Home

CLI configuration

A supabase/config.toml file is generated after running supabase init.

You can edit this file to change the settings for your locally running project. After you make changes, you will need to restart using supabase stop and then supabase start for the changes to take effect.

General Config#

project_id#

NameDefaultRequired
project_idNonetrue

Description

A string used to distinguish different Supabase projects on the same host. Defaults to the working directory name when running supabase init.

Auth Config#

auth.enabled#

NameDefaultRequired
auth.enabledtruefalse

Description

Enable the local GoTrue service.

auth.site_url#

NameDefaultRequired
auth.site_url"http://localhost:3000"false

Description

The base URL of your website. Used as an allow-list for redirects and for constructing URLs used in emails.

auth.additional_redirect_urls#

NameDefaultRequired
auth.additional_redirect_urls["https://localhost:3000"]false

Description

A list of exact URLs that auth providers are permitted to redirect to post authentication.

auth.jwt_expiry#

NameDefaultRequired
auth.jwt_expiry3600false

Description

How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 seconds (one week).

auth.enable_refresh_token_rotation#

NameDefaultRequired
auth.enable_refresh_token_rotationtruefalse

Description

If disabled, the refresh token will never expire.

auth.refresh_token_reuse_interval#

NameDefaultRequired
auth.refresh_token_reuse_interval10false

Description

Allows refresh tokens to be reused after expiry, up to the specified interval in seconds. Requires enable_refresh_token_rotation = true.

auth.enable_signup#

NameDefaultRequired
auth.enable_signuptruefalse

Description

Allow/disallow new user signups to your project.

auth.email.enable_signup#

NameDefaultRequired
auth.email.enable_signuptruefalse

Description

Allow/disallow new user signups via email to your project.

auth.email.double_confirm_changes#

NameDefaultRequired
auth.email.double_confirm_changestruefalse

Description

If enabled, a user will be required to confirm any email change on both the old, and new email addresses. If disabled, only the new email is required to confirm.

auth.email.enable_confirmations#

NameDefaultRequired
auth.email.enable_confirmationsfalsefalse

Description

If enabled, users need to confirm their email address before signing in.

auth.email.template.<type>.subject#

NameDefaultRequired
auth.email.template.type.subjectNonefalse

Description

The full list of email template types are:

  • invite
  • confirmation
  • recovery
  • magic_link
  • email_change

auth.email.template.<type>.content_path#

NameDefaultRequired
auth.email.template.type.content_pathNonefalse

Description

The full list of email template types are:

  • invite
  • confirmation
  • recovery
  • magic_link
  • email_change

auth.sms.enable_signup#

NameDefaultRequired
auth.sms.enable_signuptruefalse

Description

Allow/disallow new user signups via SMS to your project.

auth.sms.enable_confirmations#

NameDefaultRequired
auth.sms.enable_confirmationsfalsefalse

Description

If enabled, users need to confirm their phone number before signing in.

auth.sms.test_otp#

NameDefaultRequired
auth.sms.test_otpNonefalse

Description

Use pre-defined map of phone number to OTP for testing.

Usage

[auth.sms.test_otp]
4152127777 = "123456"

auth.sms.<provider>.enabled#

NameDefaultRequired
auth.sms.provider.enabledfalsefalse

Description

Use an external SMS provider. The full list of providers are:

  • twilio
  • twilio_verify
  • messagebird
  • textlocal
  • vonage

auth.sms.<twilio|twilio_verify>.account_sid#

NameDefaultRequired
auth.sms.twilio.account_sidNonetrue

Description

Twilio Account SID

auth.sms.<twilio|twilio_verify>.message_service_sid#

NameDefaultRequired
auth.sms.twilio.message_service_sidNonetrue

Description

Twilio Message Service SID

auth.sms.<twilio|twilio_verify>.auth_token#

NameDefaultRequired
auth.sms.twilio.auth_tokenenv(SUPABASE_AUTH_SMS_TWILIO_AUTH_TOKEN)true

Description

Twilio Auth Token

DO NOT commit your Twilio auth token to git. Use environment variable substitution instead.

auth.sms.messagebird.originator#

NameDefaultRequired
auth.sms.messagebird.originatorNonetrue

Description

MessageBird Originator

auth.sms.messagebird.access_key#

NameDefaultRequired
auth.sms.messagebird.access_keyenv(SUPABASE_AUTH_SMS_MESSAGEBIRD_ACCESS_KEY)true

Description

MessageBird Access Key

DO NOT commit your MessageBird access key to git. Use environment variable substitution instead.

auth.sms.textlocal.sender#

NameDefaultRequired
auth.sms.textlocal.senderNonetrue

Description

TextLocal Sender

auth.sms.textlocal.api_key#

NameDefaultRequired
auth.sms.textlocal.api_keyenv(SUPABASE_AUTH_SMS_TEXTLOCAL_API_KEY)true

Description

TextLocal API Key

DO NOT commit your TextLocal API key to git. Use environment variable substitution instead.

auth.sms.vonage.from#

NameDefaultRequired
auth.sms.vonage.fromNonetrue

Description

Vonage From

auth.sms.vonage.api_key#

NameDefaultRequired
auth.sms.vonage.api_keyNonetrue

Description

Vonage API Key

auth.sms.vonage.api_secret#

NameDefaultRequired
auth.sms.vonage.api_secretenv(SUPABASE_AUTH_SMS_VONAGE_API_SECRET)true

Description

Vonage API Secret

DO NOT commit your Vonage API secret to git. Use environment variable substitution instead.

auth.external.<provider>.enabled#

NameDefaultRequired
auth.external.provider.enabledfalsefalse

Description

Use an external OAuth provider. The full list of providers are:

  • apple
  • azure
  • bitbucket
  • discord
  • facebook
  • github
  • gitlab
  • google
  • keycloak
  • linkedin
  • notion
  • twitch
  • twitter
  • slack
  • spotify
  • workos
  • zoom

auth.external.<provider>.client_id#

NameDefaultRequired
auth.external.provider.client_idNonetrue

Description

Client ID for the external OAuth provider.

auth.external.<provider>.secret#

NameDefaultRequired
auth.external.provider.secretenv(SUPABASE_AUTH_EXTERNAL_<PROVIDER>_SECRET)true

Description

Client secret for the external OAuth provider.

DO NOT commit your OAuth provider secret to git. Use environment variable substitution instead.

auth.external.<provider>.url#

NameDefaultRequired
auth.external.provider.urlNonefalse

Description

The base URL used for constructing the URLs to request authorization and access tokens. Used by gitlab and keycloak. For gitlab it defaults to https://gitlab.com. For keycloak you need to set this to your instance, for example: https://keycloak.example.com/realms/myrealm .

auth.external.<provider>.redirect_uri#

NameDefaultRequired
auth.external.provider.redirect_uriNonefalse

Description

The URI a OAuth2 provider will redirect to with the code and state values.

API Config#

api.enabled#

NameDefaultRequired
api.enabledtruefalse

Description

Enable the local PostgREST service.

api.port#

NameDefaultRequired
api.port54321false

Description

Port to use for the API URL.

Usage

[api]
port = 54321

api.schemas#

NameDefaultRequired
api.schemas["public", "storage", "graphql_public"]false

Description

Schemas to expose in your API. Tables, views and functions in this schema will get API endpoints. public and storage are always included.

api.extra_search_path#

NameDefaultRequired
api.extra_search_path["public", "extensions"]false

Description

Extra schemas to add to the search_path of every request. public is always included.

api.max_rows#

NameDefaultRequired
api.max_rows1000false

Description

The maximum number of rows returned from a view, table, or stored procedure. Limits payload size for accidental or malicious requests.

Database Config#

db.port#

NameDefaultRequired
db.port54322false

Description

Port to use for the local database URL.

db.shadow_port#

NameDefaultRequired
db.shadow_port54320false

Description

Port to use for the local shadow database.

See also

    db.major_version#

    NameDefaultRequired
    db.major_version15false

    Description

    The database major version to use. This has to be the same as your remote database's. Run SHOW server_version; on the remote database to check.

    db.pooler.enabled#

    NameDefaultRequired
    db.pooler.enabledfalsefalse

    Description

    Enable the local PgBouncer service.

    db.pooler.port#

    NameDefaultRequired
    db.pooler.port54329false

    Description

    Port to use for the local connection pooler.

    db.pooler.pool_mode#

    NameDefaultRequired
    db.pooler.pool_mode"transaction"false

    Description

    Specifies when a server connection can be reused by other clients. Configure one of the supported pooler modes: transaction, session.

    db.pooler.default_pool_size#

    NameDefaultRequired
    db.pooler.default_pool_size20false

    Description

    How many server connections to allow per user/database pair.

    db.pooler.max_client_conn#

    NameDefaultRequired
    db.pooler.max_client_conn100false

    Description

    Maximum number of client connections allowed.

    Dashboard Config#

    studio.enabled#

    NameDefaultRequired
    studio.enabledtruefalse

    Description

    Enable the local Supabase Studio dashboard.

    See also

      studio.port#

      NameDefaultRequired
      studio.port54323false

      Description

      Port to use for Supabase Studio.

      See also

        studio.api_url#

        NameDefaultRequired
        studio.api_url"http://localhost"false

        Description

        External URL of the API server that frontend connects to.

        See also

          Realtime Config#

          realtime.enabled#

          NameDefaultRequired
          realtime.enabledtruefalse

          Description

          Enable the local Realtime service.

          See also

            realtime.ip_version#

            NameDefaultRequired
            realtime.ip_version"IPv6"false

            Description

            Bind realtime via either IPv4 or IPv6. (default: IPv6)

            See also

              Storage Config#

              storage.enabled#

              NameDefaultRequired
              storage.enabledtruefalse

              Description

              Enable the local Storage service.

              storage.file_size_limit#

              NameDefaultRequired
              storage.file_size_limit"50MiB"false

              Description

              The maximum file size allowed (e.g. "5MB", "500KB").

              Edge-Functions Config#

              functions.<function_name>.verify_jwt#

              NameDefaultRequired
              functions.function_name.verify_jwttruefalse

              Description

              By default, when you deploy your Edge Functions or serve them locally, it will reject requests without a valid JWT in the Authorization header. Setting this configuration changes the default behavior.

              Note that the --no-verify-jwt flag overrides this configuration.

              functions.<function_name>.import_map#

              NameDefaultRequired
              functions.function_name.import_mapNonefalse

              Description

              Specify the Deno import map file to use for the Function.

              Note that the --import-map flag overrides this configuration.

              Analytics Config#

              analytics.enabled#

              NameDefaultRequired
              analytics.enabledfalsefalse

              Description

              Enable the local Logflare service.

              analytics.port#

              NameDefaultRequired
              analytics.port54327false

              Description

              Port to the local Logflare service.

              See also

                analytics.vector_port#

                NameDefaultRequired
                analytics.vector_port54328false

                Description

                Port to the local syslog ingest service.

                See also

                  analytics.backend#

                  NameDefaultRequired
                  analytics.backend"postgres"false

                  Description

                  Configure one of the supported backends:

                  • postgres
                  • bigquery

                  Local Development Config#

                  inbucket.enabled#

                  NameDefaultRequired
                  inbucket.enabledtruefalse

                  Description

                  Enable the local InBucket service.

                  inbucket.port#

                  NameDefaultRequired
                  inbucket.porttruefalse

                  Description

                  Port to use for the email testing server web interface.

                  Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

                  inbucket.smtp_port#

                  NameDefaultRequired
                  inbucket.smtp_port54325false

                  Description

                  Port to use for the email testing server SMTP port.

                  Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

                  If set, you can access the SMTP server from this port.

                  inbucket.pop3_port#

                  NameDefaultRequired
                  inbucket.pop3_port54326false

                  Description

                  Port to use for the email testing server POP3 port.

                  Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

                  If set, you can access the POP3 server from this port.