Environment Variables
Manage sensitive data securely across environments.
Default secrets
Edge Functions have access to these secrets by default:
- `SUPABASE_URL`: The API gateway for your Supabase project
- `SUPABASE_ANON_KEY`: The `anon` key for your Supabase API. This is safe to use in a browser when you have Row Level Security enabled
- `SUPABASE_SERVICE_ROLE_KEY`: The `service_role` key for your Supabase API. This is safe to use in Edge Functions, but it should NEVER be used in a browser. This key will bypass Row Level Security
- `SUPABASE_DB_URL`: The URL for your Postgres database. You can use this to connect directly to your database
In a hosted environment, functions have access to the following environment variables:
- `SB_REGION`: The region in which the function was invoked
- `SB_EXECUTION_ID`: A UUID of the function instance (isolate)
- `DENO_DEPLOYMENT_ID`: Version of the function code (`{project_ref}_{function_id}_{version}`)
Accessing environment variables
You can access environment variables using Deno's built-in handler, passing it the name of the environment variable you’d like to access.
```ts
Deno.env.get('NAME_OF_SECRET')
```

For example, in a function:

```ts
import { createClient } from 'npm:@supabase/supabase-js@2'

// For user-facing operations (respects RLS)
const supabase = createClient(
  Deno.env.get('SUPABASE_URL')!,
  Deno.env.get('SUPABASE_ANON_KEY')!
)

// For admin operations (bypasses RLS)
const supabaseAdmin = createClient(
  Deno.env.get('SUPABASE_URL')!,
  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
)
```

Local secrets
In development, you can load environment variables in two ways:
- Through an `.env` file placed at `supabase/functions/.env`, which is automatically loaded on `supabase start`
- Through the `--env-file` option for `supabase functions serve`. This allows you to use custom file names like `.env.local` to distinguish between different environments.

```bash
supabase functions serve --env-file .env.local
```

Never check your .env files into Git! Instead, add the path to this file to your .gitignore.

We can automatically access the secrets in our Edge Functions through Deno’s handler:

```ts
const secretKey = Deno.env.get('STRIPE_SECRET_KEY')
```

Now we can invoke our function locally. If you're using the default .env file at `supabase/functions/.env`, it's automatically loaded:

```bash
supabase functions serve hello-world
```

Or you can specify a custom .env file with the `--env-file` flag:

```bash
supabase functions serve hello-world --env-file .env.local
```

This is useful for managing different environments (development, staging, etc.).
Production secrets
You will also need to set secrets for your production Edge Functions. You can do this via the Dashboard or using the CLI.
Using the Dashboard:
- Visit the Edge Function Secrets Management page in your Dashboard.
- Add the Key and Value for your secret and press Save.
Note that you can paste multiple secrets at a time.
Using the CLI
You can create a .env file to help deploy your secrets to production:

```bash
# .env
STRIPE_SECRET_KEY=sk_live_...
```

Never check your .env files into Git! Instead, add the path to this file to your .gitignore.

You can push all the secrets from the .env file to your remote project using `supabase secrets set`. This makes the environment visible in the dashboard as well.

```bash
supabase secrets set --env-file .env
```

Alternatively, this command also allows you to set production secrets individually rather than storing them in a .env file.

```bash
supabase secrets set STRIPE_SECRET_KEY=sk_live_...
```

To see all the secrets which you have set remotely, you can use `supabase secrets list`:

```bash
supabase secrets list
```

You don't need to re-deploy after setting your secrets. They're available immediately in your functions.
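
Local secrets come from a .env file and production secrets from the Dashboard or `supabase secrets set`, so a name set in one place can be absent in the other; `Deno.env.get` then returns `undefined`, and the `!` assertions in the earlier snippet hide that from the type checker. The following is an added example, not code from the Supabase documentation: the helpers `missingSecrets` and `requireSecrets` and the sample environment are hypothetical, and they check every needed name up front and report missing names without printing values.

```typescript
// Added example, not Supabase's own code. `requireSecrets`, `missingSecrets`
// and the sample environment below are hypothetical names for illustration.
type EnvGetter = (name: string) => string | undefined

// Inside an Edge Function this resolves to Deno.env.get; outside Deno it
// returns undefined, so tests can inject their own getter instead.
const denoEnv: EnvGetter = (name) => (globalThis as any).Deno?.env?.get(name)

// Names that are unset or blank. A blank value (for example from an empty
// assignment in a .env file) is treated as missing.
function missingSecrets(names: readonly string[], getEnv: EnvGetter = denoEnv): string[] {
  return names.filter((name) => {
    const value = getEnv(name)
    return value === undefined || value.trim() === ''
  })
}

// Fail closed: return every requested secret or throw before any request
// is served. The error lists names only, never values.
function requireSecrets<K extends string>(
  names: readonly K[],
  getEnv: EnvGetter = denoEnv,
): Record<K, string> {
  const missing = missingSecrets(names, getEnv)
  if (missing.length > 0) {
    throw new Error(`Missing required secrets: ${missing.join(', ')}`)
  }
  const values = {} as Record<K, string>
  for (const name of names) values[name] = getEnv(name) as string
  return values
}

// Constructed sample: default Supabase secrets are present, but
// STRIPE_SECRET_KEY is blank, as if it was never set for this environment.
const sampleEnv: Record<string, string> = {
  SUPABASE_URL: 'https://project-ref.example.invalid',
  SUPABASE_ANON_KEY: 'constructed-anon-key',
  STRIPE_SECRET_KEY: '',
}
const sampleGetter: EnvGetter = (name) => sampleEnv[name]
```

Call `requireSecrets([...])` once at module load, outside the request handler, so a missing secret surfaces as a startup error rather than as a failed request later.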