supabase/supabase-js

cannot authenticate supabase admin / service_role client with new api keys

Closed this issue · 4 comments

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Creating an admin client with the new api keys fails.

To Reproduce

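import { createClient } from '@supabase/supabase-js';

// Database is the project's generated types; email, password and metadata
// come from the calling code (not shown in the report).
async function createAdminClient() {
  return createClient<Database>(
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    // New-format secret key (sb_secret_...), not the legacy service_role JWT
    process.env.SUPABASE_SECRET_KEY,
    {
      auth: {
        autoRefreshToken: false,
        persistSession: false,
      },
    },
  );
}

const adminClient = await createAdminClient();
await adminClient.auth.admin.createUser({
  email,
  password,
  app_metadata: {
    ...metadata
  },
});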

Expected behavior

The user should be created.

Actual behavior

[next]     at async signup (src/lib/supabase/actions.ts:32:22)
[next]   30 |
[next]   31 |   try {
[next] > 32 |     const { error } = await supabase.auth.admin.createUser({
[next]      |                      ^
[next]   33 |       ...data,
[next]   34 |       app_metadata: {
[next]   35 |         email,
[next]   __isAuthError: true,
[next]   status: 403,
[next]   code: 'bad_jwt'
[next] }

System information

  • Version of supabase-js: 2.57.4

Additional context

I believe that something goes wrong here: https://github.com/supabase/supabase-js/blob/cd8173e5564d44bb0241b1fd9cb4743618d5a441/src/SupabaseClient.ts#L300C1-L308C4 where the api key is inserted as authorization header fallback. This worked before, because the service_role_key actually was a valid JWT, but with the new api keys this fails.
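The failure reported above comes down to key shape: the legacy service_role key is a three-segment JWT, while the new keys are opaque strings. As an added example (not code from supabase-js or from the posters), this preflight check classifies a key before it is handed to createClient; the function names are hypothetical and the `role` claim in the legacy payload is an assumption.

```javascript
// Added example, not supabase-js code. Classifies a key by shape without logging it.
// Prefixes come from the CLI output in this thread; the "role" claim in the
// legacy key's payload is an assumption.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null; // a JWT is header.payload.signature
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return payload !== null && typeof payload === 'object' ? payload : null;
  } catch {
    return null; // payload segment is not base64url-encoded JSON
  }
}

function classifyKey(key) {
  if (typeof key !== 'string' || key.length === 0) return { kind: 'missing', segments: 0 };
  const segments = key.split('.').length;
  if (key.startsWith('sb_secret_')) return { kind: 'opaque-secret', segments };
  if (key.startsWith('sb_publishable_')) return { kind: 'opaque-publishable', segments };
  const payload = decodeJwtPayload(key);
  if (payload) return { kind: 'legacy-jwt', segments, role: payload.role ?? null };
  return { kind: 'unknown', segments };
}

// Returns null when the key is a JWT carrying the service_role claim,
// otherwise a message that is safe to log (it never contains the key).
function adminKeyProblem(key) {
  const info = classifyKey(key);
  if (info.kind === 'legacy-jwt') {
    return info.role === 'service_role' ? null : `JWT has role "${info.role}", not service_role`;
  }
  if (info.kind === 'missing') return 'key is not set';
  return `${info.kind} key with ${info.segments} segment(s): not a JWT, so a backend ` +
    'that parses the Authorization header as a JWT will reject it';
}

// Constructed sample token: unsigned, for shape checks only.
function makeConstructedJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

console.log(adminKeyProblem('sb_secret_xxx'));
console.log(adminKeyProblem(makeConstructedJwt({ role: 'service_role' })));
```

Calling `adminKeyProblem(process.env.SUPABASE_SECRET_KEY)` at startup turns a later 403 `bad_jwt` into an immediate, readable message about which kind of key was configured.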

Same here, I am getting an error trying to create the client.

Supabase error: {
  code: 'PGRST301',
  details: null,
  hint: null,
  message: 'Expected 3 parts in JWT; got 1'
}

I just ran into this too. When spinning up Supabase locally through Supabase CLI, you don't actually get the anon and service key returned anymore. The stdout just provides you with the publishable and secret key (as shown below), and these seem to be unusable currently when using @supabase/supabase-js, making this quite a tedious issue as I was on my way to create a few admin scripts.

         API URL: xxx
     GraphQL URL: xxx
  S3 Storage URL: xxx
    Database URL: xxx
      Studio URL: xxx
     Mailpit URL: xxx
 Publishable key: sb_publishable_xxx
      Secret key: sb_secret_xxx

For anyone running into this, you should be able to get your service key out by running npx supabase status -o env. It outputs the environment vars from the supabase container into stdout, giving you the full service key which can be used.

Getting the same error for calling inviteUserByEmail:
Error: Failed to invite user: invalid JWT: unable to parse or verify signature, token is malformed: token contains an invalid number of segments

This has been resolved in the latest CLI release. The new publishable and secret keys can be used with the admin client.