Supabase

2.105.4 (2026-05-08)

🩹 Fixes

• auth: return null from getItemAsync on JSON parse failure (#2336)
• postgrest: restore non-Error abort detection in fetch catch (#2335)
• realtime: guard sessionStorage access in restricted-storage browsers (#2339)

Connect your Supabase projects to ChatGPT and manage your database infrastructure by telling ChatGPT what you need.

Here's everything that happened with Supabase in the last month:

Custom OAuth/OIDC providers for Supabase Auth

Connect any OAuth2 or OpenID Connect identity provider to your Supabase project, including GitHub Enterprise, regional IdPs, and any standards-compliant provider, with PKCE enabled by default.

[Blog]

New tables in the public schema are no longer auto-exposed to the Data API

Starting April 28, new Supabase projects can opt out of automatic Data API exposure for public schema tables. Explicit Postgres grants are now required to make a table reachable via PostgREST or GraphQL. This becomes the default for all new projects on May 30.

[GitHub Discussion]

Supabase is now ISO 27001 certified

Supabase is certified to ISO/IEC 27001:2022, covering the information security management system across the entire platform.

[Blog]

Stripe Sync Engine moves to Stripe

The Stripe Sync Engine, originally built by Supabase, is now part of the Stripe GitHub org. It is open source and maintained by Stripe going forward.

[Blog]

Supabase brand survey

Help shape the direction of Supabase. The brand survey takes a few minutes and closes soon.

[Take the survey]

@supabase/server

A new SDK that handles auth, client creation, CORS, and context injection across runtimes. Works on Edge Functions, Vercel Functions, Deno, Bun, and Cloudflare Workers.

[Blog] [Docs]

Quick Product Announcements

• The Supabase app in the Stripe Marketplace is now generally available. [Stripe Marketplace]
• Branching without Git is now the default. Create branches directly from the dashboard without a GitHub integration. [Blog]
• Data API settings revamped: new per-table and per-function toggles let you control which tables are exposed to PostgREST and GraphQL, with a default-privileges switch at project creation. [Docs]
• The Supabase changelog now has RSS feeds, tag filtering, and a .md feed, plus links to copy any entry as Markdown or ask Claude/ChatGPT. [Changelog]
• Wrappers v0.6.0 ships with a new OpenAPI FDW, Snowflake timeout support, Clerk CRUD, and several bug fixes. [GitHub] [Docs]
• Supabase Agent Skills: an open-source set of instructions that teach AI coding agents how to build on Supabase correctly. [Blog]
• Terraform Provider v1.9.0 adds Edge Functions resource, Edge Function secrets resource, and a network bans data source. [Docs]

Made with Supabase

• Replist: Track your repertoire, sharpen your practice, and connect with the musicians you play with. [Website]
• Grepture: Trace, evaluate, and protect every LLM call. Drop-in SDK. 80+ detection rules. [Website]
• Causo: Agents that connect you with best fit partners at VCs. [Website]
• Screenfully: An app demo creator on your phone. No need to connect to a Mac. [Website]
• Anamap: Cartos by Anamap is an AI agent that investigates your dashboards, site behavior, and code releases to find the root cause of metric drops in plain English. [Website]
• Crewform: Build your AI team with Crewform. Orchestrate specialized, autonomous agents to collaborate on complex tasks and connect outputs to your stack. [GitHub]

Community Highlights

• The Supabase GitHub repo hit 100K stars and 8 million developers. [Blog]
• Introducing the OSSCAR: An index of the fastest-growing open-source orgs. [Blog]
• The State of Startups 2026 survey is still open. [Survey]
• How I Scaled My NextJS + Supabase App to 25,000 Users [YouTube]
• Stop Building Custom Auth — Auth0 vs Supabase: One Saved Us 3 Months of Engineering Work [Blog]

Stateless auth, RLS-scoped clients, and CORS on the server, without the boilerplate.

Changelog

Bug fixes

• e4a7ace0226dfd7ee8886ebc550a4b5c476c047e: fix: mailer links regression (#5166) (@jgoux)

Others

• 893c2840996c7ec8cfaa38a2907b973a7859957c: chore: sync API types from infrastructure (#5160) (@supabase-cli-releaser[bot])
• 9da7facef2f648ef2a58b61731327c3ba2ce31af: fix (@7ttp)
• f6c1529132e6d3f5d397db6e2830771966133e4a: test (@7ttp)

Both Supabase Realtime and Supabase ETL read changes from your Postgres database using logical replication. But they solve very different problems. Here is how to pick the right one.

2.105.3 (2026-05-04)

🩹 Fixes

• auth: narrow OAuth/CustomProvider types to fix downstream consumer typecheck (#2326)

2.105.2 (2026-05-04)

🩹 Fixes

• auth: forward lockAcquireTimeout to SupabaseAuthClient (#2309)
• auth: add toJSON to WebAuthnError for correct JSON serialization (#2317)
• misc: widen enum-like unions with (string & {}) for forward compat (#2303)
• misc: reduce any usage across packages (#2314)
• postgrest: unify insert/upsert signatures (#2315)

❤️ Thank You

• Muzzaiyyan Hussain @MuzzaiyyanHussain

Changelog

Bug fixes

• b89a94567975321f9eb58a487825fb2a35f11188: fix: skip bucket seeding (#5158) (@7ttp)

Branching without Git is now the default for all Supabase projects.

Changelog

Others

• 0dc6a4755da01e01ab75f34b955ccc01904afe35: feat(pg-delta): enhance pg-delta version handling (#5154) (@avallete)

Changelog

Features

• 3f01508fd6ac3278470938108bef739b03f229ac: feat: emit Claude Code plugin hint from CLI (#5153) (@Rodriguespn)

Changelog

Features

• cd3c3d3fccb49eaac7e9541afda95acb7bb05541: feat: add SUPABASE_HOSTNAME env var to override local service host (#4947) (@kanaka)

Changelog

Bug fixes

• a11f261c5b5c350a12d931d48c8afeded31ef25c: fix(functions): set nofile ulimit for Edge Runtime container (#5152) (@wucm667)

Others

• 73148544d2b1e4e2536577c4ec5fa51a3e614a7d: Update Dockerfile (#5144) (@joshenlim)

Changelog

Bug fixes

• be971cd991e3eeeca8ca9f0d1a7d83f5a9ebf375: fix: encode auth external url explicitly (#5092) (@jgoux)

Others

• 7285baba6eb272f3d3b63756030353f424022279: chore: update codegen api (#5143) (@avallete)

2.189.0 (2026-04-23)

Features

• add PKCE support for /resend (#2401) (2af904a)
• improve parallelization in github workflows and Makefile (#2436) (9d0c4b3)
• passkeys: add CAPTCHA to options endpoint for authentication (#2416) (c7b58be)
• support live reloading of individual rate limits (#2469) (d03d796)

Bug Fixes

• ensure identities are returned in a consistent order across DB engines (#2465) (e49a3e5)
• ensure SSO providers tests are order-independent (#2466) (983ade6)
• exempt PKCE recovery sessions from require-current-password check (#2502) (7f88985)
• indexworker: skip index creation on OrioleDB (#2481) (dd56ae9)
• passkeys: modify the passkeys request and response shapes (#2475) (2d8f2b6)
• prevent reuse of flow state (#2483) (88dcb2d)
• return JSON response for unmatched routes instead of plain text (#2457) (7337e21)

Checksums

SHA1

auth-v2.189.0-arm64.tar.gz:

9bb215f5f58d8d7427fb624fb8fef9c88ed087e3

auth-v2.189.0-darwin-arm64.tar.gz:

61376c3b1acdaecd9d905d6a4451ca253f283e15

auth-v2.189.0-x86.tar.gz:

3d9c625505b504b9cddc2bec429a37000846f84d

auth-v2.189.0-arm64.tar.xz:

28dd64d897f49e681d19bd13ff1ff08291556ce5

SHA256

auth-v2.189.0-arm64.tar.gz:

7019493550fec34332dcdbb7ab39cb489def5a9e78e3491f43710496bef9e41f

auth-v2.189.0-darwin-arm64.tar.gz:

26fbe679486cf8e3bd3e3f5e7acb8009a7be0b0b8db5eb08281b7447a27babdf

auth-v2.189.0-x86.tar.gz:

5d077774a7e0614d39d17e67b31dc4e39895af9b20fd42a282c97b8f4d4b1db4

auth-v2.189.0-arm64.tar.xz:

0d2d6c0cdb9e4d2cf0b485327c9a3e403a8029a3434446320a2c24c97e461589

2.105.1 (2026-04-28)

🩹 Fixes

• postgrest: query reassignment regression (#2292)
• realtime: surface real Error on transport-level CHANNEL_ERROR (#2299)

❤️ Thank You

• Vaibhav @7ttp

Announcing the OSSCAR Index: a quarterly ranking of the fastest-growing open source organizations. The site, the data, and the scoring code are all open source.

2.105.0 (2026-04-27)

🚀 Features

• auth: add passkey support with WebAuthn registration, authentication, and management (#2283)
• realtime: Realtime deferred disconnect (#2282)

🩹 Fixes

• postgrest: narrow column types after not(column, is, null) (#2264)
• realtime: annotate Timer/Vsn getters to avoid deep phoenix imports (#2284)
• storage: apply metadata, headers, and cacheControl dedupe to uploadToSignedUrl (#2275)
• storage: forward duplex option for stream uploads via uploadToSignedUrl (#2289)

❤️ Thank You

• Katerina Skroumpelou @mandarini
• oniani1

Changelog

Bug fixes

• d7a05f56e516a7e1f9bf393cfabb8140fc611d43: fix(windows): json unmarshal errors in telemetry and pg-delta declarative sync (#5128) (@avallete)