@supabase/server 0.2.0 → 1.0.0-rc.53

package/README.md

@@ -3,8 +3,11 @@
 [![License](https://img.shields.io/npm/l/nx.svg?style=flat-square)](./LICENSE)
 [![Package](https://img.shields.io/npm/v/@supabase/server)](https://www.npmjs.com/package/@supabase/server)
 [![pkg.pr.new](https://pkg.pr.new/badge/supabase/server)](https://pkg.pr.new/~/supabase/server)
+[![Docs](https://img.shields.io/badge/docs-supabase.github.io-3ECF8E?logo=readthedocs&logoColor=white)](https://supabase.github.io/server/)
 
-> **Beta:** This package is under active development. APIs and documentation may change. If you find a bug or have a feature request, please [open an issue](https://github.com/supabase/server/issues) or [submit a PR](https://github.com/supabase/server/blob/main/CONTRIBUTING.md).
+> **v1.0 — Public Beta.** First stable release under SemVer: breaking changes only ship as a major bump. The package is still early — expect new adapters, ergonomic improvements, and features to land frequently in minor releases. Found a rough edge? [Open an issue](https://github.com/supabase/server/issues) or [submit a PR](https://github.com/supabase/server/blob/main/CONTRIBUTING.md).
+
+> **Coming from a `0.x` release?** See [MIGRATION.md](MIGRATION.md) for the v0 → v1 rename map (`allow` → `auth`, `'public'` → `'publishable'`, `authType` → `authMode`, `claims` → `jwtClaims`, …).
 
 `@supabase/server` gives you batteries included access to the
 [supabase-js SDK](https://github.com/supabase/supabase-js), including client
@@ -15,7 +18,7 @@ Edge Functions and APIs.
 import { withSupabase } from '@supabase/server'
 
 export default {
-  fetch: withSupabase({ allow: 'user' }, async (_req, ctx) => {
+  fetch: withSupabase({ auth: 'user' }, async (_req, ctx) => {
     // RLS-scoped — this user only sees their own favorites
     const { data: myGames } = await ctx.supabase.from('favorite_games').select()
     return Response.json(myGames)
@@ -48,20 +51,20 @@ npx skills add supabase/server
 
 ## Quick Start
 
-Imagine you're building an app where users track their favorite games. They sign in and manage their own list. An admin dashboard curates featured titles. A cron job refreshes the "popular this week" rankings. Here's how each piece looks:
+Imagine you're building an app where users track their favorite games. They sign in and manage their own list. Pre-login screens browse the public catalog. An admin dashboard curates featured titles. A cron job refreshes the "popular this week" rankings. Here's how each piece looks:
 
 ### Authenticated endpoint
 
 ```ts
 // A signed-in user fetches their favorite games.
 export default {
-  fetch: withSupabase({ allow: 'user' }, async (_req, ctx) => {
-    const { supabase, supabaseAdmin, userClaims, claims, authType } = ctx
+  fetch: withSupabase({ auth: 'user' }, async (_req, ctx) => {
+    const { supabase, supabaseAdmin, userClaims, jwtClaims, authMode } = ctx
     // supabase       — RLS-scoped to the authenticated user
     // supabaseAdmin  — bypasses RLS (service role)
     // userClaims     — user identity from JWT (id, email, role)
-    // claims         — full JWT claims
-    // authType       — which auth mode matched
+    // jwtClaims      — full JWT claims
+    // authMode       — which auth mode matched
 
     // RLS-scoped — this user only sees their own favorites
     const { data: myGames } = await supabase.from('favorite_games').select()
@@ -74,21 +77,51 @@ export default {
 
 ```ts
 // The frontend hits this before showing the login screen.
-// allow: 'always' means no credentials required.
+// auth: 'none' means no credentials required.
 export default {
-  fetch: withSupabase({ allow: 'always' }, async (_req, _ctx) => {
+  fetch: withSupabase({ auth: 'none' }, async (_req, _ctx) => {
     return Response.json({ status: 'ok' })
   }),
 }
 ```
 
+### Publishable-key endpoint
+
+```ts
+// The mobile app browses the game catalog before the user signs in.
+// auth: 'publishable' validates the apikey header against a publishable key —
+// gating the endpoint to your own clients while staying anonymous to the DB.
+export default {
+  fetch: withSupabase({ auth: 'publishable' }, async (_req, ctx) => {
+    // ctx.supabase  — anonymous (anon role); RLS still applies
+    // ctx.userClaims, ctx.jwtClaims — null (no JWT)
+    // ctx.authMode === 'publishable', ctx.authKeyName === 'default'
+    const { data: catalog } = await ctx.supabase
+      .from('games')
+      .select('id, name, cover_url')
+    return Response.json(catalog)
+  }),
+}
+```
+
+The mobile app sends the publishable key in the `apikey` header:
+
+```ts
+const catalogEndpoint = 'https://<project>.supabase.co/functions/v1/catalog'
+const publishableKey = 'sb_publishable_...'
+
+await fetch(catalogEndpoint, { headers: { apikey: publishableKey } })
+```
+
+> Unlike `auth: 'secret'`, the `supabase` client here is anonymous, not admin — RLS is the source of truth for what's visible. The publishable key acts as a coarse "this request came from a known client" gate; it isn't a user identity.
+
 ### API key protected
 
 ```ts
 // An admin dashboard fetches the list of featured games to curate.
 // Secret key auth (not a user JWT) — supabaseAdmin bypasses RLS.
 export default {
-  fetch: withSupabase({ allow: 'secret' }, async (_req, ctx) => {
+  fetch: withSupabase({ auth: 'secret' }, async (_req, ctx) => {
     const { data: featuredGames } = await ctx.supabaseAdmin
       .from('featured_games')
       .select()
@@ -103,8 +136,8 @@ export default {
 // Users view their own play stats from the app (JWT).
 // A backend service pulls stats for any user (secret key + user_id in body).
 export default {
-  fetch: withSupabase({ allow: ['user', 'secret'] }, async (req, ctx) => {
-    const callerIsUser = ctx.authType === 'user'
+  fetch: withSupabase({ auth: ['user', 'secret'] }, async (req, ctx) => {
+    const callerIsUser = ctx.authMode === 'user'
 
     if (callerIsUser) {
       // RLS-scoped — the database enforces "own stats only"
@@ -129,7 +162,7 @@ export default {
 // A cron job refreshes the "popular this week" list every hour.
 // Named key ("cron") so it can be rotated without touching other services.
 export default {
-  fetch: withSupabase({ allow: 'secret:cron' }, async (_req, ctx) => {
+  fetch: withSupabase({ auth: 'secret:cron' }, async (_req, ctx) => {
     const oneWeekAgo = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000)
     const { data: popularThisWeek } = await ctx.supabaseAdmin.rpc(
       'get_most_favorited_since',
@@ -163,15 +196,15 @@ await fetch(refreshEndpoint, {
 | Mode               | Credential            | Use case                                            |
 | ------------------ | --------------------- | --------------------------------------------------- |
 | `"user"` (default) | Valid JWT             | Authenticated user endpoints                        |
-| `"public"`         | Valid publishable key | Client-facing, key-validated endpoints              |
+| `"publishable"`    | Valid publishable key | Client-facing, key-validated endpoints              |
 | `"secret"`         | Valid secret key      | Server-to-server, internal calls                    |
-| `"always"`         | None                  | Open endpoints, wrappers that handle their own auth |
+| `"none"`           | None                  | Open endpoints, wrappers that handle their own auth |
 
-Array syntax (`allow: ["user", "secret"]`) accepts multiple auth methods — first match wins. An absent credential falls through to the next mode; a present-but-invalid JWT rejects the request (no silent downgrade). See [`docs/auth-modes.md`](docs/auth-modes.md).
+Array syntax (`auth: ["user", "secret"]`) accepts multiple auth methods — first match wins. An absent credential falls through to the next mode; a present-but-invalid JWT rejects the request (no silent downgrade). See [`docs/auth-modes.md`](docs/auth-modes.md).
 
-Named key validation: `allow: "public:web_app"` or `allow: "secret:automations"` validates against a specific named key in `SUPABASE_PUBLISHABLE_KEYS` or `SUPABASE_SECRET_KEYS`.
+Named key validation: `auth: "publishable:web_app"` or `auth: "secret:automations"` validates against a specific named key in `SUPABASE_PUBLISHABLE_KEYS` or `SUPABASE_SECRET_KEYS`.
 
-> **Supabase Edge Functions:** By default, the platform requires a valid JWT on every request. If your function uses `allow: 'public'`, `allow: 'secret'`, or `allow: 'always'`, disable the platform-level JWT check in `supabase/config.toml`:
+> **Supabase Edge Functions:** By default, the platform requires a valid JWT on every request. If your function uses `auth: 'publishable'`, `auth: 'secret'`, or `auth: 'none'`, disable the platform-level JWT check in `supabase/config.toml`:
 >
 > ```toml
 > [functions.my-function]
@@ -187,13 +220,13 @@ interface SupabaseContext {
   supabase: SupabaseClient // RLS-scoped (user or anon depending on auth)
   supabaseAdmin: SupabaseClient // Bypasses RLS
   userClaims: UserClaims | null // JWT-derived identity (for full User, call supabase.auth.getUser())
-  claims: JWTClaims | null // Present when auth is JWT
-  authType: Allow // Which auth mode matched
-  authKeyName?: string | null // Auth key name of the API key that was used for this request
+  jwtClaims: JWTClaims | null // Present when auth is JWT
+  authMode: AuthMode // Which auth mode matched
+  authKeyName?: string // Auth key name of the API key that was used for this request (omitted for `'user'` / `'none'`)
 }
 ```
 
-`supabase` is always the safe client — it respects RLS. When `authType` is `"user"`, it's scoped to that user's permissions. Otherwise, it's initialized as anonymous.
+`supabase` is always the safe client — it respects RLS. When `authMode` is `"user"`, it's scoped to that user's permissions. Otherwise, it's initialized as anonymous.
 
 `supabaseAdmin` always bypasses RLS. Use it for operations that need full database access.
 
@@ -202,7 +235,7 @@ interface SupabaseContext {
 ```ts
 withSupabase(
   {
-    allow: 'user', // who can call this function
+    auth: 'user', // who can call this function
     cors: false, // disable CORS (default: supabase-js CORS headers)
     env: { url: '...' }, // env overrides (optional)
   },
@@ -215,7 +248,7 @@ withSupabase(
 ```ts
 withSupabase(
   {
-    allow: 'user',
+    auth: 'user',
     cors: {
       'Access-Control-Allow-Origin': 'https://myapp.com',
       'Access-Control-Allow-Headers': 'authorization, content-type',
@@ -229,6 +262,13 @@ withSupabase(
 
 ## Framework Adapters
 
+Adapters wrap `withSupabase` for a specific framework's middleware contract. **All adapters are community-maintained** — both Hono and H3 originated as community contributions. They live in this repo and ship with the core package, so a single `npm install @supabase/server` covers the framework you're using. See [`src/adapters/README.md`](src/adapters/README.md) for the maintenance model and the requirements for contributing a new adapter.
+
+| Framework | Import                           | Framework version | Docs                                           |
+| --------- | -------------------------------- | ----------------- | ---------------------------------------------- |
+| Hono      | `@supabase/server/adapters/hono` | `^4.0.0`          | [docs/adapters/hono.md](docs/adapters/hono.md) |
+| H3 / Nuxt | `@supabase/server/adapters/h3`   | `^2.0.0`          | [docs/adapters/h3.md](docs/adapters/h3.md)     |
+
 ### Hono
 
 ```ts
@@ -236,21 +276,12 @@ import { Hono } from 'hono'
 import { withSupabase } from '@supabase/server/adapters/hono'
 
 const app = new Hono()
-
-// Protected — withSupabase middleware validates the JWT before the handler runs
-app.get('/games', withSupabase({ allow: 'user' }), async (c) => {
-  const { supabase } = c.var.supabaseContext
-  const { data: myGames } = await supabase.from('favorite_games').select()
-  return c.json(myGames)
-})
-
-// Public — no middleware means no auth
-app.get('/health', (c) => c.json({ status: 'ok' }))
+app.use('*', withSupabase({ auth: 'user' }))
 
 export default { fetch: app.fetch }
 ```
 
-The adapter does not handle CORS — use `hono/cors` for that. Per-route auth works naturally by applying the middleware to specific routes.
+See [docs/adapters/hono.md](docs/adapters/hono.md) for per-route auth, CORS, error handling, and other patterns.
 
 ### H3 / Nuxt
 
@@ -259,48 +290,12 @@ import { H3 } from 'h3'
 import { withSupabase } from '@supabase/server/adapters/h3'
 
 const app = new H3()
-
-// Protected — withSupabase validates the JWT before the handler runs
-app.use(withSupabase({ allow: 'user' }))
-
-app.get('/games', async (event) => {
-  const { supabase } = event.context.supabaseContext
-  const { data: myGames } = await supabase.from('favorite_games').select()
-  return myGames
-})
-
-// Public — no middleware means no auth
-app.get('/health', () => ({ status: 'ok' }))
+app.use(withSupabase({ auth: 'user' }))
 
 export default { fetch: app.fetch }
 ```
 
-For **Nuxt**, use `defineHandler` for file routes:
-
-```ts
-// server/api/games.get.ts
-import { defineHandler } from 'h3'
-import { withSupabase } from '@supabase/server/adapters/h3'
-
-export default defineHandler({
-  middleware: [withSupabase({ allow: 'user' })],
-  handler: async (event) => {
-    const { supabase } = event.context.supabaseContext
-    return supabase.from('favorite_games').select()
-  },
-})
-```
-
-For app-wide auth, register it as a server middleware:
-
-```ts
-// server/middleware/supabase.ts
-import { withSupabase } from '@supabase/server/adapters/h3'
-
-export default withSupabase({ allow: 'user' })
-```
-
-The adapter does not handle CORS — use H3's CORS utilities for that.
+See [docs/adapters/h3.md](docs/adapters/h3.md) for per-route auth, Nuxt server-middleware patterns, CORS, and more.
 
 ## Primitives
 
@@ -318,10 +313,10 @@ import {
 
 ### verifyAuth
 
-Extracts credentials from a Request and validates against the allow config.
+Extracts credentials from a Request and validates against the auth config.
 
 ```ts
-const { data: auth, error } = await verifyAuth(req, { allow: 'user' })
+const { data: auth, error } = await verifyAuth(req, { auth: 'user' })
 if (error) {
   return Response.json({ message: error.message }, { status: error.status })
 }
@@ -333,8 +328,8 @@ Low-level — works with raw credentials instead of a Request. Used by SSR adapt
 
 ```ts
 const credentials = { token: myToken, apikey: null }
-const { data: auth, error } = await verifyCredentials(credentials, {
-  allow: 'user',
+const { data: result, error } = await verifyCredentials(credentials, {
+  auth: 'user',
 })
 ```
 
@@ -351,7 +346,7 @@ const adminClient = createAdminClient() // bypasses RLS entirely
 Full context assembly from a Request — `verifyAuth` + client creation in one call.
 
 ```ts
-const { data: ctx, error } = await createSupabaseContext(req, { allow: 'user' })
+const { data: ctx, error } = await createSupabaseContext(req, { auth: 'user' })
 ```
 
 ### resolveEnv
@@ -382,14 +377,14 @@ export default {
 
     // Protected — verify the JWT, then create a user-scoped client
     if (url.pathname === '/games') {
-      const { data: auth, error } = await verifyAuth(req, { allow: 'user' })
+      const { data: result, error } = await verifyAuth(req, { auth: 'user' })
       if (error)
         return Response.json(
           { message: error.message },
           { status: error.status },
         )
 
-      const userScopedClient = createContextClient(auth.token)
+      const userScopedClient = createContextClient(result.token)
       const { data: myGames } = await userScopedClient
         .from('favorite_games')
         .select()
@@ -430,7 +425,11 @@ For other environments, pass overrides via the `env` config option or `resolveEn
 - **Node.js** — use the [Hono adapter](#hono), [H3 adapter](#h3--nuxt), or [core primitives](#primitives) with your framework of choice.
 - **Cloudflare Workers** — enable `nodejs_compat` in `wrangler.toml` or pass env overrides via the `env` config option.
 - **Nuxt** — use the [H3 adapter](#h3--nuxt) directly as a server middleware.
-- **Next.js / SvelteKit / Remix** — use core primitives to build a cookie-based auth adapter. See [`docs/ssr-frameworks.md`](docs/ssr-frameworks.md).
+- **Next.js / SvelteKit / Remix** — compose with [`@supabase/ssr`](https://github.com/supabase/ssr): `@supabase/ssr` owns cookies + refresh-token rotation, `@supabase/server` adds verified claims and typed RLS / admin clients on top. See [`docs/ssr-frameworks.md`](docs/ssr-frameworks.md).
+
+### Does this replace `@supabase/ssr`?
+
+No. `@supabase/ssr` handles cookie-based session management for frameworks like Next.js and SvelteKit. `@supabase/server` handles stateless, header-based auth for Edge Functions, Workers, and other backend runtimes. The composable primitives already work in SSR environments but require more setup — see [`docs/ssr-frameworks.md`](docs/ssr-frameworks.md) for the Next.js example. The two packages coexist and are not replacements for each other. Deeper integration with `@supabase/ssr` is on the roadmap.
 
 ## Exports
 
@@ -443,17 +442,19 @@ For other environments, pass overrides via the `env` config option or `resolveEn
 
 ## Documentation
 
-| Question                                                 | Doc file                                                         |
-| -------------------------------------------------------- | ---------------------------------------------------------------- |
-| How do I create a basic endpoint?                        | [`docs/getting-started.md`](docs/getting-started.md)             |
-| What auth modes are available? Array syntax? Named keys? | [`docs/auth-modes.md`](docs/auth-modes.md)                       |
-| How do I use this with Hono?                             | [`docs/hono-adapter.md`](docs/hono-adapter.md)                   |
-| How do I use low-level primitives for custom flows?      | [`docs/core-primitives.md`](docs/core-primitives.md)             |
-| How do environment variables work across runtimes?       | [`docs/environment-variables.md`](docs/environment-variables.md) |
-| How do I handle errors? What codes exist?                | [`docs/error-handling.md`](docs/error-handling.md)               |
-| How do I get typed database queries?                     | [`docs/typescript-generics.md`](docs/typescript-generics.md)     |
-| How do I use this in Next.js, Nuxt, SvelteKit, or Remix? | [`docs/ssr-frameworks.md`](docs/ssr-frameworks.md)               |
-| What's the complete API surface?                         | [`docs/api-reference.md`](docs/api-reference.md)                 |
+| Question                                                            | Doc file                                                         |
+| ------------------------------------------------------------------- | ---------------------------------------------------------------- |
+| How do I create a basic endpoint?                                   | [`docs/getting-started.md`](docs/getting-started.md)             |
+| What auth modes are available? Array syntax? Named keys?            | [`docs/auth-modes.md`](docs/auth-modes.md)                       |
+| Which framework adapters exist? How do I contribute one?            | [`src/adapters/README.md`](src/adapters/README.md)               |
+| How do I use this with Hono?                                        | [`docs/adapters/hono.md`](docs/adapters/hono.md)                 |
+| How do I use this with H3 / Nuxt?                                   | [`docs/adapters/h3.md`](docs/adapters/h3.md)                     |
+| How do I use low-level primitives for custom flows?                 | [`docs/core-primitives.md`](docs/core-primitives.md)             |
+| How do environment variables work across runtimes?                  | [`docs/environment-variables.md`](docs/environment-variables.md) |
+| How do I handle errors? What codes exist?                           | [`docs/error-handling.md`](docs/error-handling.md)               |
+| How do I get typed database queries?                                | [`docs/typescript-generics.md`](docs/typescript-generics.md)     |
+| How do I use this with `@supabase/ssr` (Next.js, SvelteKit, Remix)? | [`docs/ssr-frameworks.md`](docs/ssr-frameworks.md)               |
+| What's the complete API surface?                                    | [`docs/api-reference.md`](docs/api-reference.md)                 |
 
 ## Development
 

package/dist/adapters/h3/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_create_supabase_context = require('../../create-supabase-context-C_8SbO5w.cjs');
+const require_create_supabase_context = require('../../create-supabase-context-B-2NDJhL.cjs');
 let h3 = require("h3");
 
 //#region src/adapters/h3/middleware.ts
@@ -18,7 +18,7 @@ let h3 = require("h3");
 * import { withSupabase } from '@supabase/server/adapters/h3'
 *
 * const app = new H3()
-* app.use(withSupabase({ allow: 'user' }))
+* app.use(withSupabase({ auth: 'user' }))
 *
 * app.get('/games', async (event) => {
 *   const { supabase } = event.context.supabaseContext
@@ -34,7 +34,7 @@ let h3 = require("h3");
 * import { withSupabase } from '@supabase/server/adapters/h3'
 *
 * export default defineHandler({
-*   middleware: [withSupabase({ allow: 'user' })],
+*   middleware: [withSupabase({ auth: 'user' })],
 *   handler: async (event) => {
 *     const { supabase } = event.context.supabaseContext
 *     return supabase.from('favorite_games').select()

package/dist/adapters/h3/index.d.cts

@@ -1,4 +1,4 @@
-import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-DqhOaSlC.cjs";
+import { d as SupabaseContext, m as WithSupabaseConfig } from "../../types-u7fYLtzC.cjs";
 import { Middleware } from "h3";
 
 //#region src/adapters/h3/middleware.d.ts
@@ -17,7 +17,7 @@ import { Middleware } from "h3";
  * import { withSupabase } from '@supabase/server/adapters/h3'
  *
  * const app = new H3()
- * app.use(withSupabase({ allow: 'user' }))
+ * app.use(withSupabase({ auth: 'user' }))
  *
  * app.get('/games', async (event) => {
  *   const { supabase } = event.context.supabaseContext
@@ -33,7 +33,7 @@ import { Middleware } from "h3";
  * import { withSupabase } from '@supabase/server/adapters/h3'
  *
  * export default defineHandler({
- *   middleware: [withSupabase({ allow: 'user' })],
+ *   middleware: [withSupabase({ auth: 'user' })],
  *   handler: async (event) => {
  *     const { supabase } = event.context.supabaseContext
  *     return supabase.from('favorite_games').select()

package/dist/adapters/h3/index.d.mts

@@ -1,4 +1,4 @@
-import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-DKe8uOwI.mjs";
+import { d as SupabaseContext, m as WithSupabaseConfig } from "../../types-B2yXZjmG.mjs";
 import { Middleware } from "h3";
 
 //#region src/adapters/h3/middleware.d.ts
@@ -17,7 +17,7 @@ import { Middleware } from "h3";
  * import { withSupabase } from '@supabase/server/adapters/h3'
  *
  * const app = new H3()
- * app.use(withSupabase({ allow: 'user' }))
+ * app.use(withSupabase({ auth: 'user' }))
  *
  * app.get('/games', async (event) => {
  *   const { supabase } = event.context.supabaseContext
@@ -33,7 +33,7 @@ import { Middleware } from "h3";
  * import { withSupabase } from '@supabase/server/adapters/h3'
  *
  * export default defineHandler({
- *   middleware: [withSupabase({ allow: 'user' })],
+ *   middleware: [withSupabase({ auth: 'user' })],
  *   handler: async (event) => {
  *     const { supabase } = event.context.supabaseContext
  *     return supabase.from('favorite_games').select()

package/dist/adapters/h3/index.mjs

@@ -1,4 +1,4 @@
-import { t as createSupabaseContext } from "../../create-supabase-context-DXD5rxi1.mjs";
+import { t as createSupabaseContext } from "../../create-supabase-context-BBZtr3D2.mjs";
 import { HTTPError, defineMiddleware } from "h3";
 
 //#region src/adapters/h3/middleware.ts
@@ -17,7 +17,7 @@ import { HTTPError, defineMiddleware } from "h3";
 * import { withSupabase } from '@supabase/server/adapters/h3'
 *
 * const app = new H3()
-* app.use(withSupabase({ allow: 'user' }))
+* app.use(withSupabase({ auth: 'user' }))
 *
 * app.get('/games', async (event) => {
 *   const { supabase } = event.context.supabaseContext
@@ -33,7 +33,7 @@ import { HTTPError, defineMiddleware } from "h3";
 * import { withSupabase } from '@supabase/server/adapters/h3'
 *
 * export default defineHandler({
-*   middleware: [withSupabase({ allow: 'user' })],
+*   middleware: [withSupabase({ auth: 'user' })],
 *   handler: async (event) => {
 *     const { supabase } = event.context.supabaseContext
 *     return supabase.from('favorite_games').select()

package/dist/adapters/hono/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_create_supabase_context = require('../../create-supabase-context-C_8SbO5w.cjs');
+const require_create_supabase_context = require('../../create-supabase-context-B-2NDJhL.cjs');
 let hono_http_exception = require("hono/http-exception");
 let hono_factory = require("hono/factory");
 
@@ -19,7 +19,7 @@ let hono_factory = require("hono/factory");
 * import { withSupabase } from '@supabase/server/adapters/hono'
 *
 * const app = new Hono()
-* app.use('*', withSupabase({ allow: 'user' }))
+* app.use('*', withSupabase({ auth: 'user' }))
 *
 * app.get('/profile', async (c) => {
 *   const { supabase } = c.var.supabaseContext

package/dist/adapters/hono/index.d.cts

@@ -1,4 +1,4 @@
-import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-DqhOaSlC.cjs";
+import { d as SupabaseContext, m as WithSupabaseConfig } from "../../types-u7fYLtzC.cjs";
 import { MiddlewareHandler } from "hono";
 
 //#region src/adapters/hono/middleware.d.ts
@@ -17,7 +17,7 @@ import { MiddlewareHandler } from "hono";
  * import { withSupabase } from '@supabase/server/adapters/hono'
  *
  * const app = new Hono()
- * app.use('*', withSupabase({ allow: 'user' }))
+ * app.use('*', withSupabase({ auth: 'user' }))
  *
  * app.get('/profile', async (c) => {
  *   const { supabase } = c.var.supabaseContext

package/dist/adapters/hono/index.d.mts

@@ -1,4 +1,4 @@
-import { f as WithSupabaseConfig, l as SupabaseContext } from "../../types-DKe8uOwI.mjs";
+import { d as SupabaseContext, m as WithSupabaseConfig } from "../../types-B2yXZjmG.mjs";
 import { MiddlewareHandler } from "hono";
 
 //#region src/adapters/hono/middleware.d.ts
@@ -17,7 +17,7 @@ import { MiddlewareHandler } from "hono";
  * import { withSupabase } from '@supabase/server/adapters/hono'
  *
  * const app = new Hono()
- * app.use('*', withSupabase({ allow: 'user' }))
+ * app.use('*', withSupabase({ auth: 'user' }))
  *
  * app.get('/profile', async (c) => {
  *   const { supabase } = c.var.supabaseContext

package/dist/adapters/hono/index.mjs

@@ -1,4 +1,4 @@
-import { t as createSupabaseContext } from "../../create-supabase-context-DXD5rxi1.mjs";
+import { t as createSupabaseContext } from "../../create-supabase-context-BBZtr3D2.mjs";
 import { HTTPException } from "hono/http-exception";
 import { createMiddleware } from "hono/factory";
 
@@ -18,7 +18,7 @@ import { createMiddleware } from "hono/factory";
 * import { withSupabase } from '@supabase/server/adapters/hono'
 *
 * const app = new Hono()
-* app.use('*', withSupabase({ allow: 'user' }))
+* app.use('*', withSupabase({ auth: 'user' }))
 *
 * app.get('/profile', async (c) => {
 *   const { supabase } = c.var.supabaseContext

package/dist/core/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_verify_auth = require('../verify-auth-C4zqDlfj.cjs');
+const require_verify_auth = require('../verify-auth-BKZK83Y8.cjs');
 
 exports.createAdminClient = require_verify_auth.createAdminClient;
 exports.createContextClient = require_verify_auth.createContextClient;

package/dist/core/index.d.cts

@@ -1,5 +1,5 @@
-import { a as CreateAdminClientOptions, i as ClientAuth, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, u as SupabaseEnv } from "../types-DqhOaSlC.cjs";
-import { i as EnvError, t as AuthError } from "../errors-Dyj5Cjt6.cjs";
+import { a as AuthResult, c as CreateContextClientOptions, f as SupabaseEnv, i as AuthModeWithKey, l as Credentials, o as ClientAuth, s as CreateAdminClientOptions } from "../types-u7fYLtzC.cjs";
+import { i as EnvError, t as AuthError } from "../errors-CZFEYnV_.cjs";
 import { SupabaseClient } from "@supabase/supabase-js";
 
 //#region src/core/resolve-env.d.ts
@@ -63,9 +63,17 @@ interface VerifyCredentialsOptions {
   /**
    * Auth mode(s) to try. Modes are attempted in order — the first match wins.
    *
-   * @see {@link AllowWithKey} for the full syntax including named keys.
+   * @see {@link AuthModeWithKey} for the full syntax including named keys.
+   *
+   * @defaultValue `"user"`
+   */
+  auth?: AuthModeWithKey | AuthModeWithKey[];
+  /**
+   * @deprecated Use {@link VerifyCredentialsOptions.auth} instead. Kept for
+   * backward compatibility; will be removed in a future major release. When
+   * both are provided, `auth` wins.
    */
-  allow: AllowWithKey | AllowWithKey[];
+  allow?: AuthModeWithKey | AuthModeWithKey[];
   /** Optional environment overrides (passed through to {@link resolveEnv}). */
   env?: Partial<SupabaseEnv>;
 }
@@ -86,7 +94,7 @@ interface VerifyCredentialsOptions {
  * ```ts
  * const credentials = extractCredentials(request)
  * const { data: auth, error } = await verifyCredentials(credentials, {
- *   allow: ['user', 'public'],
+ *   auth: ['user', 'publishable'],
  * })
  * if (error) {
  *   return Response.json({ message: error.message }, { status: error.status })
@@ -109,9 +117,17 @@ interface VerifyAuthOptions {
   /**
    * Auth mode(s) to try. Modes are attempted in order — the first match wins.
    *
-   * @see {@link AllowWithKey} for the full syntax including named keys.
+   * @see {@link AuthModeWithKey} for the full syntax including named keys.
+   *
+   * @defaultValue `"user"`
+   */
+  auth?: AuthModeWithKey | AuthModeWithKey[];
+  /**
+   * @deprecated Use {@link VerifyAuthOptions.auth} instead. Kept for backward
+   * compatibility; will be removed in a future major release. When both are
+   * provided, `auth` wins.
    */
-  allow: AllowWithKey | AllowWithKey[];
+  allow?: AuthModeWithKey | AuthModeWithKey[];
   /** Optional environment overrides (passed through to {@link resolveEnv}). */
   env?: Partial<SupabaseEnv>;
 }
@@ -134,7 +150,7 @@ interface VerifyAuthOptions {
  * import { verifyAuth } from '@supabase/server/core'
  *
  * const { data: auth, error } = await verifyAuth(request, {
- *   allow: 'user',
+ *   auth: 'user',
  * })
  *
  * if (error) {
@@ -163,7 +179,7 @@ declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promi
  *
  * @example
  * ```ts
- * const { data: auth } = await verifyAuth(request, { allow: 'user' })
+ * const { data: auth } = await verifyAuth(request, { auth: 'user' })
  * const supabase = createContextClient({
  *   auth: { token: auth.token, keyName: auth.keyName },
  * })