cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon supabase

Authorisation check fails in local edge functions with signing keys

Open holm opened this issue 3 months ago • 1 comments

Describe the bug I've switched to using the new signing keys using ES256, as that seemed to be the clear recommendation from documentation and the dashboard. However it seems this is not supported when running edge functions locally.

To Reproduce Steps to reproduce the behavior:

  1. Generate a local signing keys and reference it in config.tolm
  2. Invoke an edge function from your app
  3. See the stack trace from your local edge functions runtime and an error returned to the app

Expected behavior That the authorisation check should support JWTs created using the signing keys of ES256.

System information

   SERVICE IMAGE          | LOCAL                  | LINKED     
  ------------------------|------------------------|------------
   supabase/postgres      | 17.6.1.021             | 17.6.1.021 
   supabase/gotrue        | v2.180.0               | v2.182.1   
   postgrest/postgrest    | v13.0.5                | v13.0.5    
   supabase/realtime      | v2.63.0                | -          
   supabase/storage-api   | v1.29.0                | -          
   supabase/edge-runtime  | v1.69.23               | -          
   supabase/studio        | 2025.11.10-sha-5291fe3 | -          
   supabase/postgres-meta | v0.93.1                | -          
   supabase/logflare      | 1.25.3                 | -          
   supabase/supavisor     | 2.7.4                  | -

Additional context Stacktrace

2025-11-16T10:04:16.549620797Z Serving functions on http://127.0.0.1:54321/functions/v1/<function-name>
2025-11-16T10:04:16.549651506Z  - http://127.0.0.1:54321/functions/v1/generate-programme
2025-11-16T10:04:16.549653089Z Using supabase-edge-runtime-1.69.23 (compatible with Deno v2.1.4)
2025-11-16T10:04:22.609579300Z TypeError: Key for the ES256 algorithm must be of type CryptoKey. Received an instance of Uint8Array
2025-11-16T10:04:22.609705342Z     at asymmetricTypeCheck (https://deno.land/x/[email protected]/lib/check_key_type.ts:14:11)
2025-11-16T10:04:22.609713258Z     at checkKeyType (https://deno.land/x/[email protected]/lib/check_key_type.ts:39:5)
2025-11-16T10:04:22.609714592Z     at flattenedVerify (https://deno.land/x/[email protected]/jws/flattened/verify.ts:78:3)
2025-11-16T10:04:22.609715758Z     at compactVerify (https://deno.land/x/[email protected]/jws/compact/verify.ts:15:26)
2025-11-16T10:04:22.609716717Z     at Module.jwtVerify (https://deno.land/x/[email protected]/jwt/verify.ts:5:26)
2025-11-16T10:04:22.609717592Z     at verifyJWT (file:///var/tmp/sb-compile-edge-runtime/root/index.ts:95:16)
2025-11-16T10:04:22.609718550Z     at Object.handler (file:///var/tmp/sb-compile-edge-runtime/root/index.ts:125:34)
2025-11-16T10:04:22.609719508Z     at mapped (ext:runtime/http.js:231:42)
2025-11-16T10:04:22.609720550Z     at respond (ext:runtime/http.js:340:14)
2025-11-16T10:04:22.609721383Z     at handleHttp (ext:runtime/http.js:160:9)

holm avatar Nov 16 '25 10:11 holm

I have the same issue, this is possibly related? https://github.com/orgs/supabase/discussions/37885

alita-moore avatar Nov 29 '25 08:11 alita-moore

exactly the same. did a full fresh setup of my local db and docker install of supabase.

DevL0rd avatar Jan 27 '26 09:01 DevL0rd

Any updates here?

My workaround is adding this to the config.toml

[functions.award-exp]
verify_jwt = false

[functions.delete-account]
verify_jwt = false

[functions.increment-usage]
verify_jwt = false

chainmywallet avatar Feb 01 '26 07:02 chainmywallet