Supabase SDK Capability Matrix

Create a new custom OIDC/OAuth provider. Requires admin/service role.

Create a new user with specified attributes without sending a confirmation. Requires admin/service role.

Delete a specific MFA factor from a user's account. Requires admin/service role.

Delete a custom provider. Requires admin/service role.

Permanently delete a user by their ID. Requires admin/service role.

Generate an action link (confirmation, magic link, recovery) for a user. Requires admin/service role.

Get details of a specific custom provider by identifier. Requires admin/service role.

Fetch a single user's profile and metadata by their ID. Requires admin/service role.

Send an invite to a new user. Requires admin/service role.

List all MFA factors enrolled for a specific user. Requires admin/service role.

List all custom providers with optional type filter. Requires admin/service role.

Retrieve a paginated list of all users in the project. Requires admin/service role.

Revoke a user's session server-side by their access token. Requires admin/service role.

Update an existing custom provider. Requires admin/service role.

Update a user's attributes (email, password, metadata, role, etc.) by their ID. Requires admin/service role.

Link an additional OAuth or ID-token identity to the current user's account.

List all external identities linked to the current user's account.

Remove a linked identity from the current user's account.

Create a challenge for an enrolled MFA factor to begin the verification flow.

Create a challenge and verify a code in a single call for convenience.

Enroll a new MFA factor (TOTP or phone) for the current user.

Return the current and next authenticator assurance levels (AAL1/AAL2) for the session.

List all MFA factors enrolled for the current user.

Remove an enrolled MFA factor from the current user's account.

Verify a code against an active MFA challenge to complete second-factor authentication.

Register a new OAuth client application. Requires admin/service role.

Remove a registered OAuth client. Requires admin/service role.

Retrieve details of a specific OAuth client by its client ID. Requires admin/service role.

List all registered OAuth clients for the project. Requires admin/service role.

Regenerate the client secret for a registered OAuth client. Requires admin/service role.

Update a registered OAuth client's settings (name, redirect URIs, etc.). Requires admin/service role.

Approve a pending OAuth authorization request on behalf of the current user.

Deny a pending OAuth authorization request on behalf of the current user.

Fetch the details of a pending OAuth authorization request.

List all active OAuth grants the current user has approved.

Revoke a specific OAuth grant that the current user previously approved.

Delete a specific passkey for a user. Requires admin/service role.

List all passkeys registered for a specific user. Requires admin/service role.

Register a new WebAuthn passkey for the currently authenticated user.

Authenticate using a WebAuthn passkey registered on the device.

Automatically refresh the access token in the background before it expires. Exposes controls to start and stop the refresh loop and configure whether it is enabled.

Verify and return the token claims for the current session using the server's public key set, which is typically cached for performance.

Return the current active session, refreshing the access token if needed.

Fetch the authenticated user's profile from the server, verifying the token.

Force an immediate refresh of the current session using the refresh token.

Manually set the current session from a known access token and refresh token.

Revoke the current user session and clear stored credentials.

Subscribe to authentication state change events (sign-in, sign-out, token refresh, etc.).

Update the current user's attributes such as email, password, or metadata.

Exchange a PKCE authorization code for a user session.

Send a reauthentication nonce to verify the user before sensitive operations such as a password change.

Resend a signup confirmation or OTP email/SMS to a user.

Send a password-reset link to a user's email address.

Create an anonymous (guest) session without user credentials.

Authenticate using a provider-issued ID token (e.g. from Apple or Google).

Initiate a third-party OAuth sign-in flow (Google, GitHub, etc.).

Send a one-time password (email or SMS) or magic link and authenticate with it.

Authenticate an existing user with email or phone and password.

Initiate a SAML SSO sign-in by supplying a domain or provider ID. The user is redirected to the identity provider to authenticate.

Authenticate using a Web3 wallet (Solana or Ethereum) via a signed message.

Register a new user with email or phone and password.

Verify a one-time password or token hash to complete sign-in or email confirmation.

Provide an async token callback at construction time to use an external auth provider; the SDK disables its own auth client and injects the returned JWT into all downstream requests.

The client listens for auth state change events and automatically propagates the current JWT to all sub-clients (database, realtime, storage, functions) so requests stay authenticated without manual intervention.

Choose between implicit and PKCE OAuth flows at construction time; PKCE is recommended for scenarios where the implicit flow is less secure.

Configure whether and how the client detects an incoming OAuth redirect; accepts a boolean or a custom predicate so apps using multiple OAuth providers can disambiguate callbacks.

Supply a custom storage backend at construction time to control where the user session is persisted; enables use of platform-native secure storage instead of the default.

Disable automatic session persistence so the session exists only in memory for the lifetime of the client instance.

Supply a custom HTTP client implementation at construction time; the SDK wraps it with automatic API key and authorization header injection and propagates it to all sub-clients.

Attach extra HTTP headers to every request made by all sub-clients at construction time.

Inject standard trace context headers into outgoing requests so server-side spans can be correlated with client-side traces in a distributed tracing system.

Delete rows from a table or view that match a filter.

Insert one or more rows into a table or view.

Chain a column selection onto an insert, update, upsert, or delete to return the affected rows in the response.

Update rows in a table or view that match a filter.

Insert rows, or update them on conflict based on specified conflict columns.

Scope a query to a specific table or view. The entry point for all table-level operations.

Invoke a database function via the PostgREST RPC interface.

Target a non-default database schema for the query or function call.

Read rows from a table or view with column selection.

For jsonb, array, and range columns — match only rows where every element in the column is contained by the given value.

For jsonb, array, and range columns — match only rows where the column contains every element in the given value.

Match only rows where a column equals a value.

Match only rows where a column is greater than a value.

Match only rows where a column is greater than or equal to a value.

Match only rows where a column matches a pattern case-insensitively (SQL ILIKE).

Match only rows where a column matches all of the given patterns case-insensitively.

Match only rows where a column matches any of the given patterns case-insensitively.

Match only rows where a column's value is in a given set.

Match only rows where a column IS a value (null, true, or false).

Match only rows where a column IS DISTINCT FROM a value (null-safe inequality).

Match only rows where a column matches a pattern case-sensitively (SQL LIKE).

Match only rows where a column matches all of the given patterns case-sensitively.

Match only rows where a column matches any of the given patterns case-sensitively.

Match only rows where a column is less than a value.

Match only rows where a column is less than or equal to a value.

Match rows where each key/value pair in an object equals the corresponding column value. Shorthand for multiple equality filters.

Match only rows where a column does not equal a value.

Negate a filter so only rows that do not satisfy it are returned.

Match only rows where a column's value is not in a given set.

Match rows that satisfy at least one of multiple filters.

For array and range columns — match only rows where the column and value share at least one element.

For range columns — match only rows where the column is mutually exclusive to the given range with no gap between them.

For range columns — match only rows where every element in the column is greater than any element in the given range.

For range columns — match only rows where every element in the column is contained in or greater than any element in the given range.

For range columns — match only rows where every element in the column is less than any element in the given range.

For range columns — match only rows where every element in the column is contained in or less than any element in the given range.

Apply a raw filter expression. Escape hatch for filter combinations not covered by the specific filter operations.

Match only rows where a column matches a regex pattern case-sensitively.

Match only rows where a column matches a regex pattern case-insensitively.

For text and tsvector columns — match only rows where a column matches a full-text search query.

Execute the query against the database but discard any changes, returning what would have been affected.

Return the database query execution plan instead of the result data.

Return the query result as a CSV string instead of a structured object.

Return the query result as a GeoJSON object.

Limit the number of rows returned by the query.

Set the maximum number of rows that a mutation (update or delete) is allowed to affect.

Return a single row if one exists, or null if no rows match. Errors if multiple rows are returned.

Sort the query result by one or more columns.

Return a slice of results by specifying a zero-based start and end offset.

Assert that the query returns exactly one row and unwrap it from the array. Errors if zero or multiple rows are returned.

Omit null-valued properties from response objects using the nulls=stripped Accept header variant; requires PostgREST 11.2+.

Cancel an in-flight request at any point; merges cleanly with any client-level timeout.

Select columns from related tables within a single query using PostgREST's spread notation; supports inner joins, left joins, aliasing, and nested relationships.

Automatically retry idempotent requests on transient failures using exponential backoff; configurable per-client and overridable per-request.

Set a global request timeout in milliseconds at construction time; in-flight requests are cancelled once the deadline is reached.

Call a deployed Edge Function by name with an optional request body.

Update the authorization token sent with all subsequent function invocations.

Invoke a function using a non-default HTTP method (GET, PUT, PATCH, DELETE) for RESTful Edge Function designs.

Receive a streaming response from a function; when the function returns text/event-stream the raw Response object is passed through for caller-controlled reading.

Route an invocation to a specific geographic deployment region set at client construction time or overridden per individual call.

Cancel a function invocation after a specified timeout; composable with a caller-supplied cancellation signal.

Cancel an in-flight function invocation at any point before a response is received.

Send a broadcast message to channel subscribers via the REST API instead of the websocket connection.

Send a message to other subscribers of the channel.

Register the channel with the server and start receiving events.

Leave the channel and stop receiving events.

Create a new channel or return an existing one for the given topic.

Open the websocket connection to the Realtime server.

Return the current state of the websocket connection.

Close the websocket connection to the Realtime server.

Return all active channels for this client.

Register a callback that receives lifecycle events for internal heartbeat messages.

Unsubscribe from and tear down all channels.

Unsubscribe from and tear down a single channel.

Update the access token used for channel subscription authorization and row-level security.

Return the current presence state for all tracked clients on this channel.

Broadcast a presence payload so other subscribers can see this client as online.

Remove this client's presence state, making it appear offline to other subscribers.

Set a stable identifier for the current client's presence entries so multiple connections from the same user share one logical key via the presence.key channel option.

Listen for broadcast messages sent by other clients on this channel.

Listen for Postgres database change events (insert, update, delete) streamed over this channel.

Listen for presence events on this channel — when peers join, leave, or sync their presence state.

Apply a PostgREST-style filter expression (e.g. id=eq.200) to a Postgres changes subscription to receive events only for matching rows.

Mark a channel as private to enforce Row Level Security on Postgres change events and restrict broadcast and presence access to authorized users.

Opt in to receiving broadcast messages that the current client sends on the same channel via the broadcast.self channel option.

Require server confirmation of receipt for each broadcast message before the send resolves via the broadcast.ack channel option.

Replay historical broadcast messages from a point in time on a private channel via the broadcast.replay option (requires a since timestamp; supports an optional message limit).

Inject a custom WebSocket constructor at client construction time for runtimes without a native global WebSocket, such as Node.js (<22), Cloudflare Workers, or Deno.

Provide a custom function mapping reconnect attempt count to delay milliseconds, replacing the default stepped backoff strategy.

Configure the WebSocket heartbeat interval in milliseconds; used to detect stale connections and trigger reconnection.

Supply an async callback at construction time that returns the current JWT; called on connect and each heartbeat to keep WebSocket authorization fresh without manual intervention.

Delay WebSocket disconnection after all channels are removed instead of closing immediately, reducing reconnection overhead for short-lived channel patterns.

Provide a custom logging function and log level filter at construction time to route Realtime client diagnostics to an application logger.

Select protocol version 2.0.0 for binary-serialized messages over the WebSocket connection.

Scope subsequent file operations to a specific bucket.

Copy an existing file to a new path within the same bucket.

Create a new file storage bucket.

Create a signed URL that allows an unauthenticated client to upload a file to the bucket.

Create a time-limited signed URL for sharing a file.

Create time-limited signed URLs for multiple files in a single request.

Delete an existing file bucket. The bucket must be empty before deletion.

Download a file from a private bucket.

Delete all objects inside a bucket without deleting the bucket itself.

Check whether a file exists at a given path.

Retrieve the metadata of an existing file.

Retrieve the details of a specific storage bucket.

Get the public URL for a file in a public bucket.

List all file storage buckets in the project.

List files and folders within a path of the bucket.

List files and folders within a bucket with cursor-based pagination support.

Move an existing file to a new path within the same bucket.

Delete one or more files from the bucket.

Update a storage bucket's settings (public access, file size limits, etc.).

Replace an existing file at the specified path with a new one.

Upload a file to an existing bucket.

Upload a file using a pre-signed upload URL, without requiring standard authentication.

Download a file and return its content as a stream for memory-efficient handling of large files.

Apply server-side image transformations inline during download without creating a separate file.

Copy a file to a path in a different bucket using the destinationBucket option.

Move a file to a path in a different bucket using the destinationBucket option.

Attach arbitrary JSON metadata, a custom cache-control header, and an explicit content-type to a file at upload time.

Append a cache-busting nonce to public and signed URLs to bypass CDN caching for a specific file version.

Scope subsequent vector operations to a specific index within a bucket.

Create a new vector index in a bucket.

Delete a vector index from a bucket.

Delete vectors by key from an index.

Retrieve metadata for a specific vector index.

Retrieve vectors by key from an index.

List all vector indexes in a bucket.

List vectors in an index with pagination.

Insert or update vectors in an index.

Search for similar vectors in an index using a query vector.

Create a new bucket dedicated to holding S3 Vectors indexes.

List all vector buckets with prefix filtering and cursor-based pagination.

Delete an empty vector bucket and all its indexes.

Distribute a full-index vector scan across multiple workers using segmentCount and segmentIndex parameters to parallelize large-scale retrieval.

Create a bucket backed by Apache Iceberg table format for structured analytical data storage.

List analytics buckets with optional pagination and sort options.

Delete an empty analytics bucket.

Create, list, and drop namespaces within an analytics bucket via the Iceberg REST Catalog API.

Create, list, load, update, rename, and drop Iceberg tables within a namespace, including schema and partition spec definition.