• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

supabase / supabase-flutter / 29584102933
87%

Build:
DEFAULT BRANCH: main
Ran 17 Jul 2026 01:31PM UTC
Jobs 9
Files 103
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

17 Jul 2026 01:28PM UTC coverage: 86.818% (+0.04%) from 86.783%
29584102933

push

github

web-flow
fix(functions): never send new-format API key as Bearer; warn on unrecognized sb_ key subtype (#1615)

## Summary

Parity with supabase-js and supabase-swift
([#1130](https://github.com/supabase/supabase-swift/pull/1130)) for the
new Supabase API key format (`sb_publishable_…` / `sb_secret_…`). These
keys are not JWTs and must never be sent as an `Authorization: Bearer`
token.

- **Functions never sends a new-format key as Bearer.** The
`Authorization: Bearer` header for Functions (and REST/Storage) is
injected per request by the shared `AuthHttpClient`. When no user
session exists it previously fell back to the API key, so a
`sb_publishable_`/`sb_secret_` key was sent as `Bearer …`, which the
Edge Functions runtime rejects. The Functions client now uses a
dedicated `AuthHttpClient` that omits the Bearer header for a new-format
key when there is no session. A genuine session JWT is still sent
normally.
- **Warn on unrecognized `sb_` subtypes.** `SupabaseClient` now warns
once per unrecognized `sb_`-prefixed key subtype at construction. It
never throws (the server, not the SDK, decides key validity) and never
logs the key value.

Scope matches the reference implementations: this affects Functions
only. Legacy JWT keys, REST, Storage, Auth, and Realtime are unchanged.

## Implementation notes

Unlike supabase-swift/js, supabase-flutter injects the Bearer token
through a **shared** `AuthHttpClient` used by REST, Functions, and
Storage, and `FunctionsClient.setAuth` is never wired up from
`SupabaseClient`. To keep the fix scoped to Functions, a separate
`AuthHttpClient` instance (`omitNewApiKeyAsBearer: true`) is created for
the Functions client instead of changing auth-state handling.

## Changes

- `packages/supabase/lib/src/api_key.dart` (new): `isNewApiKey`
classification and `warnOnUnrecognizedApiKey` warn-once helper.
- `packages/supabase/lib/src/auth_http_client.dart`:
`omitNewApiKeyAsBearer` flag suppressing the Bearer header for
new-format keys w... (continued)

21 of 21 new or added lines in 3 files covered. (100.0%)

5552 of 6395 relevant lines covered (86.82%)

3.92 hits per line

Jobs
ID Job ID Ran Files Coverage
8 supabase - 29584102933.8 17 Jul 2026 01:32PM UTC 17
83.2
GitHub Action Run
9 supabase_flutter - 29584102933.9 17 Jul 2026 01:31PM UTC 10
79.31
GitHub Action Run
3 postgrest - 29417623650.3 15 Jul 2026 01:06PM UTC 10
85.33
GitHub Action Run
7 functions_client - 29417623650.7 15 Jul 2026 01:04PM UTC 3
98.85
GitHub Action Run
9 realtime_client - 29563951630.9 17 Jul 2026 07:46AM UTC 11
90.11
GitHub Action Run
8 supabase_common - 29417623650.8 15 Jul 2026 01:04PM UTC 10
100.0
GitHub Action Run
9 yet_another_json_isolate - 29417623650.9 15 Jul 2026 01:04PM UTC 1
93.65
GitHub Action Run
5 gotrue - 29417623650.5 15 Jul 2026 01:07PM UTC 28
87.6
GitHub Action Run
2 storage_client - 29417623650.2 15 Jul 2026 01:06PM UTC 13
84.42
GitHub Action Run
Source Files on build 29584102933
  • Tree
  • List 103
  • Changed 3
  • Source Changed 3
  • Coverage Changed 3
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #29584102933
  • 1e5a379b on github
  • Prev Build on main (#29563951630)
  • Delete
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc