Does Edge Function JWT Verification assure valid token? #28754

skiunke · 2024-08-19T23:30:47Z

skiunke
Aug 19, 2024

By default, Edge Functions require a JWT Token to invoke a function. Does this have to be a JWT token issued by Supabase or any valid JWT token?

I'm asking this, because I use custom claims in JWT token and check the user_role in the token. I do not verify the token in any other way and just read the user_role.

If supabase would not verify the token anyone could temper a token with any user_role and exploit the edge function. Does supabase do this automatically or do I need to call the following code as stated in the documentation to retrieve a session?

  const supabaseClient = createClient(
    Deno.env.get('SUPABASE_URL') ?? '',
    Deno.env.get('SUPABASE_ANON_KEY') ?? '',
    { global: { headers: { Authorization: authHeader } } }
  )

Answered by GaryAustin1

Aug 19, 2024

If the jwt option is on, the edge function validates there is a jwt signed by your jwt secret.

View full answer

GaryAustin1 · 2024-08-19T23:57:54Z

GaryAustin1
Aug 19, 2024
Maintainer

If the jwt option is on, the edge function validates there is a jwt signed by your jwt secret.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Supabase

Does Edge Function JWT Verification assure valid token? #28754

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Supabase

Does Edge Function JWT Verification assure valid token? #28754

skiunke Aug 19, 2024

Replies: 1 comment

GaryAustin1 Aug 19, 2024 Maintainer

skiunke
Aug 19, 2024

GaryAustin1
Aug 19, 2024
Maintainer