Supabase changes API access for new projects from May 30

New Supabase projects will now require explicit permission for API access, changing from automatic exposure. This is a major security update.
By Newsroom | Technology, Software Development |

New projects launched after May 30th will require developers to actively grant permissions for tables in the public schema to be accessible via Supabase's Data API. This marks a significant departure from previous default behavior where tables were automatically exposed. The shift necessitates explicit PostgreSQL grants, either through the dashboard interface or directly via SQL commands.

Growing Number of Americans Say Religion Gaining Influence in Society - 1

This change mandates a granular, per-role access control model, specifically addressing the distinction between anonymous and authenticated user permissions. This aims to bolster security and governance for production environments. Explicit grants are designed to be reviewable and auditable, fitting more transparently into migration workflows.

Growing Number of Americans Say Religion Gaining Influence in Society - 2

Restoring and Securing Existing Data

For developers looking to align existing projects with this new security posture, Supabase provides methods to revoke and re-grant permissions. Running specific SQL commands can alter default privileges for future table creations, preventing them from being automatically exposed. Existing tables will retain their current access settings unless explicitly modified.

Read More: Big AI Influence on Law Worries Researchers

Growing Number of Americans Say Religion Gaining Influence in Society - 3

  • To stop automatic default privileges for future objects: ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public REVOKE SELECT, INSERT, UPDATE, DELETE ON TABLES FROM anon, authenticated, service_role; and ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public REVOKE USAGE, SELECT ON SEQUENCES FROM anon, authenticated, service_role;

  • To secure existing tables, direct REVOKE statements per table are advised: REVOKE ALL ON TABLE public.your_table FROM anon, authenticated, service_role;

The company’s 'Data API exposure badge' in the Table Editor and its 'Security Advisor' are tools to help identify tables that warrant review under this new access model.

Underlying Mechanisms and Previous Adjustments

This move builds upon Supabase's ongoing efforts to refine its security framework. Previously, on February 17th, 2026, access to the full OpenAPI specification via anonymous keys was deprecated. This adjustment, however, did not impact standard Data API usage, with the endpoint remaining accessible through service role or secret API keys.

The Data API itself is designed to function in concert with PostgreSQL's built-in access control features. Ensuring secure API endpoints typically involves enabling Row Level Security (RLS) on all tables exposed via the Data API. Policies can then be crafted to define specific access rules, such as allowing anonymous users to 'select' only published posts while authenticated users manage their own content. Supabase's documentation emphasizes using secret and service role keys exclusively on the backend, as they bypass RLS and can compromise security if exposed on the frontend.

Read More: Triton language helps developers write GPU code easily

Frequently Asked Questions

Q: Why is Supabase changing its API access for new projects starting May 30?
Supabase is changing its API access to require developers to actively grant permissions for tables in new projects. This aims to improve security by moving away from automatically exposing tables.
Q: What do developers need to do for new Supabase projects after May 30?
For new projects created after May 30, developers must now explicitly grant permissions for tables in the public schema to be accessed through Supabase's Data API. This can be done through the dashboard or SQL commands.
Q: How can I secure existing Supabase projects with this new change?
Existing tables will keep their current access settings unless changed. To secure them, you can use specific SQL commands to revoke access and then re-grant it selectively, or use Supabase's 'Security Advisor' tool to identify tables needing review.
Q: What underlying security features does Supabase use for API access?
Supabase uses PostgreSQL's built-in access control features. It strongly recommends enabling Row Level Security (RLS) on tables and using secret and service role keys only on the backend to maintain security.