
CRE-2025-0131

Supabase Self-Hosted: JWT Secret Missing or Invalid Configuration

Severity: High
Impact: 10/10
Mitigation: 4/10


Description

Detects when Supabase self-hosted services fail because the JWT_SECRET configuration is missing, empty, or invalid. This affects the Auth service, the REST API, and every operation that depends on authentication: an invalid JWT secret prevents API token validation and breaks the entire authentication flow.

Mitigation

IMMEDIATE:
 - Set a valid JWT_SECRET in .env: `JWT_SECRET=your-super-secret-jwt-token-with-at-least-32-characters-long`
 - Regenerate the API keys if JWT_SECRET was changed: use the Supabase CLI or a JWT generator
 - Ensure JWT_SECRET matches the secret used to generate ANON_KEY and SERVICE_ROLE_KEY

VERIFICATION:
 - Test the auth endpoint: `curl http://localhost:8000/auth/v1/user`
 - Verify JWT validation: check the service logs for "invalid JWT" errors

PREVENTION:
 - Use environment variable validation in deployment scripts
 - Store secrets securely (HashiCorp Vault, Kubernetes secrets)
 - Document the JWT_SECRET requirements in setup guides
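As an added example (not part of this CRE entry or of Supabase's own tooling), a stand-alone Python check for the mitigation above: it parses the .env values, requires a non-empty JWT_SECRET of at least 32 characters, and verifies that ANON_KEY and SERVICE_ROLE_KEY are HS256 tokens signed with that secret and carrying the expected role claim, which is exactly what fails after a secret rotation without key regeneration. The sample .env and the make_hs256_jwt helper are constructed for the demonstration; only the standard library is used.

```python
import base64, hashlib, hmac, json
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_jwt(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to construct sample keys for the check below."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for a .env file (comments and blank lines skipped)."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("\"'") for k, v in pairs}

def role_if_signed(token: str, secret: str):
    """Return the 'role' claim if token is an HS256 JWT signed with secret, else None."""
    try:
        h, b, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":  # reject alg confusion
            return None
        want = hmac.new(secret.encode(), f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(b)).get("role")
    except (ValueError, AttributeError):  # wrong segment count, bad base64/JSON, non-object header
        return None

def check_supabase_env(env: dict) -> list:
    """List the JWT configuration problems found; an empty list means the config is consistent."""
    secret = env.get("JWT_SECRET", "")
    if not secret:
        return ["JWT_SECRET is missing or empty"]
    problems = [] if len(secret) >= 32 else [f"JWT_SECRET is {len(secret)} characters; at least 32 required"]
    for name, role in (("ANON_KEY", "anon"), ("SERVICE_ROLE_KEY", "service_role")):
        got = role_if_signed(env.get(name, ""), secret)
        if got is None:
            problems.append(f"{name} is missing or not signed with the current JWT_SECRET")
        elif got != role:
            problems.append(f"{name} carries role {got!r}, expected {role!r}")
    return problems
# Constructed sample .env (not a real deployment's values); both keys are minted with this secret.
SAMPLE_SECRET = "constructed-demo-secret-0123456789abcdefghij"
SAMPLE_ENV = parse_env(f"""
JWT_SECRET={SAMPLE_SECRET}
ANON_KEY={make_hs256_jwt({"role": "anon", "iss": "supabase"}, SAMPLE_SECRET)}
SERVICE_ROLE_KEY={make_hs256_jwt({"role": "service_role", "iss": "supabase"}, SAMPLE_SECRET)}
""")
```

Running `check_supabase_env(parse_env(open(".env").read()))` in a deployment script reports the mismatch before the Auth service and REST API start rejecting every token.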

References