• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

supabase / supabase-flutter
87%

Build:
DEFAULT BRANCH: main
Repo Added 19 Jan 2025 06:54AM UTC
Token z3GUkNtD1PDnCOWpuPvCMvjUB924F4R9N regen
Build 1132 Last
Files 103
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH main
branch: main
CHANGE BRANCH
x
Reset
Sync Branches
  • main
  • chore-review-actions
  • chore/add-agents-md-file
  • chore/adopt-null-aware-elements
  • chore/avoid-passing-async-when-sync-expected
  • chore/await-futures-lint
  • chore/bump-actions-ref
  • chore/bump-app_links
  • chore/bump-melos-8.2.0
  • chore/bump-min-dart-3.9
  • chore/bump-min-sdk-3.4
  • chore/bump-supabase-flutter-min-flutter-3.32
  • chore/cleanup-dead-code-simplifications
  • chore/cleanup-readmes-headers-foreach
  • chore/code-reference
  • chore/coverage
  • chore/coverage-realtime
  • chore/coverage-source
  • chore/enable-avoid-default-tostring
  • chore/enable-avoid-self-compare
  • chore/enable-avoid-shadowing
  • chore/enable-correct-json-casts
  • chore/enable-dcm-dispose-class-fields
  • chore/enable-dcm-easy-batch
  • chore/enable-dcm-lints-tier1-2
  • chore/enable-fatal-infos
  • chore/enable-misused-test-matchers
  • chore/enable-nullable-rules
  • chore/enable-single-violation-rules
  • chore/enable-small-safe-batch
  • chore/fix-typos
  • chore/functions-coverage
  • chore/gotrue-coverage
  • chore/issue-form-platform-all
  • chore/issue-form-templates
  • chore/pub-workspaces-melos-8
  • chore/publish
  • chore/realtime-test-first-instead-of-index
  • chore/release
  • chore/remove-useless-tests
  • chore/rename-cond-platform-getters
  • chore/replace-parse-ignore-with-internal
  • chore/setup-release-please
  • chore/silence-supabase-flutter-test-logs
  • chore/speed-up-ci-pipeline
  • chore/storage-test-inferrable-type
  • chore/supabase-coverage
  • chore/test-coverage
  • chore/test-proper-matchers
  • chore/update-examples
  • chore/upgrade-app-links
  • chore/version-2.16.0
  • ci/drop-publish-dry-run
  • ci/extract-app-builds
  • ci/imgproxy
  • ci/melos-publish-no-dry-run
  • ci/melos-publish-oidc-token
  • ci/melos-publish-yes
  • ci/release-tag-app-token
  • ci/storage
  • claude/agitated-dewdney-0268b3
  • claude/frosty-snyder-1b2f48
  • claude/mystifying-cerf-7d866b
  • claude/naughty-wright-f4fec3
  • claude/recursing-williamson-f3d62d
  • cleanup/remove-parens-fromJson
  • copilot/sub-pr-1327
  • dcm-baseline
  • dcm-pipeline
  • docs/error-codes
  • docs/fix-infra-typo-license-20250902-024002
  • docs/google-signin
  • docs/on-auth-state-change-error-handler
  • docs/pub-dev-logo
  • docs/update-signinwithidtoken-providers-1259
  • etienne/sec-666-pin-all-github-actions-to-full-commit-sha
  • examples-passkeys
  • feat-admin-oauth-update-list-19ca1
  • feat/abort
  • feat/add-examples-project
  • feat/add-force-function-region-query-param
  • feat/broadcast-replay-support
  • feat/cupertino
  • feat/custom-metadata
  • feat/default-debug-off-in-tests
  • feat/facebook-sdk-example
  • feat/gotrue-get-claims
  • feat/gotrue-oauth-server-authorization-api
  • feat/gotrue-passkeys
  • feat/gotrue-sign-out-reason
  • feat/issue-1158-debug-instrumentation
  • feat/oauth-admin-endpoints
  • feat/passkey-ceremony-helpers
  • feat/phone-2fa
  • feat/phone-mfa
  • feat/postgrest-abort-requests
  • feat/private-stream
  • feat/realtime-explicit-rest-call
  • feat/semantic-release-automation
  • feat/signed-out-reason
  • feat/storage-download-query-params
  • feat/storage-vector-buckets
  • feat/stream-changes
  • feat/support-new-realtime-features
  • feat/workflow-improvements
  • feat/workflow-phase4-developer-experience
  • feat/workflow-phase5-additional-improvements
  • fix-getclaims-token-decoding
  • fix-private-only-stream-channel-10188984025532099214
  • fix-to-string
  • fix/align-platform-stats-casing
  • fix/app-links-method-removal
  • fix/assert-async-storage-constructor-1446
  • fix/ci-wasm-test-timeout
  • fix/dartio-usage
  • fix/deprecate
  • fix/empty-response
  • fix/flutter-3x-windows-cache
  • fix/functions-client-case-insensitive-header-check
  • fix/functions-drain-error-event-stream
  • fix/functions-exception
  • fix/functions-parse-nonjson-error
  • fix/gotrue-getclaims-asymmetric-jwt
  • fix/gotrue-mfa-aal-missing-amr
  • fix/gotrue-mfa-enroll-optional-issuer
  • fix/gotrue-shared-header-mutation
  • fix/gotrue-token-refresh-races
  • fix/gotrue-web
  • fix/immutable-default-headers
  • fix/new-api-key-format
  • fix/oauth_server_formatexception
  • fix/oauth_server_second_consent
  • fix/passkeys-require-resident-key-upstream-fix
  • fix/postgrest-escape-filter-array
  • fix/postgrest-limit-range-override
  • fix/postgrest-select-prefer-and-this-cleanup
  • fix/prefer-header-empty-string-leak
  • fix/proactive-token-refresh-on-resume
  • fix/realtime
  • fix/realtime-cancel-conn-subscription
  • fix/realtime-channel-suppress-invalid-jwt-on-rejoin
  • fix/realtime-connect-race-condition
  • fix/realtime-in-filter-escape
  • fix/realtime-ios-disconnect-detection
  • fix/realtime-ios-dropped-connection-detection
  • fix/realtime-lifecycle-queue
  • fix/realtime-message-empty-map
  • fix/realtime-null-int-conversion
  • fix/realtime-postgres-changes-system-error
  • fix/realtime-reconnect-after-disconnect
  • fix/recover-session-duplicate-auth-error
  • fix/recover-session-stale-refresh-token
  • fix/regression-test-1372-auth-retryable-fetch-exception
  • fix/release-tag-workflow
  • fix/review-bugs
  • fix/sdk-1278-drop-rxdart
  • fix/sdk-475-drop-jwt-decode
  • fix/sdk-compliance-workflow
  • fix/session-expires-at-doc-clarification
  • fix/setup-presence-flag
  • fix/storage-client-wasm-compat
  • fix/storage-encode-object-path
  • fix/storage-exception-status-code
  • fix/supabase-common-dcm-inferrable
  • fix/supabase-flutter-preserve-url-params
  • fix/toJson-print
  • fix/uppercase-http-method
  • fix/verify-otp-secure-email-change
  • fix/web-hot-restart
  • fix/web-oauth-code-cleanup
  • grdsdev-patch-1
  • grdsdev/align-dart-sdk-min-3-3-0
  • grdsdev/auth-token-refresh
  • grdsdev/automate-melos-release
  • grdsdev/check-swift-pr-958
  • grdsdev/docs-refreshtoken-completer
  • grdsdev/fix-postgrest-http-method-case
  • grdsdev/fix-release-workflow-failures
  • grdsdev/flutter-auth-refresh-bug
  • grdsdev/hartford-v1
  • grdsdev/log-auth-state-errors
  • grdsdev/postgrest-retry-flutter
  • grdsdev/resilient-decoding
  • grdsdev/retrigger-release-tagging
  • grdsdev/sdk-816-realtime-class-docs
  • grdsdev/share-yajson-isolate
  • grdsdev/storage-setheader
  • guilherme/ci
  • guilherme/clibs-108-supabase-flutter-change-default-heartbeat-interval-to-25s
  • guilherme/clibs-120-supabase-flutter-send-standard-client-headers-on-all
  • guilherme/clibs-171-supabase-flutter-validate-uuid-on-admin-methods
  • guilherme/clibs-282-supabase-flutter-implement-linkidentity-with-oidc
  • guilherme/clibs-287-supabase-flutter-storageretrycontroller-causes-cant-finalize
  • guilherme/clibs-294-supabase-flutter-remove-providers-check-for-the
  • guilherme/clibs-379-supabase-flutter-implement-maxaffected-method
  • guilherme/clibs-99-supabase-flutter-remove-jwt-check-and-send-x-client-info
  • guilherme/feat-test
  • guilherme/generate-app-token
  • guilherme/remove-trailing-commas-rule
  • guilherme/sdk-230-supabase-flutter-use-dedicated-storage-host-for-storage-lib
  • guilherme/sdk-514-refreshsession-shouldnt-fail-because-currentsession-doesnt
  • guilherme/sdk-524-duplicate-sdk-522-for-flutter
  • guilherme/sdk-531-flutter-verify-optional-refs-handling-in-message
  • guilherme/sdk-614-fix-verifyotp-parameter-validation-for-otptyperecovery
  • guilherme/sdk-624-apply-reusable-ci-workflows-to-supabase-flutter
  • guilherme/sdk-627-flutter-sdk-getclaims-crashes-on-first-use-with-asymmetric
  • guilherme/sdk-640-fixrealtime-flutter-web-hot-restart-throws-typeerror-on
  • guilherme/sdk-698-paritypostgrest-add-url-length-validation-and-timeout
  • guilherme/sdk-784-featauth-add-setsession-support-for-both-access_token-and
  • guilherme/sdk-789-fixstorage-_transformstorageurl-unconditionally-breaks
  • guilherme/sdk-794-oauth-provider-custom-string
  • iat/add-x-provider
  • idempotent_initialization
  • lukasklingsbo/sdk-1018-httpsend-per-event-url
  • lukasklingsbo/sdk-1020-parityauth-verifyotp-for-email_change-returns-null
  • lukasklingsbo/sdk-1023-parityauth-resend-with-pkce-flow-should-include
  • lukasklingsbo/sdk-1029-paritypostgrest-return-structured-error-for-non-json-body-on
  • lukasklingsbo/sdk-1032-parityauth-recognize-error-parameter-in-implicit-grant
  • lukasklingsbo/sdk-1054-consolidate-ci-into-a-single-workflow-and-stop-re-running
  • lukasklingsbo/sdk-1065-example-database-crud-with-postgrest
  • lukasklingsbo/sdk-1077-enable-tiny-dcm-rules
  • lukasklingsbo/sdk-1089-paritystorage-preserve-sortby-defaults-when-list-receives
  • lukasklingsbo/sdk-1102-supabase_flutter-full-web-and-wasm-compatibility
  • lukasklingsbo/sdk-1106-spike-smithytypespec-codegen-for-dartflutter-sdk-http-layer
  • lukasklingsbo/sdk-1165-parityauth-add-shouldsoftdelete-option-to-admin-deleteuser
  • lukasklingsbo/sdk-1166-paritystorage-add-download-content-disposition-option-to
  • lukasklingsbo/sdk-1167-paritystorage-add-upsert-option-to-createsigneduploadurl
  • lukasklingsbo/sdk-1168-paritypostgrest-add-format-option-to-explain
  • lukasklingsbo/sdk-1169-parityrealtime-add-onheartbeat-listener
  • lukasklingsbo/sdk-1173-parityauth-add-custom_claims_allowlist-to-custom-providers
  • lukasklingsbo/sdk-1246-clean-up-package-metadata-readmes-license-and-examples
  • lukasklingsbo/sdk-1258-parityfunctions-expose
  • lukasklingsbo/sdk-1260-parityauth-add-channel-parameter-smswhatsapp-to-mfachallenge
  • lukasklingsbo/sdk-1261-parityauth-expose-skipbrowserredirect-on-signinwithoauth
  • lukasklingsbo/sdk-1262-parityfunctions-add-timeout-option-to-invoke
  • lukasklingsbo/sdk-1272-parityclient-custom-session-url-detection-predicate-and
  • lukasklingsbo/sdk-1279-chore-bump-all-dependencies
  • lukasklingsbo/sdk-1283-modernize-dart-syntax-across-client-packages
  • lukasklingsbo/sdk-1284-convert-private-stream-builder-holder-classes-to-records
  • lukasklingsbo/sdk-1288-enable-strict-raw-types
  • lukasklingsbo/sdk-1290-clean-up-package-tests-remove-abbreviations-and-code-smells
  • lukasklingsbo/sdk-1308-analytics-bucket-crud
  • lukasklingsbo/sdk-1309-iceberg-catalog
  • lukasklingsbo/sdk-1310-featfunctions-request-cancellation-for-invoke-flutter-sdk
  • lukasklingsbo/sdk-583-realtime-protocol-200
  • lukasklingsbo/sdk-583-realtime-v3-renames
  • lukasklingsbo/sdk-875-storage-cache-nonce
  • lukasklingsbo/storage-download-stream
  • lukasklingsbo/storage-list-v2
  • null-check-operator-on-realtime-conn
  • refactor/bucket-oauth-dedupe
  • refactor/extract-supabase-common
  • refactor/gotrue-pkce-helper
  • refactor/inline-retry
  • refactor/realtime-broadcast-http
  • refactor/refresh-flow
  • refactor/storage-dedupe
  • refactor/storage-drop-http-parser
  • refactor/supabase-drop-rxdart
  • refs/pull/1110/merge
  • release-23586209249
  • release-26828784805
  • release-27010981394
  • release-27216676269
  • release-27629220657
  • release-28404096617
  • release-28444217699
  • release-28535891613
  • release-28651474608
  • release-28853636227
  • release-29417173135
  • release-please/bootstrap/default
  • remove-wasm-ci
  • revert-commit
  • shared_prefs_async
  • storage
  • test/improve-coverage-common-storage
  • test/supabase-cli-integration-tests
  • test/web
  • test/yet-another-json-isolate-coverage
  • unnecessary_current_user
  • upgrade-github-actions-node24
  • upgrade-github-actions-node24-general
  • web-wasm-guardrails
  • worktree-1496
  • worktree-899
  • worktree-SDK-1269
  • worktree-SDK-1270
  • worktree-SDK-1271
  • worktree-SDK-1273
  • worktree-SDK-1274
  • worktree-SDK-1275
  • worktree-SDK-1318
  • worktree-SDK-701
  • worktree-SDK-752
  • worktree-SDK-753
  • worktree-SDK-754
  • worktree-SDK-878
  • worktree-ci-release-tags
  • worktree-ci-simplify
  • worktree-ci-uppercase
  • worktree-deferred_disconnect
  • worktree-email-fix
  • worktree-enums
  • worktree-facebook-login-issue
  • worktree-fix-coverage
  • worktree-fix-tests
  • worktree-fix-versioning
  • worktree-flutter_lints
  • worktree-passkeys-interface-types
  • worktree-realtime-tests
  • worktree-sdk-1331
  • worktree-sdk-1332

17 Jul 2026 01:28PM UTC coverage: 86.818% (+0.04%) from 86.783%
29584102933

push

github

web-flow
fix(functions): never send new-format API key as Bearer; warn on unrecognized sb_ key subtype (#1615)

## Summary

Parity with supabase-js and supabase-swift
([#1130](https://github.com/supabase/supabase-swift/pull/1130)) for the
new Supabase API key format (`sb_publishable_…` / `sb_secret_…`). These
keys are not JWTs and must never be sent as an `Authorization: Bearer`
token.

- **Functions never sends a new-format key as Bearer.** The
`Authorization: Bearer` header for Functions (and REST/Storage) is
injected per request by the shared `AuthHttpClient`. When no user
session exists it previously fell back to the API key, so a
`sb_publishable_`/`sb_secret_` key was sent as `Bearer …`, which the
Edge Functions runtime rejects. The Functions client now uses a
dedicated `AuthHttpClient` that omits the Bearer header for a new-format
key when there is no session. A genuine session JWT is still sent
normally.
- **Warn on unrecognized `sb_` subtypes.** `SupabaseClient` now warns
once per unrecognized `sb_`-prefixed key subtype at construction. It
never throws (the server, not the SDK, decides key validity) and never
logs the key value.

Scope matches the reference implementations: this affects Functions
only. Legacy JWT keys, REST, Storage, Auth, and Realtime are unchanged.

## Implementation notes

Unlike supabase-swift/js, supabase-flutter injects the Bearer token
through a **shared** `AuthHttpClient` used by REST, Functions, and
Storage, and `FunctionsClient.setAuth` is never wired up from
`SupabaseClient`. To keep the fix scoped to Functions, a separate
`AuthHttpClient` instance (`omitNewApiKeyAsBearer: true`) is created for
the Functions client instead of changing auth-state handling.

## Changes

- `packages/supabase/lib/src/api_key.dart` (new): `isNewApiKey`
classification and `warnOnUnrecognizedApiKey` warn-once helper.
- `packages/supabase/lib/src/auth_http_client.dart`:
`omitNewApiKeyAsBearer` flag suppressing the Bearer header for
new-format keys w... (continued)

21 of 0 new or added lines in 0 files covered. (NaN%)

15 existing lines in 1 file now uncovered.

5552 of 6395 relevant lines covered (86.82%)

3.92 hits per line

Relevant lines Covered
Build:
Build:
6395 RELEVANT LINES 5552 COVERED LINES
3.92 HITS PER LINE
Source Files on main
  • Tree
  • List 103
  • Changed 3
  • Source Changed 3
  • Coverage Changed 3
Coverage ∆ File Lines Relevant Covered Missed Hits/Line

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
29584102933 main fix(functions): never send new-format API key as Bearer; warn on unrecognized sb_ key subtype (#1615) ## Summary Parity with supabase-js and supabase-swift ([#1130](https://github.com/supabase/supabase-swift/pull/1130)) for the new Supabase API ... push 17 Jul 2026 01:31PM UTC web-flow github
86.82
29563951630 main fix(realtime_client): stop throwing internally when converting null cell values (#1612) ## What kind of change does this PR introduce? Bug fix (internal exception noise; no observable behavior change). ## What is the current behavior? `convert... push 17 Jul 2026 07:44AM UTC web-flow github
86.78
29417623650 main chore(release): publish packages (#1605) Prepared all packages to be released to pub.dev Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> push 15 Jul 2026 01:04PM UTC web-flow github
86.79
29415982262 main feat(storage): add analytics (Iceberg) bucket CRUD (#1588) ## Summary Adds support for analytics (Apache Iceberg) buckets to `storage_client`, covering the bucket lifecycle: create, list, and delete. These map to the storage server's Iceberg buc... push 15 Jul 2026 12:39PM UTC web-flow github
86.79
29415634238 main feat(functions): add request cancellation to invoke via abortSignal (#1593) ## Summary Adds request cancellation to `FunctionsClient.invoke`, closing the gap versus the canonical compliance matrix. `invoke` now accepts an optional `abortSignal` ... push 15 Jul 2026 12:33PM UTC web-flow github
88.86
29413897983 main feat(auth): send PKCE code_challenge in updateUser when changing email (#1601) ## Summary Under the PKCE flow, `updateUser({ email })` now generates a PKCE code verifier and sends the corresponding `code_challenge` / `code_challenge_method` in t... push 15 Jul 2026 12:06PM UTC web-flow github
88.86
29408971089 main test: expand unit coverage for supabase_common and storage_client types (#1595) ## What Fills genuine, server-free unit coverage gaps found by measuring actual line coverage (`dart test --coverage` + `format_coverage`) across the self-contained ... push 15 Jul 2026 10:43AM UTC web-flow github
88.5
29336359764 main feat(auth): add signInWithWeb3 for Web3 wallet authentication (#1590) ## Summary Adds `signInWithWeb3` support to `gotrue`, wrapping the GoTrue `POST /token?grant_type=web3` endpoint used for Web3 wallet authentication (Sign-In with Ethereum and... push 14 Jul 2026 01:26PM UTC web-flow github
87.9
29318155135 main fix(supabase_common): align platform stats casing with other SDKs (#1596) ## What Normalizes the platform name reported in the `platform=` segment of the `X-Client-Info` header so it uses the same casing across all Supabase SDKs. Previously the... push 14 Jul 2026 08:31AM UTC web-flow github
87.33
29287704963 main feat(postgrest): configurable auto-retry and request timeout (#1560) ## Summary Makes the PostgREST client's automatic retry behavior configurable and adds an optional per-request timeout that actually cancels a stalled attempt. Previously the r... push 13 Jul 2026 09:51PM UTC web-flow github
87.2
See All Builds (1128)

Badge your Repo: supabase-flutter

We detected this repo isn’t badged! Grab the embed code to the right, add it to your repo to show off your code coverage, and when the badge is live hit the refresh button to remove this message.

Could not find badge in README.

Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

Refresh
  • Settings
  • Repo on GitHub
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc