseClient<Database>;
 //#endregion
-export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };
+export { type ClientAuth, type CreateAdminClientOptions, type CreateContextClientOptions, createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/core/index.d.mts

@@ -1,4 +1,4 @@
-import { i as Credentials, n as AllowWithKey, r as AuthResult, s as SupabaseEnv } from "../types-ClmJ8pi8.mjs";
+import { a as CreateAdminClientOptions, i as ClientAuth, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, u as SupabaseEnv } from "../types-BmWSIuH7.mjs";
 import { i as EnvError, t as AuthError } from "../errors-CAH-RRA3.mjs";
 import { SupabaseClient } from "@supabase/supabase-js";
 
@@ -154,34 +154,28 @@ declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promi
  * Creates a Supabase client scoped to the caller's context.
  *
  * Configured with a publishable key and (optionally) the caller's JWT,
- * so Row-Level Security policies apply. Session persistence is disabled
- * (stateless, one client per request).
+ * so Row-Level Security policies apply. Stateless — one client per request.
  *
- * @param token - The caller's JWT, or `null` for anonymous access.
- * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
- * @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
- * @returns A configured {@link SupabaseClient} with RLS enforced.
  * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
  *
  * @example
  * ```ts
  * const { data: auth } = await verifyAuth(request, { allow: 'user' })
- * const supabase = createContextClient(auth.token)
+ * const supabase = createContextClient({
+ *   auth: { token: auth.token, keyName: auth.keyName },
+ * })
  * const { data } = await supabase.rpc('get_my_items')
  * ```
  */
-declare function createContextClient<Database = unknown>(token?: string | null, env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+declare function createContextClient<Database = unknown>(options?: CreateContextClientOptions): SupabaseClient<Database>;
 //#endregion
 //#region src/core/create-admin-client.d.ts
 /**
  * Creates an admin Supabase client that bypasses Row-Level Security.
  *
  * Uses a secret key for authentication, giving full access to all data.
- * Session persistence is disabled (stateless, one client per request).
+ * Stateless — one client per request.
  *
- * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
- * @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
- * @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
  * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
  *
  * @example
@@ -190,6 +184,6 @@ declare function createContextClient<Database = unknown>(token?: string | null,
  * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
  * ```
  */
-declare function createAdminClient<Database = unknown>(env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+declare function createAdminClient<Database = unknown>(options?: CreateAdminClientOptions): SupabaseClient<Database>;
 //#endregion
-export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };
+export { type ClientAuth, type CreateAdminClientOptions, type CreateContextClientOptions, createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/core/index.mjs

@@ -1,3 +1,3 @@
-import { a as createAdminClient, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, t as verifyAuth } from "../verify-auth-mePXRNu9.mjs";
+import { a as createAdminClient, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, t as verifyAuth } from "../verify-auth-Bt2uGltH.mjs";
 
 export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/{create-supabase-context--JXiHT_N.mjs → create-supabase-context-Bmwyha9p.mjs}

@@ -1,4 +1,4 @@
-import { a as createAdminClient, f as Errors, i as createContextClient, l as CreateSupabaseClientError, s as AuthError, t as verifyAuth, u as EnvError } from "./verify-auth-mePXRNu9.mjs";
+import { a as createAdminClient, f as Errors, i as createContextClient, l as CreateSupabaseClientError, s as AuthError, t as verifyAuth, u as EnvError } from "./verify-auth-Bt2uGltH.mjs";
 
 //#region src/create-supabase-context.ts
 /**
@@ -31,12 +31,23 @@ async function createSupabaseContext(request, options) {
 		error
 	};
 	try {
-		const supabase = createContextClient(auth.token, options?.env, auth.keyName);
-		const adminKeyName = auth.authType === "secret" ? auth.keyName : void 0;
+		const config = {
+			env: options?.env,
+			supabaseOptions: options?.supabaseOptions
+		};
 		return {
 			data: {
-				supabase,
-				supabaseAdmin: createAdminClient(options?.env, adminKeyName),
+				supabase: createContextClient({
+					auth: {
+						token: auth.token,
+						keyName: auth.keyName
+					},
+					...config
+				}),
+				supabaseAdmin: createAdminClient({
+					auth: { keyName: auth.authType === "secret" ? auth.keyName : void 0 },
+					...config
+				}),
 				userClaims: auth.userClaims,
 				claims: auth.claims,
 				authType: auth.authType

package/dist/{create-supabase-context-BO7DGfth.cjs → create-supabase-context-DDIAxA8h.cjs}

@@ -1,4 +1,4 @@
-const require_verify_auth = require('./verify-auth-BjIehuNM.cjs');
+const require_verify_auth = require('./verify-auth-DrgvEuKo.cjs');
 
 //#region src/create-supabase-context.ts
 /**
@@ -31,12 +31,23 @@ async function createSupabaseContext(request, options) {
 		error
 	};
 	try {
-		const supabase = require_verify_auth.createContextClient(auth.token, options?.env, auth.keyName);
-		const adminKeyName = auth.authType === "secret" ? auth.keyName : void 0;
+		const config = {
+			env: options?.env,
+			supabaseOptions: options?.supabaseOptions
+		};
 		return {
 			data: {
-				supabase,
-				supabaseAdmin: require_verify_auth.createAdminClient(options?.env, adminKeyName),
+				supabase: require_verify_auth.createContextClient({
+					auth: {
+						token: auth.token,
+						keyName: auth.keyName
+					},
+					...config
+				}),
+				supabaseAdmin: require_verify_auth.createAdminClient({
+					auth: { keyName: auth.authType === "secret" ? auth.keyName : void 0 },
+					...config
+				}),
 				userClaims: auth.userClaims,
 				claims: auth.claims,
 				authType: auth.authType

package/dist/index.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_verify_auth = require('./verify-auth-BjIehuNM.cjs');
-const require_create_supabase_context = require('./create-supabase-context-BO7DGfth.cjs');
+const require_verify_auth = require('./verify-auth-DrgvEuKo.cjs');
+const require_create_supabase_context = require('./create-supabase-context-DDIAxA8h.cjs');
 let _supabase_supabase_js_cors = require("@supabase/supabase-js/cors");
 
 //#region src/cors.ts

package/dist/index.d.cts

@@ -1,4 +1,4 @@
-import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-CnKoFCMX.cjs";
+import { a as CreateAdminClientOptions, c as JWTClaims, d as UserClaims, f as WithSupabaseConfig, i as ClientAuth, l as SupabaseContext, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, t as Allow, u as SupabaseEnv } from "./types-X7xYi2LN.cjs";
 import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as MissingSecretKeyError, f as MissingSupabaseURLError, i as EnvError, l as MissingDefaultSecretKeyError, n as AuthGenericError, o as Errors, r as CreateSupabaseClientError, s as InvalidCredentialsError, t as AuthError, u as MissingPublishableKeyError } from "./errors-O2ugIMec.cjs";
 
 //#region src/with-supabase.d.ts
@@ -56,4 +56,4 @@ declare function createSupabaseContext<Database = unknown>(request: Request, opt
   error: AuthError;
 }>;
 //#endregion
-export { type Allow, type AllowWithKey, AuthError, AuthGenericError, type AuthResult, CreateSupabaseClientError, type Credentials, EnvError, EnvGenericError, Errors, InvalidCredentialsError, type JWTClaims, MissingDefaultPublishableKeyError, MissingDefaultSecretKeyError, MissingPublishableKeyError, MissingSecretKeyError, MissingSupabaseURLError, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };
+export { type Allow, type AllowWithKey, AuthError, AuthGenericError, type AuthResult, type ClientAuth, type CreateAdminClientOptions, type CreateContextClientOptions, CreateSupabaseClientError, type Credentials, EnvError, EnvGenericError, Errors, InvalidCredentialsError, type JWTClaims, MissingDefaultPublishableKeyError, MissingDefaultSecretKeyError, MissingPublishableKeyError, MissingSecretKeyError, MissingSupabaseURLError, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-ClmJ8pi8.mjs";
+import { a as CreateAdminClientOptions, c as JWTClaims, d as UserClaims, f as WithSupabaseConfig, i as ClientAuth, l as SupabaseContext, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, t as Allow, u as SupabaseEnv } from "./types-BmWSIuH7.mjs";
 import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as MissingSecretKeyError, f as MissingSupabaseURLError, i as EnvError, l as MissingDefaultSecretKeyError, n as AuthGenericError, o as Errors, r as CreateSupabaseClientError, s as InvalidCredentialsError, t as AuthError, u as MissingPublishableKeyError } from "./errors-CAH-RRA3.mjs";
 
 //#region src/with-supabase.d.ts
@@ -56,4 +56,4 @@ declare function createSupabaseContext<Database = unknown>(request: Request, opt
   error: AuthError;
 }>;
 //#endregion
-export { type Allow, type AllowWithKey, AuthError, AuthGenericError, type AuthResult, CreateSupabaseClientError, type Credentials, EnvError, EnvGenericError, Errors, InvalidCredentialsError, type JWTClaims, MissingDefaultPublishableKeyError, MissingDefaultSecretKeyError, MissingPublishableKeyError, MissingSecretKeyError, MissingSupabaseURLError, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };
+export { type Allow, type AllowWithKey, AuthError, AuthGenericError, type AuthResult, type ClientAuth, type CreateAdminClientOptions, type CreateContextClientOptions, CreateSupabaseClientError, type Credentials, EnvError, EnvGenericError, Errors, InvalidCredentialsError, type JWTClaims, MissingDefaultPublishableKeyError, MissingDefaultSecretKeyError, MissingPublishableKeyError, MissingSecretKeyError, MissingSupabaseURLError, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { _ as MissingSecretKeyError, c as AuthGenericError, d as EnvGenericError, f as Errors, g as MissingPublishableKeyError, h as MissingDefaultSecretKeyError, l as CreateSupabaseClientError, m as MissingDefaultPublishableKeyError, p as InvalidCredentialsError, s as AuthError, u as EnvError, v as MissingSupabaseURLError } from "./verify-auth-mePXRNu9.mjs";
-import { t as createSupabaseContext } from "./create-supabase-context--JXiHT_N.mjs";
+import { _ as MissingSecretKeyError, c as AuthGenericError, d as EnvGenericError, f as Errors, g as MissingPublishableKeyError, h as MissingDefaultSecretKeyError, l as CreateSupabaseClientError, m as MissingDefaultPublishableKeyError, p as InvalidCredentialsError, s as AuthError, u as EnvError, v as MissingSupabaseURLError } from "./verify-auth-Bt2uGltH.mjs";
+import { t as createSupabaseContext } from "./create-supabase-context-Bmwyha9p.mjs";
 import { corsHeaders } from "@supabase/supabase-js/cors";
 
 //#region src/cors.ts

package/dist/{types-ClmJ8pi8.d.mts → types-BmWSIuH7.d.mts}

@@ -1,4 +1,4 @@
-import { SupabaseClient } from "@supabase/supabase-js";
+import { SupabaseClient, SupabaseClientOptions } from "@supabase/supabase-js";
 
 //#region src/types.d.ts
 /**
@@ -204,6 +204,50 @@ interface WithSupabaseConfig {
    * @defaultValue `true`
    */
   cors?: boolean | Record<string, string>;
+  /**
+   * Options forwarded to both internal `createClient()` calls.
+   *
+   * `accessToken` is stripped, and auth settings (`persistSession`, `autoRefreshToken`,
+   * `detectSessionInUrl`) are force-overwritten to server-safe values.
+   *
+   * @example
+   * ```ts
+   * withSupabase({
+   *   allow: 'user',
+   *   supabaseOptions: { db: { schema: 'api' } },
+   * }, handler)
+   * ```
+   */
+  supabaseOptions?: SupabaseClientOptions<string>;
+}
+/**
+ * Auth identity for client creation functions.
+ *
+ * @see {@link verifyAuth}, {@link verifyCredentials}
+ */
+interface ClientAuth {
+  /** The caller's JWT, or `null` for anonymous access. */
+  token?: string | null;
+  /** Name of the API key to use. Falls back to `"default"`, then first available. */
+  keyName?: string | null;
+}
+/** Options for {@link createContextClient}. */
+interface CreateContextClientOptions {
+  /** Auth identity — token and key name from the verified request. */
+  auth?: ClientAuth;
+  /** Override auto-detected environment variables. */
+  env?: Partial<SupabaseEnv>;
+  /** Options forwarded to `createClient()`. `accessToken` is stripped; auth settings are force-overwritten. */
+  supabaseOptions?: SupabaseClientOptions<string>;
+}
+/** Options for {@link createAdminClient}. */
+interface CreateAdminClientOptions {
+  /** Auth identity — key name from the verified request. */
+  auth?: Pick<ClientAuth, 'keyName'>;
+  /** Override auto-detected environment variables. */
+  env?: Partial<SupabaseEnv>;
+  /** Options forwarded to `createClient()`. `accessToken` is stripped; auth settings are force-overwritten. */
+  supabaseOptions?: SupabaseClientOptions<string>;
 }
 /**
  * The Supabase context created for each authenticated request.
@@ -224,4 +268,4 @@ interface SupabaseContext<Database = unknown> {
   authType: Allow;
 }
 //#endregion
-export { JWTClaims as a, UserClaims as c, Credentials as i, WithSupabaseConfig as l, AllowWithKey as n, SupabaseContext as o, AuthResult as r, SupabaseEnv as s, Allow as t };
+export { CreateAdminClientOptions as a, JWTClaims as c, UserClaims as d, WithSupabaseConfig as f, ClientAuth as i, SupabaseContext as l, AllowWithKey as n, CreateContextClientOptions as o, AuthResult as r, Credentials as s, Allow as t, SupabaseEnv as u };

package/dist/{types-CnKoFCMX.d.cts → types-X7xYi2LN.d.cts}

@@ -1,4 +1,4 @@
-import { SupabaseClient } from "@supabase/supabase-js";
+import { SupabaseClient, SupabaseClientOptions } from "@supabase/supabase-js";
 
 //#region src/types.d.ts
 /**
@@ -204,6 +204,50 @@ interface WithSupabaseConfig {
    * @defaultValue `true`
    */
   cors?: boolean | Record<string, string>;
+  /**
+   * Options forwarded to both internal `createClient()` calls.
+   *
+   * `accessToken` is stripped, and auth settings (`persistSession`, `autoRefreshToken`,
+   * `detectSessionInUrl`) are force-overwritten to server-safe values.
+   *
+   * @example
+   * ```ts
+   * withSupabase({
+   *   allow: 'user',
+   *   supabaseOptions: { db: { schema: 'api' } },
+   * }, handler)
+   * ```
+   */
+  supabaseOptions?: SupabaseClientOptions<string>;
+}
+/**
+ * Auth identity for client creation functions.
+ *
+ * @see {@link verifyAuth}, {@link verifyCredentials}
+ */
+interface ClientAuth {
+  /** The caller's JWT, or `null` for anonymous access. */
+  token?: string | null;
+  /** Name of the API key to use. Falls back to `"default"`, then first available. */
+  keyName?: string | null;
+}
+/** Options for {@link createContextClient}. */
+interface CreateContextClientOptions {
+  /** Auth identity — token and key name from the verified request. */
+  auth?: ClientAuth;
+  /** Override auto-detected environment variables. */
+  env?: Partial<SupabaseEnv>;
+  /** Options forwarded to `createClient()`. `accessToken` is stripped; auth settings are force-overwritten. */
+  supabaseOptions?: SupabaseClientOptions<string>;
+}
+/** Options for {@link createAdminClient}. */
+interface CreateAdminClientOptions {
+  /** Auth identity — key name from the verified request. */
+  auth?: Pick<ClientAuth, 'keyName'>;
+  /** Override auto-detected environment variables. */
+  env?: Partial<SupabaseEnv>;
+  /** Options forwarded to `createClient()`. `accessToken` is stripped; auth settings are force-overwritten. */
+  supabaseOptions?: SupabaseClientOptions<string>;
 }
 /**
  * The Supabase context created for each authenticated request.
@@ -224,4 +268,4 @@ interface SupabaseContext<Database = unknown> {
   authType: Allow;
 }
 //#endregion
-export { JWTClaims as a, UserClaims as c, Credentials as i, WithSupabaseConfig as l, AllowWithKey as n, SupabaseContext as o, AuthResult as r, SupabaseEnv as s, Allow as t };
+export { CreateAdminClientOptions as a, JWTClaims as c, UserClaims as d, WithSupabaseConfig as f, ClientAuth as i, SupabaseContext as l, AllowWithKey as n, CreateContextClientOptions as o, AuthResult as r, Credentials as s, Allow as t, SupabaseEnv as u };

package/dist/{verify-auth-mePXRNu9.mjs → verify-auth-Bt2uGltH.mjs}

@@ -199,11 +199,8 @@ function resolveEnv(overrides) {
 * Creates an admin Supabase client that bypasses Row-Level Security.
 *
 * Uses a secret key for authentication, giving full access to all data.
-* Session persistence is disabled (stateless, one client per request).
+* Stateless — one client per request.
 *
-* @param env - Optional environment overrides (passed through to {@link resolveEnv}).
-* @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
-* @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
 * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
 *
 * @example
@@ -212,18 +209,32 @@ function resolveEnv(overrides) {
 * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
 * ```
 */
-function createAdminClient(env, keyName) {
-	const { data: resolved, error } = resolveEnv(env);
+function createAdminClient(options) {
+	const { data: resolved, error } = resolveEnv(options?.env);
 	if (error) throw error;
+	const keyName = options?.auth?.keyName;
+	const supabaseOptions = options?.supabaseOptions;
 	const name = keyName ?? "default";
 	const keys = resolved.secretKeys;
 	const secretKey = keys[name] ?? (keyName == null ? Object.values(keys)[0] : void 0);
 	if (!secretKey) throw name === "default" ? Errors[MissingDefaultSecretKeyError]() : Errors[MissingSecretKeyError](name);
-	return createClient(resolved.url, secretKey, { auth: {
-		persistSession: false,
-		autoRefreshToken: false,
-		detectSessionInUrl: false
-	} });
+	const safeHeaders = { ...supabaseOptions?.global?.headers };
+	delete safeHeaders.Authorization;
+	delete safeHeaders.apikey;
+	return createClient(resolved.url, secretKey, {
+		...supabaseOptions,
+		accessToken: void 0,
+		global: {
+			...supabaseOptions?.global,
+			headers: safeHeaders
+		},
+		auth: {
+			...supabaseOptions?.auth,
+			persistSession: false,
+			autoRefreshToken: false,
+			detectSessionInUrl: false
+		}
+	});
 }
 
 //#endregion
@@ -232,32 +243,44 @@ function createAdminClient(env, keyName) {
 * Creates a Supabase client scoped to the caller's context.
 *
 * Configured with a publishable key and (optionally) the caller's JWT,
-* so Row-Level Security policies apply. Session persistence is disabled
-* (stateless, one client per request).
+* so Row-Level Security policies apply. Stateless — one client per request.
 *
-* @param token - The caller's JWT, or `null` for anonymous access.
-* @param env - Optional environment overrides (passed through to {@link resolveEnv}).
-* @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
-* @returns A configured {@link SupabaseClient} with RLS enforced.
 * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
 *
 * @example
 * ```ts
 * const { data: auth } = await verifyAuth(request, { allow: 'user' })
-* const supabase = createContextClient(auth.token)
+* const supabase = createContextClient({
+*   auth: { token: auth.token, keyName: auth.keyName },
+* })
 * const { data } = await supabase.rpc('get_my_items')
 * ```
 */
-function createContextClient(token, env, keyName) {
-	const { data: resolved, error } = resolveEnv(env);
+function createContextClient(options) {
+	const { data: resolved, error } = resolveEnv(options?.env);
 	if (error) throw error;
+	const token = options?.auth?.token;
+	const keyName = options?.auth?.keyName;
+	const supabaseOptions = options?.supabaseOptions;
 	const name = keyName ?? "default";
 	const keys = resolved.publishableKeys;
 	const anonKey = keys[name] ?? (keyName == null ? Object.values(keys)[0] : void 0);
 	if (!anonKey) throw name === "default" ? Errors[MissingDefaultPublishableKeyError]() : Errors[MissingPublishableKeyError](name);
+	const safeHeaders = { ...supabaseOptions?.global?.headers };
+	delete safeHeaders.Authorization;
+	delete safeHeaders.apikey;
 	return createClient(resolved.url, anonKey, {
-		global: { headers: token ? { Authorization: `Bearer ${token}` } : {} },
+		...supabaseOptions,
+		accessToken: void 0,
+		global: {
+			...supabaseOptions?.global,
+			headers: {
+				...safeHeaders,
+				...token ? { Authorization: `Bearer ${token}` } : {}
+			}
+		},
 		auth: {
+			...supabaseOptions?.auth,
 			persistSession: false,
 			autoRefreshToken: false,
 			detectSessionInUrl: false

package/dist/{verify-auth-BjIehuNM.cjs → verify-auth-DrgvEuKo.cjs}

@@ -199,11 +199,8 @@ function resolveEnv(overrides) {
 * Creates an admin Supabase client that bypasses Row-Level Security.
 *
 * Uses a secret key for authentication, giving full access to all data.
-* Session persistence is disabled (stateless, one client per request).
+* Stateless — one client per request.
 *
-* @param env - Optional environment overrides (passed through to {@link resolveEnv}).
-* @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
-* @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
 * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
 *
 * @example
@@ -212,18 +209,32 @@ function resolveEnv(overrides) {
 * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
 * ```
 */
-function createAdminClient(env, keyName) {
-	const { data: resolved, error } = resolveEnv(env);
+function createAdminClient(options) {
+	const { data: resolved, error } = resolveEnv(options?.env);
 	if (error) throw error;
+	const keyName = options?.auth?.keyName;
+	const supabaseOptions = options?.supabaseOptions;
 	const name = keyName ?? "default";
 	const keys = resolved.secretKeys;
 	const secretKey = keys[name] ?? (keyName == null ? Object.values(keys)[0] : void 0);
 	if (!secretKey) throw name === "default" ? Errors[MissingDefaultSecretKeyError]() : Errors[MissingSecretKeyError](name);
-	return (0, _supabase_supabase_js.createClient)(resolved.url, secretKey, { auth: {
-		persistSession: false,
-		autoRefreshToken: false,
-		detectSessionInUrl: false
-	} });
+	const safeHeaders = { ...supabaseOptions?.global?.headers };
+	delete safeHeaders.Authorization;
+	delete safeHeaders.apikey;
+	return (0, _supabase_supabase_js.createClient)(resolved.url, secretKey, {
+		...supabaseOptions,
+		accessToken: void 0,
+		global: {
+			...supabaseOptions?.global,
+			headers: safeHeaders
+		},
+		auth: {
+			...supabaseOptions?.auth,
+			persistSession: false,
+			autoRefreshToken: false,
+			detectSessionInUrl: false
+		}
+	});
 }
 
 //#endregion
@@ -232,32 +243,44 @@ function createAdminClient(env, keyName) {
 * Creates a Supabase client scoped to the caller's context.
 *
 * Configured with a publishable key and (optionally) the caller's JWT,
-* so Row-Level Security policies apply. Session persistence is disabled
-* (stateless, one client per request).
+* so Row-Level Security policies apply. Stateless — one client per request.
 *
-* @param token - The caller's JWT, or `null` for anonymous access.
-* @param env - Optional environment overrides (passed through to {@link resolveEnv}).
-* @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
-* @returns A configured {@link SupabaseClient} with RLS enforced.
 * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
 *
 * @example
 * ```ts
 * const { data: auth } = await verifyAuth(request, { allow: 'user' })
-* const supabase = createContextClient(auth.token)
+* const supabase = createContextClient({
+*   auth: { token: auth.token, keyName: auth.keyName },
+* })
 * const { data } = await supabase.rpc('get_my_items')
 * ```
 */
-function createContextClient(token, env, keyName) {
-	const { data: resolved, error } = resolveEnv(env);
+function createContextClient(options) {
+	const { data: resolved, error } = resolveEnv(options?.env);
 	if (error) throw error;
+	const token = options?.auth?.token;
+	const keyName = options?.auth?.keyName;
+	const supabaseOptions = options?.supabaseOptions;
 	const name = keyName ?? "default";
 	const keys = resolved.publishableKeys;
 	const anonKey = keys[name] ?? (keyName == null ? Object.values(keys)[0] : void 0);
 	if (!anonKey) throw name === "default" ? Errors[MissingDefaultPublishableKeyError]() : Errors[MissingPublishableKeyError](name);
+	const safeHeaders = { ...supabaseOptions?.global?.headers };
+	delete safeHeaders.Authorization;
+	delete safeHeaders.apikey;
 	return (0, _supabase_supabase_js.createClient)(resolved.url, anonKey, {
-		global: { headers: token ? { Authorization: `Bearer ${token}` } : {} },
+		...supabaseOptions,
+		accessToken: void 0,
+		global: {
+			...supabaseOptions?.global,
+			headers: {
+				...safeHeaders,
+				...token ? { Authorization: `Bearer ${token}` } : {}
+			}
+		},
 		auth: {
+			...supabaseOptions?.auth,
 			persistSession: false,
 			autoRefreshToken: false,
 			detectSessionInUrl: false

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@supabase/server",
-  "version": "0.1.1-rc.27",
+  "version": "0.1.1-rc.28",
   "description": "Server-side utilities for Supabase. Handles auth, client creation, and context injection so you write business logic, not boilerplate.",
   "keywords": [
     "edge",