docs: clarify bare auth mode matches only the default key#104
Open
tomaspozo wants to merge 1 commit into
Open
Conversation
Bare `auth: 'publishable'` / `auth: 'secret'` match only the `default` key in SUPABASE_PUBLISHABLE_KEYS / SUPABASE_SECRET_KEYS. This was documented inconsistently — two spots wrongly claimed bare `secret` accepts any key, and most tables/TSDoc omitted the detail entirely. - Fix incorrect "accepts any secret key" statements in security.md and the supabase-server skill (bare = default; `secret:*` = any) - Name the `default` key directly in every auth-mode table (README, auth-modes.md, security.md, src/index.ts TSDoc) - Add the default-key sentence to the Secret mode section to match Publishable, and clarify AuthMode / AuthModeWithKey TSDoc in types.ts
commit: |
mandarini
reviewed
Jul 15, 2026
mandarini
left a comment
Collaborator
There was a problem hiding this comment.
LGTM overall. One small asymmetry that's still open, given the PR's own goal of reconciling the publishable/secret docs: in docs/auth-modes.md, the new sentence under Secret mode now calls out the wildcard
Use named key syntax to target a specific key or secret:* to accept any key (see below).
but the parallel sentence under Publishable mode (line 82, not touched by this PR) still doesn't mention publishable:*:
Use named key syntax to target a specific key (see below).
Since publishable:* is equally valid (per src/types.ts and docs/security.md), and this PR exists specifically to close this kind of gap, could we add the same wildcard callout there too? Non-blocking for sure.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Makes it explicit everywhere that bare
auth: 'publishable'/auth: 'secret'match only thedefaultkey inSUPABASE_PUBLISHABLE_KEYS/SUPABASE_SECRET_KEYS. To target another key usesecret:<name>; to accept any key use the wildcardsecret:*.Why
This behavior was documented inconsistently. Two spots were factually wrong — they claimed bare
secretaccepts any key — and most tables/TSDoc omitted the detail entirely, soauth: 'secret'reads as "any secret key" unless you dig into the logic (src/core/verify-credentials.ts,const name = keyName ?? 'default').Changes (docs/TSDoc only — no runtime change)
secretaccepts any key:docs/security.md,skills/supabase-server/SKILL.md.defaultkey in every auth-mode table:README.md,docs/auth-modes.md,docs/security.md,src/index.tsTSDoc.AuthMode/AuthModeWithKeyinsrc/types.tsnow state the bare form resolvesdefault.Verification
pnpm typecheckpasses.:*wildcard.🤖 Generated with Claude Code