Storage

Ownership

When a new bucket or object is created in Supabase Storage, an owner is automatically assigned to it. The owner is the user who created the resource, and the value is taken from the sub claim of the JWT that accompanied the request. The owner is stored in the owner_id column.

Access control

By itself, the ownership of a resource does not provide any access control. However, you can enforce ownership by implementing access control on storage resources that is scoped to their owner.

For example, you can implement a policy where only the owner of an object can delete it. To do this, check the owner_id field of the object and compare it with the sub claim of the JWT:

```sql
create policy "User can delete their own objects"
on storage.objects
for delete
to authenticated
using (
  -- owner_id is stored as text while auth.uid() returns a uuid, so cast the
  -- uuid to text before comparing; only the object's owner passes this check
  owner_id = (select auth.uid())::text
);
```

The use of RLS policies is just one way to enforce access control. You can also implement the same check in your server code: read the object's owner_id and compare it with the sub claim of the caller's JWT before acting on the object.