@supabase/server 0.2.0 → 1.0.0

package/dist/core/index.d.mts

@@ -1,5 +1,5 @@
-import { a as CreateAdminClientOptions, i as ClientAuth, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, u as SupabaseEnv } from "../types-DKe8uOwI.mjs";
-import { i as EnvError, t as AuthError } from "../errors-m42mkqhD.mjs";
+import { a as AuthResult, c as CreateContextClientOptions, f as SupabaseEnv, i as AuthModeWithKey, l as Credentials, o as ClientAuth, s as CreateAdminClientOptions } from "../types-B2yXZjmG.mjs";
+import { i as EnvError, t as AuthError } from "../errors-0dbzn5gA.mjs";
 import { SupabaseClient } from "@supabase/supabase-js";
 
 //#region src/core/resolve-env.d.ts
@@ -63,9 +63,17 @@ interface VerifyCredentialsOptions {
   /**
    * Auth mode(s) to try. Modes are attempted in order — the first match wins.
    *
-   * @see {@link AllowWithKey} for the full syntax including named keys.
+   * @see {@link AuthModeWithKey} for the full syntax including named keys.
+   *
+   * @defaultValue `"user"`
+   */
+  auth?: AuthModeWithKey | AuthModeWithKey[];
+  /**
+   * @deprecated Use {@link VerifyCredentialsOptions.auth} instead. Kept for
+   * backward compatibility; will be removed in a future major release. When
+   * both are provided, `auth` wins.
    */
-  allow: AllowWithKey | AllowWithKey[];
+  allow?: AuthModeWithKey | AuthModeWithKey[];
   /** Optional environment overrides (passed through to {@link resolveEnv}). */
   env?: Partial<SupabaseEnv>;
 }
@@ -86,7 +94,7 @@ interface VerifyCredentialsOptions {
  * ```ts
  * const credentials = extractCredentials(request)
  * const { data: auth, error } = await verifyCredentials(credentials, {
- *   allow: ['user', 'public'],
+ *   auth: ['user', 'publishable'],
  * })
  * if (error) {
  *   return Response.json({ message: error.message }, { status: error.status })
@@ -109,9 +117,17 @@ interface VerifyAuthOptions {
   /**
    * Auth mode(s) to try. Modes are attempted in order — the first match wins.
    *
-   * @see {@link AllowWithKey} for the full syntax including named keys.
+   * @see {@link AuthModeWithKey} for the full syntax including named keys.
+   *
+   * @defaultValue `"user"`
+   */
+  auth?: AuthModeWithKey | AuthModeWithKey[];
+  /**
+   * @deprecated Use {@link VerifyAuthOptions.auth} instead. Kept for backward
+   * compatibility; will be removed in a future major release. When both are
+   * provided, `auth` wins.
    */
-  allow: AllowWithKey | AllowWithKey[];
+  allow?: AuthModeWithKey | AuthModeWithKey[];
   /** Optional environment overrides (passed through to {@link resolveEnv}). */
   env?: Partial<SupabaseEnv>;
 }
@@ -134,7 +150,7 @@ interface VerifyAuthOptions {
  * import { verifyAuth } from '@supabase/server/core'
  *
  * const { data: auth, error } = await verifyAuth(request, {
- *   allow: 'user',
+ *   auth: 'user',
  * })
  *
  * if (error) {
@@ -163,7 +179,7 @@ declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promi
  *
  * @example
  * ```ts
- * const { data: auth } = await verifyAuth(request, { allow: 'user' })
+ * const { data: auth } = await verifyAuth(request, { auth: 'user' })
  * const supabase = createContextClient({
  *   auth: { token: auth.token, keyName: auth.keyName },
  * })

package/dist/core/index.mjs

@@ -1,3 +1,3 @@
-import { a as createAdminClient, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, t as verifyAuth } from "../verify-auth-CxFZy9rl.mjs";
+import { a as createAdminClient, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, t as verifyAuth } from "../verify-auth-CZQd36s0.mjs";
 
 export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/{create-supabase-context-C_8SbO5w.cjs → create-supabase-context-B-2NDJhL.cjs}

@@ -1,4 +1,4 @@
-const require_verify_auth = require('./verify-auth-C4zqDlfj.cjs');
+const require_verify_auth = require('./verify-auth-BKZK83Y8.cjs');
 
 //#region src/create-supabase-context.ts
 /**
@@ -14,7 +14,7 @@ const require_verify_auth = require('./verify-auth-C4zqDlfj.cjs');
 *
 * @example
 * ```ts
-* const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+* const { data: ctx, error } = await createSupabaseContext(request, { auth: 'user' })
 * if (error) {
 *   return Response.json({ message: error.message }, { status: error.status })
 * }
@@ -23,7 +23,8 @@ const require_verify_auth = require('./verify-auth-C4zqDlfj.cjs');
 */
 async function createSupabaseContext(request, options) {
 	const { data: auth, error } = await require_verify_auth.verifyAuth(request, {
-		allow: options?.allow ?? "user",
+		auth: options?.auth,
+		allow: options?.allow,
 		env: options?.env
 	});
 	if (error) return {
@@ -35,24 +36,24 @@ async function createSupabaseContext(request, options) {
 			env: options?.env,
 			supabaseOptions: options?.supabaseOptions
 		};
-		const publicKeyName = auth.authType === "public" ? auth.keyName : void 0;
+		const publishableKeyName = auth.authMode === "publishable" ? auth.keyName : void 0;
 		return {
 			data: {
 				supabase: require_verify_auth.createContextClient({
 					auth: {
 						token: auth.token,
-						keyName: publicKeyName
+						keyName: publishableKeyName
 					},
 					...config
 				}),
 				supabaseAdmin: require_verify_auth.createAdminClient({
-					auth: { keyName: auth.authType === "secret" ? auth.keyName : void 0 },
+					auth: { keyName: auth.authMode === "secret" ? auth.keyName : void 0 },
 					...config
 				}),
 				userClaims: auth.userClaims,
-				claims: auth.claims,
-				authType: auth.authType,
-				authKeyName: auth.keyName
+				jwtClaims: auth.jwtClaims,
+				authMode: auth.authMode,
+				authKeyName: auth.keyName ?? void 0
 			},
 			error: null
 		};

package/dist/{create-supabase-context-DXD5rxi1.mjs → create-supabase-context-BBZtr3D2.mjs}

@@ -1,4 +1,4 @@
-import { a as createAdminClient, f as Errors, i as createContextClient, l as CreateSupabaseClientError, s as AuthError, t as verifyAuth, u as EnvError } from "./verify-auth-CxFZy9rl.mjs";
+import { a as createAdminClient, f as Errors, i as createContextClient, l as CreateSupabaseClientError, s as AuthError, t as verifyAuth, u as EnvError } from "./verify-auth-CZQd36s0.mjs";
 
 //#region src/create-supabase-context.ts
 /**
@@ -14,7 +14,7 @@ import { a as createAdminClient, f as Errors, i as createContextClient, l as Cre
 *
 * @example
 * ```ts
-* const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+* const { data: ctx, error } = await createSupabaseContext(request, { auth: 'user' })
 * if (error) {
 *   return Response.json({ message: error.message }, { status: error.status })
 * }
@@ -23,7 +23,8 @@ import { a as createAdminClient, f as Errors, i as createContextClient, l as Cre
 */
 async function createSupabaseContext(request, options) {
 	const { data: auth, error } = await verifyAuth(request, {
-		allow: options?.allow ?? "user",
+		auth: options?.auth,
+		allow: options?.allow,
 		env: options?.env
 	});
 	if (error) return {
@@ -35,24 +36,24 @@ async function createSupabaseContext(request, options) {
 			env: options?.env,
 			supabaseOptions: options?.supabaseOptions
 		};
-		const publicKeyName = auth.authType === "public" ? auth.keyName : void 0;
+		const publishableKeyName = auth.authMode === "publishable" ? auth.keyName : void 0;
 		return {
 			data: {
 				supabase: createContextClient({
 					auth: {
 						token: auth.token,
-						keyName: publicKeyName
+						keyName: publishableKeyName
 					},
 					...config
 				}),
 				supabaseAdmin: createAdminClient({
-					auth: { keyName: auth.authType === "secret" ? auth.keyName : void 0 },
+					auth: { keyName: auth.authMode === "secret" ? auth.keyName : void 0 },
 					...config
 				}),
 				userClaims: auth.userClaims,
-				claims: auth.claims,
-				authType: auth.authType,
-				authKeyName: auth.keyName
+				jwtClaims: auth.jwtClaims,
+				authMode: auth.authMode,
+				authKeyName: auth.keyName ?? void 0
 			},
 			error: null
 		};

package/dist/{errors-Dyj5Cjt6.d.cts → errors-0dbzn5gA.d.mts}

@@ -53,7 +53,7 @@ declare const MissingDefaultSecretKeyError = "MISSING_DEFAULT_SECRET_KEY";
  * ```ts
  * import { AuthError, createSupabaseContext } from '@supabase/server'
  *
- * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * const { data: ctx, error } = await createSupabaseContext(request, { auth: 'user' })
  * if (error) {
  *   // error is an AuthError
  *   return Response.json(

package/dist/{errors-m42mkqhD.d.mts → errors-CZFEYnV_.d.cts}

@@ -53,7 +53,7 @@ declare const MissingDefaultSecretKeyError = "MISSING_DEFAULT_SECRET_KEY";
  * ```ts
  * import { AuthError, createSupabaseContext } from '@supabase/server'
  *
- * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * const { data: ctx, error } = await createSupabaseContext(request, { auth: 'user' })
  * if (error) {
  *   // error is an AuthError
  *   return Response.json(

package/dist/index.cjs

@@ -1,6 +1,6 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_verify_auth = require('./verify-auth-C4zqDlfj.cjs');
-const require_create_supabase_context = require('./create-supabase-context-C_8SbO5w.cjs');
+const require_verify_auth = require('./verify-auth-BKZK83Y8.cjs');
+const require_create_supabase_context = require('./create-supabase-context-B-2NDJhL.cjs');
 let _supabase_supabase_js_cors = require("@supabase/supabase-js/cors");
 
 //#region src/cors.ts
@@ -55,7 +55,7 @@ function addCorsHeaders(response, config) {
 * import { withSupabase } from '@supabase/server'
 *
 * export default {
-*   fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+*   fetch: withSupabase({ auth: 'user' }, async (req, ctx) => {
 *     const { data } = await ctx.supabase.rpc('get_my_profile')
 *     return Response.json(data)
 *   }),

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { a as CreateAdminClientOptions, c as JWTClaims, d as UserClaims, f as WithSupabaseConfig, i as ClientAuth, l as SupabaseContext, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, t as Allow, u as SupabaseEnv } from "./types-DqhOaSlC.cjs";
-import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as MissingSecretKeyError, f as MissingSupabaseURLError, i as EnvError, l as MissingDefaultSecretKeyError, n as AuthGenericError, o as Errors, r as CreateSupabaseClientError, s as InvalidCredentialsError, t as AuthError, u as MissingPublishableKeyError } from "./errors-Dyj5Cjt6.cjs";
+import { a as AuthResult, c as CreateContextClientOptions, d as SupabaseContext, f as SupabaseEnv, i as AuthModeWithKey, l as Credentials, m as WithSupabaseConfig, n as AllowWithKey, o as ClientAuth, p as UserClaims, r as AuthMode, s as CreateAdminClientOptions, t as Allow, u as JWTClaims } from "./types-u7fYLtzC.cjs";
+import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as MissingSecretKeyError, f as MissingSupabaseURLError, i as EnvError, l as MissingDefaultSecretKeyError, n as AuthGenericError, o as Errors, r as CreateSupabaseClientError, s as InvalidCredentialsError, t as AuthError, u as MissingPublishableKeyError } from "./errors-CZFEYnV_.cjs";
 
 //#region src/with-supabase.d.ts
 /**
@@ -18,7 +18,7 @@ import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as Miss
  * import { withSupabase } from '@supabase/server'
  *
  * export default {
- *   fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+ *   fetch: withSupabase({ auth: 'user' }, async (req, ctx) => {
  *     const { data } = await ctx.supabase.rpc('get_my_profile')
  *     return Response.json(data)
  *   }),
@@ -41,7 +41,7 @@ declare function withSupabase<Database = unknown>(config: WithSupabaseConfig, ha
  *
  * @example
  * ```ts
- * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * const { data: ctx, error } = await createSupabaseContext(request, { auth: 'user' })
  * if (error) {
  *   return Response.json({ message: error.message }, { status: error.status })
  * }
@@ -56,4 +56,4 @@ declare function createSupabaseContext<Database = unknown>(request: Request, opt
   error: AuthError;
 }>;
 //#endregion
-export { type Allow, type AllowWithKey, AuthError, AuthGenericError, type AuthResult, type ClientAuth, type CreateAdminClientOptions, type CreateContextClientOptions, CreateSupabaseClientError, type Credentials, EnvError, EnvGenericError, Errors, InvalidCredentialsError, type JWTClaims, MissingDefaultPublishableKeyError, MissingDefaultSecretKeyError, MissingPublishableKeyError, MissingSecretKeyError, MissingSupabaseURLError, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };
+export { type Allow, type AllowWithKey, AuthError, AuthGenericError, type AuthMode, type AuthModeWithKey, type AuthResult, type ClientAuth, type CreateAdminClientOptions, type CreateContextClientOptions, CreateSupabaseClientError, type Credentials, EnvError, EnvGenericError, Errors, InvalidCredentialsError, type JWTClaims, MissingDefaultPublishableKeyError, MissingDefaultSecretKeyError, MissingPublishableKeyError, MissingSecretKeyError, MissingSupabaseURLError, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { a as CreateAdminClientOptions, c as JWTClaims, d as UserClaims, f as WithSupabaseConfig, i as ClientAuth, l as SupabaseContext, n as AllowWithKey, o as CreateContextClientOptions, r as AuthResult, s as Credentials, t as Allow, u as SupabaseEnv } from "./types-DKe8uOwI.mjs";
-import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as MissingSecretKeyError, f as MissingSupabaseURLError, i as EnvError, l as MissingDefaultSecretKeyError, n as AuthGenericError, o as Errors, r as CreateSupabaseClientError, s as InvalidCredentialsError, t as AuthError, u as MissingPublishableKeyError } from "./errors-m42mkqhD.mjs";
+import { a as AuthResult, c as CreateContextClientOptions, d as SupabaseContext, f as SupabaseEnv, i as AuthModeWithKey, l as Credentials, m as WithSupabaseConfig, n as AllowWithKey, o as ClientAuth, p as UserClaims, r as AuthMode, s as CreateAdminClientOptions, t as Allow, u as JWTClaims } from "./types-B2yXZjmG.mjs";
+import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as MissingSecretKeyError, f as MissingSupabaseURLError, i as EnvError, l as MissingDefaultSecretKeyError, n as AuthGenericError, o as Errors, r as CreateSupabaseClientError, s as InvalidCredentialsError, t as AuthError, u as MissingPublishableKeyError } from "./errors-0dbzn5gA.mjs";
 
 //#region src/with-supabase.d.ts
 /**
@@ -18,7 +18,7 @@ import { a as EnvGenericError, c as MissingDefaultPublishableKeyError, d as Miss
  * import { withSupabase } from '@supabase/server'
  *
  * export default {
- *   fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+ *   fetch: withSupabase({ auth: 'user' }, async (req, ctx) => {
  *     const { data } = await ctx.supabase.rpc('get_my_profile')
  *     return Response.json(data)
  *   }),
@@ -41,7 +41,7 @@ declare function withSupabase<Database = unknown>(config: WithSupabaseConfig, ha
  *
  * @example
  * ```ts
- * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * const { data: ctx, error } = await createSupabaseContext(request, { auth: 'user' })
  * if (error) {
  *   return Response.json({ message: error.message }, { status: error.status })
  * }
@@ -56,4 +56,4 @@ declare function createSupabaseContext<Database = unknown>(request: Request, opt
   error: AuthError;
 }>;
 //#endregion
-export { type Allow, type AllowWithKey, AuthError, AuthGenericError, type AuthResult, type ClientAuth, type CreateAdminClientOptions, type CreateContextClientOptions, CreateSupabaseClientError, type Credentials, EnvError, EnvGenericError, Errors, InvalidCredentialsError, type JWTClaims, MissingDefaultPublishableKeyError, MissingDefaultSecretKeyError, MissingPublishableKeyError, MissingSecretKeyError, MissingSupabaseURLError, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };
+export { type Allow, type AllowWithKey, AuthError, AuthGenericError, type AuthMode, type AuthModeWithKey, type AuthResult, type ClientAuth, type CreateAdminClientOptions, type CreateContextClientOptions, CreateSupabaseClientError, type Credentials, EnvError, EnvGenericError, Errors, InvalidCredentialsError, type JWTClaims, MissingDefaultPublishableKeyError, MissingDefaultSecretKeyError, MissingPublishableKeyError, MissingSecretKeyError, MissingSupabaseURLError, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { _ as MissingSecretKeyError, c as AuthGenericError, d as EnvGenericError, f as Errors, g as MissingPublishableKeyError, h as MissingDefaultSecretKeyError, l as CreateSupabaseClientError, m as MissingDefaultPublishableKeyError, p as InvalidCredentialsError, s as AuthError, u as EnvError, v as MissingSupabaseURLError } from "./verify-auth-CxFZy9rl.mjs";
-import { t as createSupabaseContext } from "./create-supabase-context-DXD5rxi1.mjs";
+import { _ as MissingSecretKeyError, c as AuthGenericError, d as EnvGenericError, f as Errors, g as MissingPublishableKeyError, h as MissingDefaultSecretKeyError, l as CreateSupabaseClientError, m as MissingDefaultPublishableKeyError, p as InvalidCredentialsError, s as AuthError, u as EnvError, v as MissingSupabaseURLError } from "./verify-auth-CZQd36s0.mjs";
+import { t as createSupabaseContext } from "./create-supabase-context-BBZtr3D2.mjs";
 import { corsHeaders } from "@supabase/supabase-js/cors";
 
 //#region src/cors.ts
@@ -54,7 +54,7 @@ function addCorsHeaders(response, config) {
 * import { withSupabase } from '@supabase/server'
 *
 * export default {
-*   fetch: withSupabase({ allow: 'user' }, async (req, ctx) => {
+*   fetch: withSupabase({ auth: 'user' }, async (req, ctx) => {
 *     const { data } = await ctx.supabase.rpc('get_my_profile')
 *     return Response.json(data)
 *   }),

package/dist/{types-DKe8uOwI.d.mts → types-B2yXZjmG.d.mts}

@@ -4,44 +4,52 @@ import { SupabaseClient, SupabaseClientOptions } from "@supabase/supabase-js";
 /**
  * Authentication mode that determines what credentials a request must provide.
  *
- * - `"always"` — No credentials required. Every request is accepted.
- * - `"public"` — Requires a valid publishable key in the `apikey` header.
+ * - `"none"` — No credentials required. Every request is accepted.
+ * - `"publishable"` — Requires a valid publishable key in the `apikey` header.
  * - `"secret"` — Requires a valid secret key in the `apikey` header (timing-safe comparison).
  * - `"user"` — Requires a valid JWT in the `Authorization: Bearer <token>` header.
  *
  * @example
  * ```ts
  * // Single mode
- * withSupabase({ allow: 'user' }, handler)
+ * withSupabase({ auth: 'user' }, handler)
  *
  * // Multiple modes — the first match wins.
  * // A mode is tried only when its credential is present; a JWT that is
  * // present but fails verification rejects immediately rather than falling
  * // through to the next mode.
- * withSupabase({ allow: ['user', 'public'] }, handler)
+ * withSupabase({ auth: ['user', 'publishable'] }, handler)
  * ```
  */
-type Allow = 'always' | 'public' | 'secret' | 'user';
+type AuthMode = 'none' | 'publishable' | 'secret' | 'user';
+/**
+ * @deprecated Use {@link AuthMode} instead. Will be removed in a future major release.
+ */
+type Allow = AuthMode;
 /**
  * Extended auth mode that supports targeting a specific named key.
  *
- * Use the colon syntax (`"public:web_app"`) to require a specific named key
+ * Use the colon syntax (`"publishable:web_app"`) to require a specific named key
  * from the `SUPABASE_PUBLISHABLE_KEYS` or `SUPABASE_SECRET_KEYS` JSON object.
- * Use `"public:*"` or `"secret:*"` to accept any key in the set.
+ * Use `"publishable:*"` or `"secret:*"` to accept any key in the set.
  *
  * @example
  * ```ts
  * // Accept only the "mobile" publishable key
- * withSupabase({ allow: 'public:mobile' }, handler)
+ * withSupabase({ auth: 'publishable:mobile' }, handler)
  *
  * // Accept any secret key
- * withSupabase({ allow: 'secret:*' }, handler)
+ * withSupabase({ auth: 'secret:*' }, handler)
  *
  * // Mix named keys with other modes
- * withSupabase({ allow: ['user', 'public:web_app'] }, handler)
+ * withSupabase({ auth: ['user', 'publishable:web_app'] }, handler)
  * ```
  */
-type AllowWithKey = Allow | `public:${string}` | `secret:${string}`;
+type AuthModeWithKey = AuthMode | `publishable:${string}` | `secret:${string}`;
+/**
+ * @deprecated Use {@link AuthModeWithKey} instead. Will be removed in a future major release.
+ */
+type AllowWithKey = AuthModeWithKey;
 /**
  * Resolved Supabase environment configuration.
  *
@@ -104,13 +112,13 @@ interface Credentials {
  */
 interface AuthResult {
   /** The auth mode that was successfully matched. */
-  authType: Allow;
+  authMode: AuthMode;
   /** The verified JWT, or `null` for non-user auth modes. */
   token: string | null;
   /** Normalized user identity derived from the JWT, or `null` when no JWT is present. */
   userClaims: UserClaims | null;
   /** Raw JWT payload, or `null` when no JWT is present. */
-  claims: JWTClaims | null;
+  jwtClaims: JWTClaims | null;
   /** Name of the matched key (e.g. `"default"`, `"mobile"`), or `null` for `"user"` / `"always"` modes. */
   keyName?: string | null;
 }
@@ -170,16 +178,16 @@ interface UserClaims {
  * @example
  * ```ts
  * // Require authenticated users, auto-CORS enabled (default)
- * const config: WithSupabaseConfig = { allow: 'user' }
+ * const config: WithSupabaseConfig = { auth: 'user' }
  *
  * // Accept users or service-to-service calls, custom CORS headers
  * const config: WithSupabaseConfig = {
- *   allow: ['user', 'secret'],
+ *   auth: ['user', 'secret'],
  *   cors: { 'Access-Control-Allow-Origin': 'https://myapp.com' },
  * }
  *
  * // No auth required, CORS disabled
- * const config: WithSupabaseConfig = { allow: 'always', cors: false }
+ * const config: WithSupabaseConfig = { auth: 'none', cors: false }
  * ```
  */
 interface WithSupabaseConfig {
@@ -190,7 +198,13 @@ interface WithSupabaseConfig {
    *
    * @defaultValue `"user"`
    */
-  allow?: AllowWithKey | AllowWithKey[];
+  auth?: AuthModeWithKey | AuthModeWithKey[];
+  /**
+   * @deprecated Use {@link WithSupabaseConfig.auth} instead. The `allow` option
+   * is kept for backward compatibility and will be removed in a future major release.
+   * When both `auth` and `allow` are provided, `auth` takes precedence.
+   */
+  allow?: AuthModeWithKey | AuthModeWithKey[];
   /**
    * Override auto-detected environment variables. Useful for testing
    * or when running in environments without standard env var support.
@@ -218,7 +232,7 @@ interface WithSupabaseConfig {
    * @example
    * ```ts
    * withSupabase({
-   *   allow: 'user',
+   *   auth: 'user',
    *   supabaseOptions: { db: { schema: 'api' } },
    * }, handler)
    * ```
@@ -268,11 +282,14 @@ interface SupabaseContext<Database = unknown> {
   /** JWT-derived identity. For the full Supabase User object, call `supabase.auth.getUser()`. */
   userClaims: UserClaims | null;
   /** Raw JWT payload. `null` for non-user auth modes. */
-  claims: JWTClaims | null;
+  jwtClaims: JWTClaims | null;
   /** The auth mode that was used for this request. */
-  authType: Allow;
-  /** The auth key name of the API key that was used for this request. */
-  authKeyName?: string | null;
+  authMode: AuthMode;
+  /**
+   * The auth key name of the API key that was used for this request.
+   * Omitted for `'user'` and `'none'` modes, which don't match a named key.
+   */
+  authKeyName?: string;
 }
 //#endregion
-export { CreateAdminClientOptions as a, JWTClaims as c, UserClaims as d, WithSupabaseConfig as f, ClientAuth as i, SupabaseContext as l, AllowWithKey as n, CreateContextClientOptions as o, AuthResult as r, Credentials as s, Allow as t, SupabaseEnv as u };
+export { AuthResult as a, CreateContextClientOptions as c, SupabaseContext as d, SupabaseEnv as f, AuthModeWithKey as i, Credentials as l, WithSupabaseConfig as m, AllowWithKey as n, ClientAuth as o, UserClaims as p, AuthMode as r, CreateAdminClientOptions as s, Allow as t, JWTClaims as u };

package/dist/{types-DqhOaSlC.d.cts → types-u7fYLtzC.d.cts}

@@ -4,44 +4,52 @@ import { SupabaseClient, SupabaseClientOptions } from "@supabase/supabase-js";
 /**
  * Authentication mode that determines what credentials a request must provide.
  *
- * - `"always"` — No credentials required. Every request is accepted.
- * - `"public"` — Requires a valid publishable key in the `apikey` header.
+ * - `"none"` — No credentials required. Every request is accepted.
+ * - `"publishable"` — Requires a valid publishable key in the `apikey` header.
  * - `"secret"` — Requires a valid secret key in the `apikey` header (timing-safe comparison).
  * - `"user"` — Requires a valid JWT in the `Authorization: Bearer <token>` header.
  *
  * @example
  * ```ts
  * // Single mode
- * withSupabase({ allow: 'user' }, handler)
+ * withSupabase({ auth: 'user' }, handler)
  *
  * // Multiple modes — the first match wins.
  * // A mode is tried only when its credential is present; a JWT that is
  * // present but fails verification rejects immediately rather than falling
  * // through to the next mode.
- * withSupabase({ allow: ['user', 'public'] }, handler)
+ * withSupabase({ auth: ['user', 'publishable'] }, handler)
  * ```
  */
-type Allow = 'always' | 'public' | 'secret' | 'user';
+type AuthMode = 'none' | 'publishable' | 'secret' | 'user';
+/**
+ * @deprecated Use {@link AuthMode} instead. Will be removed in a future major release.
+ */
+type Allow = AuthMode;
 /**
  * Extended auth mode that supports targeting a specific named key.
  *
- * Use the colon syntax (`"public:web_app"`) to require a specific named key
+ * Use the colon syntax (`"publishable:web_app"`) to require a specific named key
  * from the `SUPABASE_PUBLISHABLE_KEYS` or `SUPABASE_SECRET_KEYS` JSON object.
- * Use `"public:*"` or `"secret:*"` to accept any key in the set.
+ * Use `"publishable:*"` or `"secret:*"` to accept any key in the set.
  *
  * @example
  * ```ts
  * // Accept only the "mobile" publishable key
- * withSupabase({ allow: 'public:mobile' }, handler)
+ * withSupabase({ auth: 'publishable:mobile' }, handler)
  *
  * // Accept any secret key
- * withSupabase({ allow: 'secret:*' }, handler)
+ * withSupabase({ auth: 'secret:*' }, handler)
  *
  * // Mix named keys with other modes
- * withSupabase({ allow: ['user', 'public:web_app'] }, handler)
+ * withSupabase({ auth: ['user', 'publishable:web_app'] }, handler)
  * ```
  */
-type AllowWithKey = Allow | `public:${string}` | `secret:${string}`;
+type AuthModeWithKey = AuthMode | `publishable:${string}` | `secret:${string}`;
+/**
+ * @deprecated Use {@link AuthModeWithKey} instead. Will be removed in a future major release.
+ */
+type AllowWithKey = AuthModeWithKey;
 /**
  * Resolved Supabase environment configuration.
  *
@@ -104,13 +112,13 @@ interface Credentials {
  */
 interface AuthResult {
   /** The auth mode that was successfully matched. */
-  authType: Allow;
+  authMode: AuthMode;
   /** The verified JWT, or `null` for non-user auth modes. */
   token: string | null;
   /** Normalized user identity derived from the JWT, or `null` when no JWT is present. */
   userClaims: UserClaims | null;
   /** Raw JWT payload, or `null` when no JWT is present. */
-  claims: JWTClaims | null;
+  jwtClaims: JWTClaims | null;
   /** Name of the matched key (e.g. `"default"`, `"mobile"`), or `null` for `"user"` / `"always"` modes. */
   keyName?: string | null;
 }
@@ -170,16 +178,16 @@ interface UserClaims {
  * @example
  * ```ts
  * // Require authenticated users, auto-CORS enabled (default)
- * const config: WithSupabaseConfig = { allow: 'user' }
+ * const config: WithSupabaseConfig = { auth: 'user' }
  *
  * // Accept users or service-to-service calls, custom CORS headers
  * const config: WithSupabaseConfig = {
- *   allow: ['user', 'secret'],
+ *   auth: ['user', 'secret'],
  *   cors: { 'Access-Control-Allow-Origin': 'https://myapp.com' },
  * }
  *
  * // No auth required, CORS disabled
- * const config: WithSupabaseConfig = { allow: 'always', cors: false }
+ * const config: WithSupabaseConfig = { auth: 'none', cors: false }
  * ```
  */
 interface WithSupabaseConfig {
@@ -190,7 +198,13 @@ interface WithSupabaseConfig {
    *
    * @defaultValue `"user"`
    */
-  allow?: AllowWithKey | AllowWithKey[];
+  auth?: AuthModeWithKey | AuthModeWithKey[];
+  /**
+   * @deprecated Use {@link WithSupabaseConfig.auth} instead. The `allow` option
+   * is kept for backward compatibility and will be removed in a future major release.
+   * When both `auth` and `allow` are provided, `auth` takes precedence.
+   */
+  allow?: AuthModeWithKey | AuthModeWithKey[];
   /**
    * Override auto-detected environment variables. Useful for testing
    * or when running in environments without standard env var support.
@@ -218,7 +232,7 @@ interface WithSupabaseConfig {
    * @example
    * ```ts
    * withSupabase({
-   *   allow: 'user',
+   *   auth: 'user',
    *   supabaseOptions: { db: { schema: 'api' } },
    * }, handler)
    * ```
@@ -268,11 +282,14 @@ interface SupabaseContext<Database = unknown> {
   /** JWT-derived identity. For the full Supabase User object, call `supabase.auth.getUser()`. */
   userClaims: UserClaims | null;
   /** Raw JWT payload. `null` for non-user auth modes. */
-  claims: JWTClaims | null;
+  jwtClaims: JWTClaims | null;
   /** The auth mode that was used for this request. */
-  authType: Allow;
-  /** The auth key name of the API key that was used for this request. */
-  authKeyName?: string | null;
+  authMode: AuthMode;
+  /**
+   * The auth key name of the API key that was used for this request.
+   * Omitted for `'user'` and `'none'` modes, which don't match a named key.
+   */
+  authKeyName?: string;
 }
 //#endregion
-export { CreateAdminClientOptions as a, JWTClaims as c, UserClaims as d, WithSupabaseConfig as f, ClientAuth as i, SupabaseContext as l, AllowWithKey as n, CreateContextClientOptions as o, AuthResult as r, Credentials as s, Allow as t, SupabaseEnv as u };
+export { AuthResult as a, CreateContextClientOptions as c, SupabaseContext as d, SupabaseEnv as f, AuthModeWithKey as i, Credentials as l, WithSupabaseConfig as m, AllowWithKey as n, ClientAuth as o, UserClaims as p, AuthMode as r, CreateAdminClientOptions as s, Allow as t, JWTClaims as u };