CLI configuration
A supabase/config.toml
file is generated after running supabase init
.
You can edit this file to change the settings for your locally running project. After you make changes, you will need to restart using supabase stop
and then supabase start
for the changes to take effect.
General Config
project_id
Name | Default | Required |
---|---|---|
project_id | None | true |
Description
A string used to distinguish different Supabase projects on the same host. Defaults to the working directory name when running supabase init
.
Auth Config
auth.enabled
Name | Default | Required |
---|---|---|
auth.enabled | true | false |
Description
Enable the local GoTrue service.
See also
auth.site_url
Name | Default | Required |
---|---|---|
auth.site_url | "http://localhost:3000" | false |
Description
The base URL of your website. Used as an allow-list for redirects and for constructing URLs used in emails.
See also
auth.additional_redirect_urls
Name | Default | Required |
---|---|---|
auth.additional_redirect_urls | ["https://localhost:3000"] | false |
Description
A list of exact URLs that auth providers are permitted to redirect to post authentication.
See also
auth.jwt_expiry
Name | Default | Required |
---|---|---|
auth.jwt_expiry | 3600 | false |
Description
How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 seconds (one week).
See also
auth.enable_refresh_token_rotation
Name | Default | Required |
---|---|---|
auth.enable_refresh_token_rotation | true | false |
Description
If disabled, the refresh token will never expire.
See also
auth.refresh_token_reuse_interval
Name | Default | Required |
---|---|---|
auth.refresh_token_reuse_interval | 10 | false |
Description
Allows refresh tokens to be reused after expiry, up to the specified interval in seconds. Requires enable_refresh_token_rotation = true.
See also
auth.enable_signup
Name | Default | Required |
---|---|---|
auth.enable_signup | true | false |
Description
Allow/disallow new user signups to your project.
See also
auth.enable_anonymous_sign_ins
Name | Default | Required |
---|---|---|
auth.enable_anonymous_sign_ins | false | false |
Description
Allow/disallow anonymous sign-ins to your project.
See also
auth.email.enable_signup
Name | Default | Required |
---|---|---|
auth.email.enable_signup | true | false |
Description
Allow/disallow new user signups via email to your project.
See also
auth.email.double_confirm_changes
Name | Default | Required |
---|---|---|
auth.email.double_confirm_changes | true | false |
Description
If enabled, a user will be required to confirm any email change on both the old, and new email addresses. If disabled, only the new email is required to confirm.
See also
auth.email.enable_confirmations
Name | Default | Required |
---|---|---|
auth.email.enable_confirmations | false | false |
Description
If enabled, users need to confirm their email address before signing in.
See also
auth.email.template.<type>.subject
Name | Default | Required |
---|---|---|
auth.email.template.type.subject | None | false |
Description
The full list of email template types are:
invite
confirmation
recovery
magic_link
email_change
See also
auth.email.template.<type>.content_path
Name | Default | Required |
---|---|---|
auth.email.template.type.content_path | None | false |
Description
The full list of email template types are:
invite
confirmation
recovery
magic_link
email_change
See also
auth.sms.enable_signup
Name | Default | Required |
---|---|---|
auth.sms.enable_signup | true | false |
Description
Allow/disallow new user signups via SMS to your project.
See also
auth.sms.enable_confirmations
Name | Default | Required |
---|---|---|
auth.sms.enable_confirmations | false | false |
Description
If enabled, users need to confirm their phone number before signing in.
See also
auth.sms.test_otp
Name | Default | Required |
---|---|---|
auth.sms.test_otp | None | false |
Description
Use pre-defined map of phone number to OTP for testing.
Usage
1[auth.sms.test_otp]
24152127777 = "123456"
See also
auth.sms.<provider>.enabled
Name | Default | Required |
---|---|---|
auth.sms.provider.enabled | false | false |
Description
Use an external SMS provider. The full list of providers are:
twilio
twilio_verify
messagebird
textlocal
vonage
See also
auth.sms.<twilio|twilio_verify>.account_sid
Name | Default | Required |
---|---|---|
auth.sms.twilio.account_sid | None | true |
Description
Twilio Account SID
See also
auth.sms.<twilio|twilio_verify>.message_service_sid
Name | Default | Required |
---|---|---|
auth.sms.twilio.message_service_sid | None | true |
Description
Twilio Message Service SID
See also
auth.sms.<twilio|twilio_verify>.auth_token
Name | Default | Required |
---|---|---|
auth.sms.twilio.auth_token | env(SUPABASE_AUTH_SMS_TWILIO_AUTH_TOKEN) | true |
Description
Twilio Auth Token
DO NOT commit your Twilio auth token to git. Use environment variable substitution instead.
See also
auth.sms.messagebird.originator
Name | Default | Required |
---|---|---|
auth.sms.messagebird.originator | None | true |
Description
MessageBird Originator
See also
auth.sms.messagebird.access_key
Name | Default | Required |
---|---|---|
auth.sms.messagebird.access_key | env(SUPABASE_AUTH_SMS_MESSAGEBIRD_ACCESS_KEY) | true |
Description
MessageBird Access Key
DO NOT commit your MessageBird access key to git. Use environment variable substitution instead.
See also
auth.sms.textlocal.sender
Name | Default | Required |
---|---|---|
auth.sms.textlocal.sender | None | true |
Description
TextLocal Sender
See also
auth.sms.textlocal.api_key
Name | Default | Required |
---|---|---|
auth.sms.textlocal.api_key | env(SUPABASE_AUTH_SMS_TEXTLOCAL_API_KEY) | true |
Description
TextLocal API Key
DO NOT commit your TextLocal API key to git. Use environment variable substitution instead.
See also
auth.sms.vonage.from
Name | Default | Required |
---|---|---|
auth.sms.vonage.from | None | true |
Description
Vonage From
See also
auth.sms.vonage.api_key
Name | Default | Required |
---|---|---|
auth.sms.vonage.api_key | None | true |
Description
Vonage API Key
See also
auth.sms.vonage.api_secret
Name | Default | Required |
---|---|---|
auth.sms.vonage.api_secret | env(SUPABASE_AUTH_SMS_VONAGE_API_SECRET) | true |
Description
Vonage API Secret
DO NOT commit your Vonage API secret to git. Use environment variable substitution instead.
See also
auth.external.<provider>.enabled
Name | Default | Required |
---|---|---|
auth.external.provider.enabled | false | false |
Description
Use an external OAuth provider. The full list of providers are:
apple
azure
bitbucket
discord
facebook
github
gitlab
google
kakao
keycloak
linkedin
notion
twitch
twitter
slack
spotify
workos
zoom
See also
auth.external.<provider>.client_id
Name | Default | Required |
---|---|---|
auth.external.provider.client_id | None | true |
Description
Client ID for the external OAuth provider.
See also
auth.external.<provider>.secret
Name | Default | Required |
---|---|---|
auth.external.provider.secret | env(SUPABASE_AUTH_EXTERNAL_<PROVIDER>_SECRET) | true |
Description
Client secret for the external OAuth provider.
DO NOT commit your OAuth provider secret to git. Use environment variable substitution instead.
See also
auth.external.<provider>.url
Name | Default | Required |
---|---|---|
auth.external.provider.url | None | false |
Description
The base URL used for constructing the URLs to request authorization and access tokens. Used by gitlab and keycloak. For gitlab it defaults to https://gitlab.com. For keycloak you need to set this to your instance, for example: https://keycloak.example.com/realms/myrealm .
See also
auth.external.<provider>.redirect_uri
Name | Default | Required |
---|---|---|
auth.external.provider.redirect_uri | None | false |
Description
The URI a OAuth2 provider will redirect to with the code and state values.
See also
API Config
api.enabled
Name | Default | Required |
---|---|---|
api.enabled | true | false |
Description
Enable the local PostgREST service.
See also
api.port
Name | Default | Required |
---|---|---|
api.port | 54321 | false |
Description
Port to use for the API URL.
Usage
1[api]
2port = 54321
See also
api.schemas
Name | Default | Required |
---|---|---|
api.schemas | ["public", "storage", "graphql_public"] | false |
Description
Schemas to expose in your API. Tables, views and functions in this schema will get API endpoints. public
and storage
are always included.
See also
api.extra_search_path
Name | Default | Required |
---|---|---|
api.extra_search_path | ["public", "extensions"] | false |
Description
Extra schemas to add to the search_path of every request. public is always included.
See also
api.max_rows
Name | Default | Required |
---|---|---|
api.max_rows | 1000 | false |
Description
The maximum number of rows returned from a view, table, or stored procedure. Limits payload size for accidental or malicious requests.
See also
Database Config
db.port
Name | Default | Required |
---|---|---|
db.port | 54322 | false |
Description
Port to use for the local database URL.
See also
db.shadow_port
Name | Default | Required |
---|---|---|
db.shadow_port | 54320 | false |
Description
Port to use for the local shadow database.
See also
db.major_version
Name | Default | Required |
---|---|---|
db.major_version | 15 | false |
Description
The database major version to use. This has to be the same as your remote database's. Run SHOW server_version;
on the remote database to check.
See also
db.pooler.enabled
Name | Default | Required |
---|---|---|
db.pooler.enabled | false | false |
Description
Enable the local PgBouncer service.
See also
db.pooler.port
Name | Default | Required |
---|---|---|
db.pooler.port | 54329 | false |
Description
Port to use for the local connection pooler.
See also
db.pooler.pool_mode
Name | Default | Required |
---|---|---|
db.pooler.pool_mode | "transaction" | false |
Description
Specifies when a server connection can be reused by other clients. Configure one of the supported pooler modes: transaction
, session
.
See also
db.pooler.default_pool_size
Name | Default | Required |
---|---|---|
db.pooler.default_pool_size | 20 | false |
Description
How many server connections to allow per user/database pair.
See also
db.pooler.max_client_conn
Name | Default | Required |
---|---|---|
db.pooler.max_client_conn | 100 | false |
Description
Maximum number of client connections allowed.
See also
Dashboard Config
studio.enabled
Name | Default | Required |
---|---|---|
studio.enabled | true | false |
Description
Enable the local Supabase Studio dashboard.
See also
studio.port
Name | Default | Required |
---|---|---|
studio.port | 54323 | false |
Description
Port to use for Supabase Studio.
See also
studio.api_url
Name | Default | Required |
---|---|---|
studio.api_url | "http://localhost" | false |
Description
External URL of the API server that frontend connects to.
See also
Realtime Config
realtime.enabled
Name | Default | Required |
---|---|---|
realtime.enabled | true | false |
Description
Enable the local Realtime service.
See also
realtime.ip_version
Name | Default | Required |
---|---|---|
realtime.ip_version | "IPv6" | false |
Description
Bind realtime via either IPv4 or IPv6. (default: IPv6)
See also
Storage Config
storage.enabled
Name | Default | Required |
---|---|---|
storage.enabled | true | false |
Description
Enable the local Storage service.
See also
storage.file_size_limit
Name | Default | Required |
---|---|---|
storage.file_size_limit | "50MiB" | false |
Description
The maximum file size allowed (e.g. "5MB", "500KB").
See also
Edge-Functions Config
functions.<function_name>.verify_jwt
Name | Default | Required |
---|---|---|
functions.function_name.verify_jwt | true | false |
Description
By default, when you deploy your Edge Functions or serve them locally, it will reject requests without a valid JWT in the Authorization header. Setting this configuration changes the default behavior.
Note that the --no-verify-jwt
flag overrides this configuration.
functions.<function_name>.import_map
Name | Default | Required |
---|---|---|
functions.function_name.import_map | None | false |
Description
Specify the Deno import map file to use for the Function.
Note that the --import-map
flag overrides this configuration.
Analytics Config
analytics.enabled
Name | Default | Required |
---|---|---|
analytics.enabled | false | false |
Description
Enable the local Logflare service.
analytics.port
Name | Default | Required |
---|---|---|
analytics.port | 54327 | false |
Description
Port to the local Logflare service.
See also
analytics.vector_port
Name | Default | Required |
---|---|---|
analytics.vector_port | 54328 | false |
Description
Port to the local syslog ingest service.
See also
analytics.backend
Name | Default | Required |
---|---|---|
analytics.backend | "postgres" | false |
Description
Configure one of the supported backends:
postgres
bigquery
Local Development Config
inbucket.enabled
Name | Default | Required |
---|---|---|
inbucket.enabled | true | false |
Description
Enable the local InBucket service.
See also
inbucket.port
Name | Default | Required |
---|---|---|
inbucket.port | true | false |
Description
Port to use for the email testing server web interface.
Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.
See also
inbucket.smtp_port
Name | Default | Required |
---|---|---|
inbucket.smtp_port | 54325 | false |
Description
Port to use for the email testing server SMTP port.
Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.
If set, you can access the SMTP server from this port.
See also
inbucket.pop3_port
Name | Default | Required |
---|---|---|
inbucket.pop3_port | 54326 | false |
Description
Port to use for the email testing server POP3 port.
Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.
If set, you can access the POP3 server from this port.
See also