Home

Managing Secrets and Environment Variables

It's common that you will need to use sensitive information or environment-specific variables inside your Edge Functions. You can access these using Deno's built-in handler


_10
Deno.env.get(MY_SECRET_NAME)

Local Development#

When developing functions locally, you will be able to load environment variables in two ways:

  1. Through a default .env file placed at supabase/functions/.env, which will get loaded on supabase start
  2. Through the --env-file option for supabase functions serve, for example: supabase functions serve --env-file ./path/to/.env-file

To perform a one-time setup of your local development secrets, use the first option to create the .env file that will apply to all functions.

Default secrets#

By default, Edge Functions have access to these secrets:

  • SUPABASE_URL: The API gateway for your Supabase project.
  • SUPABASE_ANON_KEY: The anon key for your Supabase API. This is safe to use in a browser when you have Row Level Security enabled.
  • SUPABASE_SERVICE_ROLE_KEY: The service_role key for your Supabase API. This is safe to use in Edge Functions, but it should NEVER be used in a browser. This key will bypass Row Level Security.
  • SUPABASE_DB_URL: The URL for your PostgreSQL database. You can use this to connect directly to your database.

Local secrets#

Let's create a local file for storing our secrets, and inside it we can store a secret MY_NAME:


_10
echo "MY_NAME=Yoda" >> ./supabase/.env.local

This creates a new file ./supabase/.env.local for storing your local development secrets.

caution

Never check your .env files into Git!

Now let's access this environment variable MY_NAME inside our Function. Anywhere in your function, add this line:


_10
console.log(Deno.env.get('MY_NAME'))

Now we can invoke our function locally, by serving it with our new .env.local file:


_10
supabase functions serve --env-file ./supabase/.env.local

When the function starts you should see the name “Yoda” output to the terminal.

Production secrets#

Let's create a .env for production. In this case we'll just use the same as our local secrets:


_10
cp ./supabase/.env.local ./supabase/.env

This creates a new file ./supabase/.env for storing your production secrets.

caution

Never check your .env files into Git!

Let's push all the secrets from the .env file to our remote project using supabase secrets set:


_10
supabase secrets set --env-file ./supabase/.env
_10
_10
# You can also set secrets individually using:
_10
supabase secrets set MY_NAME=Chewbacca

You don't need to re-deploy after setting your secrets.

To see all the secrets which you have set remotely, use supabase secrets list:


_10
supabase secrets list

© Supabase IncContributingAuthor StyleguideOpen SourceSupaSquad