supabase
feat: supabase public url
What kind of change does this PR introduce?
Feature - Enables local development and testing of OAuth-protected Edge Functions (like MCP servers).
What is the current behavior?
When building OAuth-protected Edge Functions locally, there are two issues:
-
No OAuth Protected Resource discovery: There's no way for OAuth clients to discover the authorization server for a protected Edge Function resource via the standard
/.well-known/oauth-protected-resourcepath. -
Internal Docker URLs exposed:
SUPABASE_URLis set tohttp://kong:8000(internal Docker network), which external OAuth clients cannot resolve. This breaks OAuth metadata responses that need client-facing URLs.
What is the new behavior?
1. OAuth Protected Resource Metadata Endpoint
Added Kong route that redirects:
/.well-known/oauth-protected-resource/functions/v1/<function-name>/*
→ /<function-name>/.well-known/oauth-protected-resource
This enables OAuth clients to discover the authorization server for any Edge Function per RFC 9728.
2. SUPABASE_PUBLIC_URL Environment Variable
Added a new environment variable passed to Edge Functions containing the external-facing URL (e.g., http://127.0.0.1:54321).
Edge Functions can use:
-
SUPABASE_URL→ for internal API calls (server-to-server within Docker) -
SUPABASE_PUBLIC_URL→ for client-facing URLs (OAuth metadata, redirects)
Example usage:
const supabaseUrl = Deno.env.get('SUPABASE_URL')! // Internal calls
const publicUrl = Deno.env.get('SUPABASE_PUBLIC_URL') ?? supabaseUrl // Client-facing
// OAuth metadata uses public URL
const resourceUrl = `${publicUrl}/functions/v1/${functionName}`
// Internal API calls use internal URL
const supabase = createClient(supabaseUrl, anonKey)
Production compatibility: In production, SUPABASE_PUBLIC_URL won't exist, so Edge Functions fall back to SUPABASE_URL (which is already the public URL).
Closes https://linear.app/supabase/issue/DEVWF-940/add-supabase-public-url-environment-variable-to-edge-functions
Related issue: https://linear.app/supabase/issue/AI-311/add-oauth-authentication-section-to-byom-one-pager-docs
Pull Request Test Coverage Report for Build 20369862521
Warning: This coverage report may be inaccurate.
This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
- For more information on this, see Tracking coverage changes with pull request builds.
- To avoid this issue with future PRs, see these Recommended CI Configurations.
- For a quick fix, rebase this PR at GitHub. Your next report should be accurate.
Details
- 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
- 68 unchanged lines in 6 files lost coverage.
- Overall coverage decreased (-0.2%) to 56.046%
| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| internal/gen/types/types.go | 1 | 97.53% |
| internal/gen/keys/keys.go | 5 | 12.9% |
| cmd/gen.go | 9 | 0.0% |
| internal/functions/new/new.go | 12 | 68.18% |
| cmd/init.go | 19 | 0.0% |
| internal/init/init.go | 22 | 78.9% |
| <!-- | Total: | 68 |
| Totals | |
|---|---|
| Change from base Build 20098526635: | -0.2% |
| Covered Lines: | 6813 |
| Relevant Lines: | 12156 |
