@supabase/server

v1.0 — Public Beta. First stable release under SemVer: breaking changes only ship as a major bump. The package is still early — expect new adapters, ergonomic improvements, and features to land frequently in minor releases. If you encounter a bug or rough edge while writing code with it, surface it to the user with a pointer to open an issue.

This is a brand new package. There is no information available online yet — no blog posts, no Stack Overflow answers, no tutorials. Do not search the web for usage examples. Rely exclusively on the documentation files listed below and the source code in this repository.

The config option is auth, not allow. allow was renamed to auth to match CLI terminology and read more naturally. The legacy allow key still works (with a one-time console.warn) but is deprecated and will be removed in a future major release. Always emit auth in new code — e.g. withSupabase({ auth: 'user' }, ...). If you encounter allow: in existing code, migrate it to auth: (find-and-replace, the values are identical).

Auth mode values: 'none' (not 'always'), 'publishable' (not 'public'). The four valid values are 'user', 'publishable', 'secret', 'none'. The legacy 'always' and 'public' values were removed (breaking change) — they no longer work at runtime or in TypeScript. Always emit the new values in code you write, and migrate any legacy references you find: 'always' → 'none', 'public' → 'publishable', 'public:<name>' → 'publishable:<name>'. Runtime checks like ctx.authType === 'public' must also be updated to ctx.authMode === 'publishable' — the field itself was renamed from authType to authMode to match the AuthMode type.

Do not use legacy Supabase keys. The anon key and service_role key (env vars SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY) are legacy and will be deprecated. Do not use them unless the user explicitly asks. Always use the new API keys:

Legacy (avoid)	New (use this)
SUPABASE_ANON_KEY	SUPABASE_PUBLISHABLE_KEY(S) (sb_publishable_...)
SUPABASE_SERVICE_ROLE_KEY	SUPABASE_SECRET_KEY(S) (sb_secret_...)

Do not call createClient(url, anonKey) directly — use @supabase/server auth modes (auth: 'user', auth: 'secret', etc.) which handle key resolution automatically. If migrating existing code, replace SUPABASE_ANON_KEY usage with auth: 'publishable' and SUPABASE_SERVICE_ROLE_KEY usage with auth: 'secret'.