@supabase/server 0.1.1 → 0.1.2-rc.32

package/README.md

@@ -22,11 +22,22 @@ One import. One line of config. Auth is validated, clients are scoped, CORS is h
 ## Installation
 
 ```bash
-# Deno
-import { withSupabase } from "npm:@supabase/server";
-
 # npm
+npm install @supabase/server
+
+# pnpm
 pnpm add @supabase/server
+
+# Deno / Supabase Edge Functions (no install — import directly)
+import { withSupabase } from "npm:@supabase/server";
+```
+
+### AI coding skills
+
+Install the skill so your AI coding agent (Claude Code, Cursor, etc.) knows how to use this package:
+
+```bash
+npx skills add supabase/server
 ```
 
 ## Quick Start
@@ -84,6 +95,34 @@ export default {
 }
 ```
 
+### Server-to-server
+
+```ts
+// Only accept the "automations" named secret key
+export default {
+  fetch: withSupabase({ allow: 'secret:automations' }, async (req, ctx) => {
+    const body = await req.json()
+    const { data } = await ctx.supabaseAdmin
+      .from('scheduled_tasks')
+      .insert({ name: body.taskName })
+    return Response.json({ success: true, data })
+  }),
+}
+```
+
+The caller sends the secret key in the `apikey` header:
+
+```ts
+await fetch('https://<project>.supabase.co/functions/v1/my-function', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    apikey: 'sb_secret_...', // the "automations" secret key
+  },
+  body: JSON.stringify({ taskName: 'cleanup' }),
+})
+```
+
 ## Auth Modes
 
 | Mode               | Credential            | Use case                                            |
@@ -95,7 +134,14 @@ export default {
 
 Array syntax (`allow: ["user", "secret"]`) accepts multiple auth methods — first match wins.
 
-Named key validation: `allow: "public:web_app"` validates against a specific named key in `SUPABASE_PUBLISHABLE_KEYS`.
+Named key validation: `allow: "public:web_app"` or `allow: "secret:automations"` validates against a specific named key in `SUPABASE_PUBLISHABLE_KEYS` or `SUPABASE_SECRET_KEYS`.
+
+> **Supabase Edge Functions:** By default, the platform requires a valid JWT on every request. If your function uses `allow: 'public'`, `allow: 'secret'`, or `allow: 'always'`, disable the platform-level JWT check in `supabase/config.toml`:
+>
+> ```toml
+> [functions.my-function]
+> verify_jwt = false
+> ```
 
 ## Context
 
@@ -281,7 +327,15 @@ Also supported (for local dev, self-hosted, or other runtimes):
 
 When both singular and plural forms are set, plural takes priority.
 
-For other environments, pass overrides via the `env` config option or `resolveEnv()`.
+For other environments, pass overrides via the `env` config option or `resolveEnv()`. See [`docs/environment-variables.md`](docs/environment-variables.md) for details.
+
+## Runtimes
+
+- **Supabase Edge Functions** — environment variables are auto-injected. Zero config.
+- **Deno / Bun** — works out of the box with the `export default { fetch }` pattern.
+- **Node.js** — use the [Hono adapter](#hono) or [core primitives](#primitives) with your framework of choice.
+- **Cloudflare Workers** — enable `nodejs_compat` in `wrangler.toml` or pass env overrides via the `env` config option.
+- **Next.js / Nuxt / SvelteKit / Remix** — use core primitives to build a cookie-based auth adapter. See [`docs/ssr-frameworks.md`](docs/ssr-frameworks.md).
 
 ## Exports
 
@@ -289,9 +343,22 @@ For other environments, pass overrides via the `env` config option or `resolveEn
 | -------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
 | `@supabase/server`               | `withSupabase`, `createSupabaseContext`                                                                           |
 | `@supabase/server/core`          | `verifyAuth`, `verifyCredentials`, `extractCredentials`, `createContextClient`, `createAdminClient`, `resolveEnv` |
-| `@supabase/server/wrappers`      | `verifyWebhookSignature`                                                                                          |
 | `@supabase/server/adapters/hono` | `withSupabase` (Hono middleware)                                                                                  |
 
+## Documentation
+
+| Question                                                 | Doc file                                                         |
+| -------------------------------------------------------- | ---------------------------------------------------------------- |
+| How do I create a basic endpoint?                        | [`docs/getting-started.md`](docs/getting-started.md)             |
+| What auth modes are available? Array syntax? Named keys? | [`docs/auth-modes.md`](docs/auth-modes.md)                       |
+| How do I use this with Hono?                             | [`docs/hono-adapter.md`](docs/hono-adapter.md)                   |
+| How do I use low-level primitives for custom flows?      | [`docs/core-primitives.md`](docs/core-primitives.md)             |
+| How do environment variables work across runtimes?       | [`docs/environment-variables.md`](docs/environment-variables.md) |
+| How do I handle errors? What codes exist?                | [`docs/error-handling.md`](docs/error-handling.md)               |
+| How do I get typed database queries?                     | [`docs/typescript-generics.md`](docs/typescript-generics.md)     |
+| How do I use this in Next.js, Nuxt, SvelteKit, or Remix? | [`docs/ssr-frameworks.md`](docs/ssr-frameworks.md)               |
+| What's the complete API surface?                         | [`docs/api-reference.md`](docs/api-reference.md)                 |
+
 ## Development
 
 ```bash

package/SKILL.md

@@ -0,0 +1,415 @@
+---
+name: supabase-server
+description: Use when writing server-side code with Supabase — Edge Functions, Hono apps, webhook handlers, or any backend that needs Supabase auth and client creation. Trigger whenever the user imports from `@supabase/server`, mentions Supabase Edge Functions, or needs server-side auth (JWT verification, API key validation, CORS handling) with Supabase. Also trigger when you see legacy patterns in existing code — `Deno.serve`, `createClient(Deno.env.get('SUPABASE_URL'))`, imports from `esm.sh/@supabase`, `deno.land/std` serve, or usage of `SUPABASE_ANON_KEY` / `SUPABASE_SERVICE_ROLE_KEY` — these indicate code that should be migrated to this package.
+---
+
+# @supabase/server
+
+> **This is a brand new package.** There is no information available online yet — no blog posts, no Stack Overflow answers, no tutorials. Do not search the web for usage examples. Rely exclusively on the documentation files listed below and the source code in this repository.
+
+> **Do not use legacy Supabase keys.** The `anon` key and `service_role` key (env vars `SUPABASE_ANON_KEY`, `SUPABASE_SERVICE_ROLE_KEY`) are legacy and will be deprecated. Do not use them unless the user explicitly asks. Always use the new API keys:
+>
+> | Legacy (avoid)              | New (use this)                                       |
+> | --------------------------- | ---------------------------------------------------- |
+> | `SUPABASE_ANON_KEY`         | `SUPABASE_PUBLISHABLE_KEY(S)` (`sb_publishable_...`) |
+> | `SUPABASE_SERVICE_ROLE_KEY` | `SUPABASE_SECRET_KEY(S)` (`sb_secret_...`)           |
+>
+> Do not call `createClient(url, anonKey)` directly — use `@supabase/server` auth modes (`allow: 'user'`, `allow: 'secret'`, etc.) which handle key resolution automatically. If migrating existing code, replace `SUPABASE_ANON_KEY` usage with `allow: 'public'` and `SUPABASE_SERVICE_ROLE_KEY` usage with `allow: 'secret'`.
+
+Server-side utilities for Supabase. Handles auth, client creation, and context injection so you write business logic, not boilerplate.
+
+## What this package does
+
+- Wraps fetch handlers with credential verification, CORS, and pre-configured Supabase clients
+- Supports 4 auth modes: `user` (JWT), `public` (publishable key), `secret` (secret key), `always` (none)
+- Provides composable core primitives for custom auth flows and framework integration
+- Includes a Hono adapter for per-route auth
+
+## Entry points
+
+| Import                           | Deno / Edge Functions                | Provides                                                                                                          |
+| -------------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------- |
+| `@supabase/server`               | `npm:@supabase/server`               | `withSupabase`, `createSupabaseContext`, types, errors                                                            |
+| `@supabase/server/core`          | `npm:@supabase/server/core`          | `verifyAuth`, `verifyCredentials`, `extractCredentials`, `resolveEnv`, `createContextClient`, `createAdminClient` |
+| `@supabase/server/adapters/hono` | `npm:@supabase/server/adapters/hono` | `withSupabase` (Hono middleware variant)                                                                          |
+
+## Quick starts
+
+> **Supabase Edge Functions: disable `verify_jwt` for non-user auth.** By default, Supabase Edge Functions require a valid JWT on every request. If your function uses `allow: 'public'`, `allow: 'secret'`, or `allow: 'always'`, you must disable the platform-level JWT check in `supabase/config.toml`, otherwise the request will be rejected before it reaches your handler:
+>
+> ```toml
+> [functions.my-function]
+> verify_jwt = false
+> ```
+>
+> Functions using `allow: 'user'` can leave `verify_jwt` enabled (the default) since callers already provide a valid JWT.
+
+### Supabase Edge Functions (Deno)
+
+Environment variables are auto-injected by the platform — zero config. **All imports must use the `npm:` specifier.**
+
+```ts
+// withSupabase — high-level wrapper
+import { withSupabase } from 'npm:@supabase/server'
+
+export default {
+  fetch: withSupabase({ allow: 'user' }, async (_req, ctx) => {
+    const { data } = await ctx.supabase.from('todos').select()
+    return Response.json(data)
+  }),
+}
+```
+
+```ts
+// createSupabaseContext — returns { data, error } for custom response control
+import { createSupabaseContext } from 'npm:@supabase/server'
+
+export default {
+  fetch: async (req: Request) => {
+    const { data: ctx, error } = await createSupabaseContext(req, {
+      allow: 'user',
+    })
+    if (error) {
+      return Response.json(
+        { message: error.message, code: error.code },
+        { status: error.status },
+      )
+    }
+    const { data } = await ctx.supabase.from('todos').select()
+    return Response.json(data)
+  },
+}
+```
+
+### Cloudflare Workers
+
+Requires `nodejs_compat` compatibility flag in `wrangler.toml`, or pass env overrides via the `env` config option. See `docs/environment-variables.md`.
+
+```ts
+import { withSupabase } from '@supabase/server'
+
+export default {
+  fetch: withSupabase({ allow: 'user' }, async (_req, ctx) => {
+    const { data } = await ctx.supabase.from('todos').select()
+    return Response.json(data)
+  }),
+}
+```
+
+### Hono
+
+CORS is not handled by the adapter — use `hono/cors` middleware. See `docs/hono-adapter.md`.
+
+```ts
+// Node.js / Bun
+import { Hono } from 'hono'
+import { withSupabase } from '@supabase/server/adapters/hono'
+
+const app = new Hono()
+app.use('*', withSupabase({ allow: 'user' }))
+
+app.get('/todos', async (c) => {
+  const { supabase } = c.var.supabaseContext
+  const { data } = await supabase.from('todos').select()
+  return c.json(data)
+})
+
+export default app
+```
+
+```ts
+// Deno / Supabase Edge Functions
+import { Hono } from 'npm:hono'
+import { withSupabase } from 'npm:@supabase/server/adapters/hono'
+
+const app = new Hono()
+app.use('*', withSupabase({ allow: 'user' }))
+
+app.get('/todos', async (c) => {
+  const { supabase } = c.var.supabaseContext
+  const { data } = await supabase.from('todos').select()
+  return c.json(data)
+})
+
+export default { fetch: app.fetch }
+```
+
+### SSR Frameworks (Next.js, Nuxt, SvelteKit, Remix)
+
+In SSR frameworks the JWT lives in session cookies, not the `Authorization` header. Use `@supabase/server/core` primitives to build a framework adapter. The pattern: extract token from cookies, call `verifyCredentials`, then `createContextClient`. See `docs/ssr-frameworks.md` for the full adapter pattern.
+
+```ts
+// Key imports for building the adapter
+import {
+  verifyCredentials,
+  createContextClient,
+  createAdminClient,
+} from '@supabase/server/core'
+```
+
+### Server-to-server (secret key auth)
+
+For internal services, cron jobs, or automation calling your Edge Function. The caller sends the secret key in the `apikey` header. See `docs/auth-modes.md` for named key syntax.
+
+**Edge Function (Deno):**
+
+```ts
+import { withSupabase } from 'npm:@supabase/server'
+
+// Only accept the "automations" named secret key
+export default {
+  fetch: withSupabase({ allow: 'secret:automations' }, async (req, ctx) => {
+    const body = await req.json()
+    const { data } = await ctx.supabaseAdmin
+      .from('scheduled_tasks')
+      .insert({ name: body.taskName, scheduled_at: body.scheduledAt })
+    return Response.json({ success: true, data })
+  }),
+}
+```
+
+**Caller (external service):**
+
+```ts
+await fetch('https://<project>.supabase.co/functions/v1/my-function', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    apikey: 'sb_secret_automations_...', // the named secret key
+  },
+  body: JSON.stringify({
+    taskName: 'cleanup',
+    scheduledAt: new Date().toISOString(),
+  }),
+})
+```
+
+Use `allow: 'secret'` to accept any secret key, or `allow: 'secret:name'` to require a specific named key.
+
+## When to use `allow: 'always'`
+
+> **`allow: 'always'` disables all authentication.** The handler runs for every request with no credential checks. Only use it when auth is genuinely unnecessary — health checks, public status pages, or endpoints with no sensitive data and no side effects.
+
+**Before using `allow: 'always'`, confirm with the user whether the endpoint is truly public.** If not, propose an alternative:
+
+- **Another service or cron job calls this function** — use `allow: 'secret'` or `allow: 'secret:<name>'` instead. The caller sends the secret key in the `apikey` header.
+- **An external webhook provider calls this function** — use `allow: 'secret'` and have the provider send the secret key, or implement the provider's own signature verification inside the handler.
+
+**Never use `allow: 'always'` for endpoints that read or write user data without verifying who the caller is.**
+
+## Edge Function recipes
+
+### Function-to-function calls
+
+One Edge Function can call another using the admin client. The called function uses `allow: 'secret'` and the caller invokes it via `ctx.supabaseAdmin.functions.invoke()`.
+
+**Config** (`supabase/config.toml`):
+
+```toml
+[functions.process-order]
+verify_jwt = false  # called with secret key, not a user JWT
+```
+
+**Called function** (`supabase/functions/process-order/index.ts`):
+
+```ts
+import { withSupabase } from 'npm:@supabase/server'
+
+export default {
+  fetch: withSupabase({ allow: 'secret' }, async (req, ctx) => {
+    const { orderId } = await req.json()
+    const { data } = await ctx.supabaseAdmin
+      .from('orders')
+      .update({ status: 'processing' })
+      .eq('id', orderId)
+      .select()
+      .single()
+    return Response.json(data)
+  }),
+}
+```
+
+**Calling function** (`supabase/functions/checkout/index.ts`):
+
+```ts
+import { withSupabase } from 'npm:@supabase/server'
+
+export default {
+  fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+    const { orderId } = await req.json()
+
+    // Calls process-order with the secret key automatically
+    const { data, error } = await ctx.supabaseAdmin.functions.invoke(
+      'process-order',
+      { body: { orderId } },
+    )
+
+    if (error) {
+      return Response.json({ error: error.message }, { status: 500 })
+    }
+    return Response.json(data)
+  }),
+}
+```
+
+### Calling from database with pg_net
+
+Use `pg_net` to call Edge Functions directly from SQL. The secret key is stored in Vault so it never appears in queries.
+
+**Prerequisites:**
+
+```sql
+-- 1. Enable the pg_net extension
+create extension if not exists pg_net with schema extensions;
+
+-- 2. Store your secret key in Vault
+select vault.create_secret(
+  'sb_secret_...',        -- your secret key value
+  'supabase_secret_key'   -- a name to reference it by
+);
+```
+
+**Call the function:**
+
+```sql
+select net.http_post(
+  url := 'https://<project-ref>.supabase.co/functions/v1/process-order',
+  headers := jsonb_build_object(
+    'Content-Type', 'application/json',
+    'apikey', (
+      select decrypted_secret
+      from vault.decrypted_secrets
+      where name = 'supabase_secret_key'
+    )
+  ),
+  body := jsonb_build_object('orderId', 'order_123')
+);
+```
+
+The receiving function uses `allow: 'secret'` (see example above). `pg_net` is asynchronous — the HTTP request is queued and executed in the background. Check `net._http_response` for results.
+
+### Stripe webhook
+
+External webhook providers like Stripe cannot send your Supabase API keys. Use `allow: 'always'` to skip credential checks, then verify the webhook signature inside the handler.
+
+**Config** (`supabase/config.toml`):
+
+```toml
+[functions.stripe-webhook]
+verify_jwt = false
+```
+
+**Set secrets:**
+
+```bash
+supabase secrets set STRIPE_SECRET_KEY=sk_live_...
+supabase secrets set STRIPE_WEBHOOK_SECRET=whsec_...
+```
+
+**Function** (`supabase/functions/stripe-webhook/index.ts`):
+
+```ts
+import { withSupabase } from 'npm:@supabase/server'
+import Stripe from 'npm:stripe'
+
+const stripe = new Stripe(Deno.env.get('STRIPE_SECRET_KEY')!)
+
+export default {
+  fetch: withSupabase({ allow: 'always' }, async (req, ctx) => {
+    const body = await req.text()
+    const sig = req.headers.get('stripe-signature')!
+
+    let event: Stripe.Event
+    try {
+      event = await stripe.webhooks.constructEventAsync(
+        body,
+        sig,
+        Deno.env.get('STRIPE_WEBHOOK_SECRET')!,
+      )
+    } catch {
+      return Response.json({ error: 'Invalid signature' }, { status: 401 })
+    }
+
+    switch (event.type) {
+      case 'checkout.session.completed': {
+        const session = event.data.object as Stripe.Checkout.Session
+        await ctx.supabaseAdmin
+          .from('orders')
+          .update({ status: 'paid' })
+          .eq('stripe_session_id', session.id)
+        break
+      }
+    }
+
+    return Response.json({ received: true })
+  }),
+}
+```
+
+### Migrating legacy Edge Functions
+
+If you encounter code using `SUPABASE_ANON_KEY`, `SUPABASE_SERVICE_ROLE_KEY`, `Deno.serve`, imports from `esm.sh/@supabase` or `deno.land/std`, suggest migrating to `@supabase/server`. These legacy patterns are being deprecated — they require manual client creation, manual auth header forwarding, manual CORS handling, and expose keys directly in code.
+
+**How to recognize legacy code:**
+
+- `import { serve } from "https://deno.land/std/..."` — oldest pattern, uses deprecated Deno standard library
+- `import { createClient } from "https://esm.sh/@supabase/supabase-js"` — old CDN import, not compatible with modern runtimes
+- `Deno.serve(async (req) => { ... })` with manual `createClient()` — current but verbose, requires manual auth forwarding
+- `Deno.env.get('SUPABASE_ANON_KEY')` or `SUPABASE_SERVICE_ROLE_KEY` — legacy keys that will be removed
+
+**Before** (legacy — manual client, manual auth forwarding):
+
+Legacy keys will be removed, making this code stop working. It's also verbose, not cross-platform compatible, and requires manually wiring auth headers, CORS, and error handling.
+
+```ts
+import { createClient } from 'npm:@supabase/supabase-js@2'
+
+Deno.serve(async (req: Request) => {
+  const supabaseClient = createClient(
+    Deno.env.get('SUPABASE_URL') ?? '',
+    Deno.env.get('SUPABASE_ANON_KEY') ?? '',
+    {
+      global: { headers: { Authorization: req.headers.get('Authorization')! } },
+    },
+  )
+  const { data } = await supabaseClient.from('orders').select('*')
+  return Response.json(data)
+})
+```
+
+**After** (new — auth, clients, and CORS handled automatically):
+
+Uses the latest API keys, works across runtimes (Deno, Node.js, Cloudflare), and handles auth verification, client creation, and CORS in a single line.
+
+```ts
+import { withSupabase } from 'npm:@supabase/server'
+
+export default {
+  fetch: withSupabase({ allow: 'user' }, async (_req, ctx) => {
+    const { data } = await ctx.supabase.from('orders').select('*')
+    return Response.json(data)
+  }),
+}
+```
+
+The migration mapping: `SUPABASE_ANON_KEY` with manual auth header → `allow: 'user'`, `SUPABASE_ANON_KEY` without auth → `allow: 'public'`. For `SUPABASE_SERVICE_ROLE_KEY`, it depends on intent: if the legacy code validates the incoming key to protect the endpoint (e.g., `req.headers.get('apikey') === serviceRoleKey`), use `allow: 'secret'`. If it only uses the key to create an admin client for elevated DB access, no specific auth mode is needed — `ctx.supabaseAdmin` is always available regardless of auth mode.
+
+## Documentation
+
+The full documentation lives in the `docs/` directory of the `@supabase/server` package. To read a doc, find the package location first:
+
+- **If working inside the SDK repo:** `docs/` is at the project root.
+- **If the package is installed as a dependency:** look in `node_modules/@supabase/server/docs/`.
+
+| Question                                                 | Doc file                        |
+| -------------------------------------------------------- | ------------------------------- |
+| How do I create a basic endpoint?                        | `docs/getting-started.md`       |
+| What auth modes are available? Array syntax? Named keys? | `docs/auth-modes.md`            |
+| How do I use this with Hono?                             | `docs/hono-adapter.md`          |
+| How do I use low-level primitives for custom flows?      | `docs/core-primitives.md`       |
+| How do environment variables work across runtimes?       | `docs/environment-variables.md` |
+| How do I handle errors? What codes exist?                | `docs/error-handling.md`        |
+| How do I get typed database queries?                     | `docs/typescript-generics.md`   |
+| How do I use this in Next.js, Nuxt, SvelteKit, or Remix? | `docs/ssr-frameworks.md`        |
+| What's the complete API surface?                         | `docs/api-reference.md`         |
+| What security decisions does this package make?          | `docs/security.md`              |

package/dist/adapters/hono/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_create_supabase_context = require('../../create-supabase-context-DDIAxA8h.cjs');
+const require_create_supabase_context = require('../../create-supabase-context--VqMJpDu.cjs');
 let hono_http_exception = require("hono/http-exception");
 let hono_factory = require("hono/factory");
 

package/dist/adapters/hono/index.d.cts

@@ -1,4 +1,4 @@
-import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-X7xYi2LN.cjs";
+import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-DxTr0Qum.cjs";
 import * as hono_types0 from "hono/types";
 
 //#region src/adapters/hono/middleware.d.ts

package/dist/adapters/hono/index.d.mts

@@ -1,4 +1,4 @@
-import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-BmWSIuH7.mjs";
+import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-CbC-wBUe.mjs";
 import * as hono_types0 from "hono/types";
 
 //#region src/adapters/hono/middleware.d.ts

package/dist/adapters/hono/index.mjs

@@ -1,4 +1,4 @@
-import { t as createSupabaseContext } from "../../create-supabase-context-Bmwyha9p.mjs";
+import { t as createSupabaseContext } from "../../create-supabase-context-B3Uzt_3I.mjs";
 import { HTTPException } from "hono/http-exception";
 import { createMiddleware } from "hono/factory";
 

package/dist/core/index.d.cts

@@ -1,4 +1,4 @@
-import { a as CreateAdminClientOptions, i as ClientAuth, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, u as SupabaseEnv } from "../types-X7xYi2LN.cjs";
+import { a as CreateAdminClientOptions, i as ClientAuth, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, u as SupabaseEnv } from "../types-DxTr0Qum.cjs";
 import { i as EnvError, t as AuthError } from "../errors-O2ugIMec.cjs";
 import { SupabaseClient } from "@supabase/supabase-js";
 

package/dist/core/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CreateAdminClientOptions, i as ClientAuth, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, u as SupabaseEnv } from "../types-BmWSIuH7.mjs";
+import { a as CreateAdminClientOptions, i as ClientAuth, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, u as SupabaseEnv } from "../types-CbC-wBUe.mjs";
 import { i as EnvError, t as AuthError } from "../errors-CAH-RRA3.mjs";
 import { SupabaseClient } from "@supabase/supabase-js";
 

package/dist/{create-supabase-context-DDIAxA8h.cjs → create-supabase-context--VqMJpDu.cjs}

@@ -35,12 +35,13 @@ async function createSupabaseContext(request, options) {
 			env: options?.env,
 			supabaseOptions: options?.supabaseOptions
 		};
+		const publicKeyName = auth.authType === "public" ? auth.keyName : void 0;
 		return {
 			data: {
 				supabase: require_verify_auth.createContextClient({
 					auth: {
 						token: auth.token,
-						keyName: auth.keyName
+						keyName: publicKeyName
 					},
 					...config
 				}),
@@ -50,7 +51,8 @@ async function createSupabaseContext(request, options) {
 				}),
 				userClaims: auth.userClaims,
 				claims: auth.claims,
-				authType: auth.authType
+				authType: auth.authType,
+				authKeyName: auth.keyName
 			},
 			error: null
 		};

package/dist/{create-supabase-context-Bmwyha9p.mjs → create-supabase-context-B3Uzt_3I.mjs}

@@ -35,12 +35,13 @@ async function createSupabaseContext(request, options) {
 			env: options?.env,
 			supabaseOptions: options?.supabaseOptions
 		};
+		const publicKeyName = auth.authType === "public" ? auth.keyName : void 0;
 		return {
 			data: {
 				supabase: createContextClient({
 					auth: {
 						token: auth.token,
-						keyName: auth.keyName
+						keyName: publicKeyName
 					},
 					...config
 				}),
@@ -50,7 +51,8 @@ async function createSupabaseContext(request, options) {
 				}),
 				userClaims: auth.userClaims,
 				claims: auth.claims,
-				authType: auth.authType
+				authType: auth.authType,
+				authKeyName: auth.keyName
 			},
 			error: null
 		};

package/dist/index.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_verify_auth = require('./verify-auth-DrgvEuKo.cjs');
-const require_create_supabase_context = require('./create-supabase-context-DDIAxA8h.cjs');
+const require_create_supabase_context = require('./create-supabase-context--VqMJpDu.cjs');
 let _supabase_supabase_js_cors = require("@supabase/supabase-js/cors");
 
 //#region src/cors.ts

package/dist/index.d.cts

@@ -1,4 +1,4 @@
-import { a as CreateAdminClientOptions, c as JWTClaims, d as UserClaims, f as WithSupabaseConfig, i as ClientAuth, l as SupabaseContext, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, t as Allow, u as SupabaseEnv } from "./types-X7xYi2LN.cjs";
+import { a as CreateAdminClientOptions, c as JWTClaims, d as UserClaims, f as WithSupabaseConfig, i as ClientAuth, l as SupabaseContext, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, t as Allow, u as SupabaseEnv } from "./types-DxTr0Qum.cjs";
 import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as MissingSecretKeyError, f as MissingSupabaseURLError, i as EnvError, l as MissingDefaultSecretKeyError, n as AuthGenericError, o as Errors, r as CreateSupabaseClientError, s as InvalidCredentialsError, t as AuthError, u as MissingPublishableKeyError } from "./errors-O2ugIMec.cjs";
 
 //#region src/with-supabase.d.ts

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CreateAdminClientOptions, c as JWTClaims, d as UserClaims, f as WithSupabaseConfig, i as ClientAuth, l as SupabaseContext, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, t as Allow, u as SupabaseEnv } from "./types-BmWSIuH7.mjs";
+import { a as CreateAdminClientOptions, c as JWTClaims, d as UserClaims, f as WithSupabaseConfig, i as ClientAuth, l as SupabaseContext, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, t as Allow, u as SupabaseEnv } from "./types-CbC-wBUe.mjs";
 import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as MissingSecretKeyError, f as MissingSupabaseURLError, i as EnvError, l as MissingDefaultSecretKeyError, n as AuthGenericError, o as Errors, r as CreateSupabaseClientError, s as InvalidCredentialsError, t as AuthError, u as MissingPublishableKeyError } from "./errors-CAH-RRA3.mjs";
 
 //#region src/with-supabase.d.ts

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import { _ as MissingSecretKeyError, c as AuthGenericError, d as EnvGenericError, f as Errors, g as MissingPublishableKeyError, h as MissingDefaultSecretKeyError, l as CreateSupabaseClientError, m as MissingDefaultPublishableKeyError, p as InvalidCredentialsError, s as AuthError, u as EnvError, v as MissingSupabaseURLError } from "./verify-auth-Bt2uGltH.mjs";
-import { t as createSupabaseContext } from "./create-supabase-context-Bmwyha9p.mjs";
+import { t as createSupabaseContext } from "./create-supabase-context-B3Uzt_3I.mjs";
 import { corsHeaders } from "@supabase/supabase-js/cors";
 
 //#region src/cors.ts