
Changelog

New updates and product improvements

Here's everything that happened with Supabase in the last month:

Supabase Series F

Supabase has raised a $500M Series F at a $10B pre-money valuation. It’s led by GIC.

Read the blog →

Multigres 0.1 alpha released

Multigres is a scalable operating system for Postgres: it holistically manages your Postgres instances and gives you sharding, connection pooling, automatic failover, and backup orchestration. Multigres v0.1 alpha is an open-source-only release. Multigres for Supabase is coming soon.

Read the blog →

Passkey Sign-in for Supabase Auth

Users can now sign in with biometrics (Face ID, Touch ID, Windows Hello), a device PIN, or a hardware security key. Built on the WebAuthn standard, passkeys are passwordless and phishing-resistant. Supabase Auth stores only the public key for verification, while private key material stays on the user's device. Available to all projects in beta today.

Read the docs →

Supabase is now an official ChatGPT app

Connect your Supabase projects to ChatGPT and manage your database infrastructure conversationally. The integration includes 29 tools covering SQL execution, schema changes, branching, edge function deployment, and live logs, all without leaving ChatGPT. Works on all Supabase plans with paid ChatGPT plans (Plus, Pro, Team, Enterprise).

Read the blog →

Supabase Plugin for AI Coding Agents

A single install that gives your AI coding agent everything it needs to build on Supabase. The plugin bundles the Supabase MCP server and agent skills so your agent can query databases, manage migrations, deploy Edge Functions, and follow Supabase and Postgres best practices out of the box. Supports Claude Code, Cursor, Codex, and Gemini CLI.

Read the docs →

Feature preview: Temporary token-based database access

Grant developers direct database access using Personal Access Tokens; no passwords required. Project admins assign a specific database role and expiry window (up to 90 days) per user. Revoking project access immediately cuts database access too. Fully supported in branch projects, and available on Postgres 17+.

Join the GitHub discussion →

Quick Product Announcements

  • Guide to securing your app against npm supply-chain attacks. [Docs]
  • Supabase client libraries now support traces following the W3C standard, compatible with any compliant tracing SDK including OpenTelemetry, Sentry, Datadog, and Honeycomb. [Docs]
  • The Schema Visualizer now supports editing tables directly on the page, making it easier to design your database while viewing the full picture. [Twitter]
  • Long text columns can now be expanded in the sidebar to view full content, with support for rendering as Markdown. [Twitter]
  • The RLS Tester lets you run queries as another user, see which RLS policy took effect, and test via client libraries with AI-assisted SQL conversion. Enable it from the feature previews section in the dashboard. [Twitter]
  • Navigation keyboard shortcuts are available in the dashboard. Press cmd+k and open "Show all keyboard shortcuts" to see the full list. [Twitter]
  • pg-delta is a new schema-diffing engine built from scratch at Supabase to handle the full range of Postgres objects, including tables, columns, RLS policies, functions, triggers, indexes, and extensions. [Discussions]
  • Logs usage is now metered. Pro and Team plans include 5 GB ingest and 1,000 GB query per month, with overage at $0.50/GB and $0.002/GB, respectively. New organizations may move to the new pricing as early as June; existing organizations begin migrating July 1. [Docs]
  • Supabase is now available as a connector on Perplexity Computer. With Supabase as the persistent data layer, Computer can read from and write back to your Postgres tables, keeping state across runs without custom glue code. [Perplexity blog]

Meet the Supabase team

  • Webinar: From scattered tools to workflows that scale: Supabase + Perplexity Computer for Small Businesses. June 25 at 10:00 am PT. [Register]
  • Webinar: From shipped app to production-ready insight with Supabase + Hex Agent. July 8 at 9:00 am PT. [Register]
  • Hangout with the Supabase team during Casual Wednesdays on Discord at 10:00 am PT. [Join]
  • DASH by Datadog, June 9-10, New York [Register]
  • Figma Config 2026, June 23-25, San Francisco [Register]
  • Vercel Ship 26, June 30, New York [Register]

Made with Supabase

Join our Discord, showcase your app, and maybe you’ll get featured.

  • Gather is a simple way to stay connected with your family, friends, and activity groups. [Download]
  • 021 helps you make better product decisions with clarity, context, and conviction. [Sign up]
  • Nover is the unified visual generation suite that gives designers pixel-perfect precision over every render [Sign up]

Community Highlights

  • supabase-py has crossed 1 million downloads per day on PyPI. [Twitter]
  • A developer replaced two years of custom Okta token exchange logic with Supabase's custom OAuth/OIDC provider in 40 minutes. [Reddit]
  • The Multigres team used TLA+ to find a silent data-loss bug in pg_rewind that can leave a standby carrying phantom writes after two rapid failovers. The proposed fix embeds a UUIDv7 in each timeline history entry to distinguish independent promotions. [Blog]

For the past six months we've been tracking a steady increase in coordinated abuse of Supabase's free-tier email infrastructure. Bad actors were standing up free Supabase projects, rewriting the auth email templates with phishing content, and then triggering signup or password-reset flows against arbitrary email addresses to deliver those phishing emails from our SMTP infrastructure to people who had no relationship with Supabase.

We rolled out increasingly aggressive rate limits on outbound auth emails. We deployed keyword blocklists to catch the most common phishing payloads. We built automated detection that flagged suspicious template content and disabled offending projects. Each one was met with a workaround within days if not hours.

To our knowledge, Supabase was the only auth provider that offered both a hosted email service and fully customizable email templates on the free tier. Obviously, this combination is what made us a uniquely attractive target.

All of this is to say we tried hard to ship changes that wouldn't affect legitimate users. But the abusive accounts — while likely just a handful of individuals — given the scale of their abuse, were responsible for the bulk of spam leaving our infrastructure, and we've reached the point where the volume risks having our email server blacklisted entirely.

What's changing

Starting today, Wednesday, 3 June 2026, new free-tier projects using Supabase's default email provider will no longer be able to modify their auth email templates. The default templates — confirmation, password reset, magic link, etc. — will be used as-is.

Who's affected

Existing free-tier projects keep their current email templates exactly as they are. Nothing changes for projects created before 3 June 2026. Paid plans (Pro and above) are not affected. Template customization continues to work as it does today. Free-tier projects that configure their own SMTP provider can continue to customize templates freely. The restriction only applies when sending through Supabase's default SMTP.

If you're starting a new free-tier project and need branded auth emails, you can configure your own SMTP provider (Resend, Postmark, SendGrid, Amazon SES, etc.) in your project's auth settings — once enabled, you can customize your templates as before.

We're excited to announce the beta release of Passkeys for Supabase Auth — a passwordless, phishing-resistant credential built on the WebAuthn standard.

With passkeys, users sign in with biometrics (Face ID, Touch ID, Windows Hello), a device PIN, or a hardware security key. Supabase Auth stores the public key needed for verification; private key material remains managed by the user’s authenticator or credential provider.

How does it work?

Each passkey enrollment or sign-in is a WebAuthn ceremony with three steps:

  1. Options: the client requests a challenge from Supabase Auth.
  2. Ceremony: the browser invokes navigator.credentials.create() (register) or navigator.credentials.get() (sign in), prompting the user to approve with biometrics or a security key.
  3. Verify: the signed response is sent back to Supabase Auth, which validates the challenge and either stores the new credential or issues a session.

Supabase Auth uses discoverable credentials, so users don't need to type an email or username — the authenticator resolves the account from the credential it already stores.
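The checks a relying party makes on the client data in step 3, as an added example (not Supabase Auth's code or part of the original announcement). `verifyClientData`, the `expected` object and the sample values are hypothetical; a full verifier also checks the authenticator data and the signature, which are left out here.

```javascript
// Added example: clientDataJSON checks from the "Verify" step.
// verifyClientData is a hypothetical helper, not a Supabase API.
function verifyClientData(clientDataB64url, expected) {
  const json = Buffer.from(clientDataB64url, 'base64url').toString('utf8');
  const clientData = JSON.parse(json);
  // "webauthn.create" for registration, "webauthn.get" for sign-in.
  if (clientData.type !== expected.type) return 'wrong ceremony type';
  // The challenge must be one issued in step 1 and is consumed on first use.
  if (!expected.pendingChallenges.delete(clientData.challenge)) {
    return 'unknown or replayed challenge';
  }
  // The browser, not the page script, fills in the origin, so a
  // look-alike site cannot present itself as an allowed origin.
  if (!expected.origins.includes(clientData.origin)) return 'origin not allowed';
  if (clientData.crossOrigin === true) return 'cross-origin embedding';
  return 'ok';
}

// Constructed sample of what a browser returns after navigator.credentials.get().
function sampleClientData(origin, challenge) {
  const body = { type: 'webauthn.get', challenge, origin, crossOrigin: false };
  return Buffer.from(JSON.stringify(body)).toString('base64url');
}

function demo() {
  const expected = {
    type: 'webauthn.get',
    origins: ['https://example.com', 'https://app.example.com'],
    pendingChallenges: new Set(['c2FtcGxlLWNoYWxsZW5nZQ', 'b3RoZXI']),
  };
  const good = sampleClientData('https://example.com', 'c2FtcGxlLWNoYWxsZW5nZQ');
  const lookalike = sampleClientData('https://example.com.evil.test', 'b3RoZXI');
  return [
    verifyClientData(good, expected),      // first use of the challenge
    verifyClientData(good, expected),      // same response sent again
    verifyClientData(lookalike, expected), // response produced on another origin
  ];
}
console.log(demo());
```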

Enable passkeys in the Dashboard

Open Authentication → Passkeys in the Dashboard, toggle on Enable Passkey authentication, and fill in your WebAuthn relying party details:

  • Relying Party Display Name: human-readable name shown during the passkey prompt (e.g. "My App").
  • Relying Party ID: your bare domain (e.g. example.com). No scheme, port, or path.
  • Relying Party Origins: up to 5 allowed origins (e.g. https://example.com,https://app.example.com).

The Dashboard pre-fills these from your project's Site URL and project name.
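A lint for the relying-party settings above, as an added example that is not part of the original announcement or a Supabase API. `checkRelyingParty` is a hypothetical helper; it covers web origins only, assumes `http://localhost` is acceptable for local development, and applies the WebAuthn rule that the RP ID must equal the origin's host or be a parent domain of it.

```javascript
// Added example: check WebAuthn relying-party settings before saving them.
// checkRelyingParty and its messages are hypothetical, not a Supabase API.
const MAX_ORIGINS = 5; // limit stated on this page

function checkRelyingParty(rpId, originsCsv) {
  const problems = [];
  // RP ID must be a bare domain: no scheme, port, path or userinfo.
  if (!rpId || /[:\/@\s]/.test(rpId)) {
    problems.push(`RP ID "${rpId}" is not a bare domain`);
  }
  const origins = originsCsv.split(',').map((o) => o.trim()).filter(Boolean);
  if (origins.length === 0) problems.push('no origins configured');
  if (origins.length > MAX_ORIGINS) {
    problems.push(`${origins.length} origins configured, limit is ${MAX_ORIGINS}`);
  }
  for (const origin of origins) {
    let url;
    try {
      url = new URL(origin);
    } catch {
      problems.push(`${origin}: not a valid URL`);
      continue;
    }
    // An origin is scheme + host + optional port, with no path or slash.
    if (url.origin !== origin) {
      problems.push(`${origin}: must be exactly scheme://host[:port]`);
    }
    if (url.protocol !== 'https:' && url.hostname !== 'localhost') {
      problems.push(`${origin}: WebAuthn needs a secure context (https)`);
    }
    // Suffix match on a label boundary, so "notexample.com" and
    // "example.com.evil.test" do not pass for RP ID "example.com".
    const host = url.hostname;
    if (host !== rpId && !host.endsWith('.' + rpId)) {
      problems.push(`${origin}: host is outside RP ID "${rpId}"`);
    }
  }
  return problems;
}

// Constructed sample settings.
console.log(checkRelyingParty('example.com', 'https://example.com,https://app.example.com'));
console.log(checkRelyingParty('https://example.com/', 'https://example.com.evil.test'));
```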

Passkeys can also be configured via the CLI and the Management API.

Use it from your app

[!NOTE] The Passkeys API is currently experimental and requires an explicit opt-in as the API may change without notice during the beta phase.

Opt in to the experimental API when creating the client:


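```javascript
import { createClient } from '@supabase/supabase-js'

// supabaseUrl and supabasePublishableKey are your project's URL and publishable key
const supabase = createClient(supabaseUrl, supabasePublishableKey, {
  auth: {
    // Opt in to the experimental Passkeys API
    experimental: { passkey: true },
  },
})
```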

Register a passkey for an authenticated user — typically from a security settings page or right after sign-up:


```javascript
const { data, error } = await supabase.auth.registerPasskey()
// data: { id, friendly_name, created_at }
```

Sign in with a passkey — no email or phone needed upfront; the authenticator picks the account:


```javascript
const { data, error } = await supabase.auth.signInWithPasskey()
// data.session and data.user are set; a SIGNED_IN event is dispatched
```

Manage passkeys — list, rename, and delete from the current user's account:


```javascript
// List the current user's passkeys
const { data: passkeys } = await supabase.auth.passkey.list()

// Rename one
await supabase.auth.passkey.update({
  passkeyId: passkeys[0].id,
  friendlyName: 'Work laptop',
})

// Delete one
await supabase.auth.passkey.delete({ passkeyId: passkeys[0].id })
```

What we'd like to know from you

  • Any bugs or rough edges you hit during passkey registration or sign-in flows.
  • Friction when configuring the relying-party settings in the Dashboard, CLI, or Management API.
  • Feedback on integrating passkeys in native or mobile flows.
  • Suggestions for improving the API ergonomics or documentation.

Drop your feedback in this thread or open an issue.
