Local Development

Supabase CLI config


A supabase/config.toml file is generated after running supabase init.

You can edit this file to change the settings for your locally running project. After you make changes, you will need to restart using supabase stop and then supabase start for the changes to take effect.

General Config

project_id

Name        Default  Required
project_id  None     true

Description

A string used to distinguish different Supabase projects on the same host. Defaults to the working directory name when running supabase init.

Auth Config

auth.enabled

Name          Default  Required
auth.enabled  true     false

Description

Enable the local GoTrue service.

auth.site_url

Name           Default                  Required
auth.site_url  "http://localhost:3000"  false

Description

The base URL of your website. Used as an allow-list for redirects and for constructing URLs used in emails.

auth.additional_redirect_urls

Name                           Default                     Required
auth.additional_redirect_urls  ["https://localhost:3000"]  false

Description

A list of exact URLs that auth providers are permitted to redirect to post authentication.

auth.jwt_expiry

Name             Default  Required
auth.jwt_expiry  3600     false

Description

How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 seconds (one week).

auth.enable_refresh_token_rotation

Name                                Default  Required
auth.enable_refresh_token_rotation  true     false

Description

If disabled, the refresh token will never expire.

auth.refresh_token_reuse_interval

Name                               Default  Required
auth.refresh_token_reuse_interval  10       false

Description

Allows refresh tokens to be reused after expiry, up to the specified interval in seconds. Requires enable_refresh_token_rotation = true.

auth.enable_signup

Name                Default  Required
auth.enable_signup  true     false

Description

Allow/disallow new user signups to your project.

auth.enable_anonymous_sign_ins

Name                            Default  Required
auth.enable_anonymous_sign_ins  false    false

Description

Allow/disallow anonymous sign-ins to your project.

auth.email.enable_signup

Name                      Default  Required
auth.email.enable_signup  true     false

Description

Allow/disallow new user signups via email to your project.

auth.email.double_confirm_changes

Name                               Default  Required
auth.email.double_confirm_changes  true     false

Description

If enabled, a user will be required to confirm any email change on both the old and new email addresses. If disabled, only the new email address needs to be confirmed.

auth.email.enable_confirmations

Name                             Default  Required
auth.email.enable_confirmations  false    false

Description

If enabled, users need to confirm their email address before signing in.

auth.email.smtp.host

Name                  Default   Required
auth.email.smtp.host  inbucket  false

Description

Hostname or IP address of the SMTP server.

auth.email.smtp.port

Name                  Default  Required
auth.email.smtp.port  2500     false

Description

Port number of the SMTP server.

auth.email.smtp.user

Name                  Default  Required
auth.email.smtp.user  None     false

Description

Username for authenticating with the SMTP server.

auth.email.smtp.pass

Name                  Default  Required
auth.email.smtp.pass  None     false

Description

Password for authenticating with the SMTP server.

auth.email.smtp.admin_email

Name                         Default          Required
auth.email.smtp.admin_email  admin@email.com  false

Description

Email used as the sender for emails sent from the application.

auth.email.smtp.sender_name

Name                         Default  Required
auth.email.smtp.sender_name  None     false

Description

Display name used as the sender for emails sent from the application.

auth.email.template.<type>.subject

Name                              Default  Required
auth.email.template.type.subject  None     false

Description

The full list of email template types is:

  • invite
  • confirmation
  • recovery
  • magic_link
  • email_change

auth.email.template.<type>.content_path

Name                                   Default  Required
auth.email.template.type.content_path  None     false

Description

The full list of email template types is:

  • invite
  • confirmation
  • recovery
  • magic_link
  • email_change

auth.sms.enable_signup

Name                    Default  Required
auth.sms.enable_signup  true     false

Description

Allow/disallow new user signups via SMS to your project.

auth.sms.enable_confirmations

Name                           Default  Required
auth.sms.enable_confirmations  false    false

Description

If enabled, users need to confirm their phone number before signing in.

auth.sms.test_otp

Name               Default  Required
auth.sms.test_otp  None     false

Description

Use a pre-defined map of phone numbers to OTPs for testing.

Usage

[auth.sms.test_otp]
4152127777 = "123456"

auth.sms.<provider>.enabled

Name                       Default  Required
auth.sms.provider.enabled  false    false

Description

Use an external SMS provider. The full list of providers is:

  • twilio
  • twilio_verify
  • messagebird
  • textlocal
  • vonage

auth.sms.<twilio|twilio_verify>.account_sid

Name                         Default  Required
auth.sms.twilio.account_sid  None     true

Description

Twilio Account SID

auth.sms.<twilio|twilio_verify>.message_service_sid

Name                                 Default  Required
auth.sms.twilio.message_service_sid  None     true

Description

Twilio Message Service SID

auth.sms.<twilio|twilio_verify>.auth_token

Name                        Default                                    Required
auth.sms.twilio.auth_token  env(SUPABASE_AUTH_SMS_TWILIO_AUTH_TOKEN)  true

Description

Twilio Auth Token

DO NOT commit your Twilio auth token to git. Use environment variable substitution instead.

auth.sms.messagebird.originator

Name                             Default  Required
auth.sms.messagebird.originator  None     true

Description

MessageBird Originator

auth.sms.messagebird.access_key

Name                             Default                                         Required
auth.sms.messagebird.access_key  env(SUPABASE_AUTH_SMS_MESSAGEBIRD_ACCESS_KEY)  true

Description

MessageBird Access Key

DO NOT commit your MessageBird access key to git. Use environment variable substitution instead.

auth.sms.textlocal.sender

Name                       Default  Required
auth.sms.textlocal.sender  None     true

Description

TextLocal Sender

auth.sms.textlocal.api_key

Name                        Default                                    Required
auth.sms.textlocal.api_key  env(SUPABASE_AUTH_SMS_TEXTLOCAL_API_KEY)  true

Description

TextLocal API Key

DO NOT commit your TextLocal API key to git. Use environment variable substitution instead.

auth.sms.vonage.from

Name                  Default  Required
auth.sms.vonage.from  None     true

Description

Vonage From

auth.sms.vonage.api_key

Name                     Default  Required
auth.sms.vonage.api_key  None     true

Description

Vonage API Key

auth.sms.vonage.api_secret

Name                        Default                                    Required
auth.sms.vonage.api_secret  env(SUPABASE_AUTH_SMS_VONAGE_API_SECRET)  true

Description

Vonage API Secret

DO NOT commit your Vonage API secret to git. Use environment variable substitution instead.

auth.external.<provider>.enabled

Name                            Default  Required
auth.external.provider.enabled  false    false

Description

Use an external OAuth provider. The full list of providers is:

  • apple
  • azure
  • bitbucket
  • discord
  • facebook
  • github
  • gitlab
  • google
  • kakao
  • keycloak
  • linkedin
  • notion
  • twitch
  • twitter
  • slack
  • spotify
  • workos
  • zoom

auth.external.<provider>.client_id

Name                              Default  Required
auth.external.provider.client_id  None     true

Description

Client ID for the external OAuth provider.

auth.external.<provider>.secret

Name                           Default                                       Required
auth.external.provider.secret  env(SUPABASE_AUTH_EXTERNAL_<PROVIDER>_SECRET)  true

Description

Client secret for the external OAuth provider.

DO NOT commit your OAuth provider secret to git. Use environment variable substitution instead.

auth.external.<provider>.url

Name                        Default  Required
auth.external.provider.url  None     false

Description

The base URL used for constructing the URLs to request authorization and access tokens. Used by gitlab and keycloak. For gitlab it defaults to https://gitlab.com. For keycloak you need to set this to your instance, for example: https://keycloak.example.com/realms/myrealm.

auth.external.<provider>.redirect_uri

Name                                 Default  Required
auth.external.provider.redirect_uri  None     false

Description

The URI an OAuth2 provider will redirect to with the code and state values.

auth.external.<provider>.skip_nonce_check

Name                                     Default  Required
auth.external.provider.skip_nonce_check  None     false

Description

Disables nonce validation during the OIDC authentication flow for the specified provider. Enable only when client libraries cannot properly handle nonce verification. Be aware that this reduces security by allowing potential replay attacks with stolen ID tokens.

API Config

api.enabled

Name         Default  Required
api.enabled  true     false

Description

Enable the local PostgREST service.

api.port

Name      Default  Required
api.port  54321    false

Description

Port to use for the API URL.

Usage

[api]
port = 54321

api.schemas

Name         Default                                  Required
api.schemas  ["public", "storage", "graphql_public"]  false

Description

Schemas to expose in your API. Tables, views and functions in these schemas will get API endpoints. public and storage are always included.

api.extra_search_path

Name                   Default                   Required
api.extra_search_path  ["public", "extensions"]  false

Description

Extra schemas to add to the search_path of every request. public is always included.

api.max_rows

Name          Default  Required
api.max_rows  1000     false

Description

The maximum number of rows returned from a view, table, or stored procedure. Limits payload size for accidental or malicious requests.

Database Config

db.port

Name     Default  Required
db.port  54322    false

Description

Port to use for the local database URL.

db.shadow_port

Name            Default  Required
db.shadow_port  54320    false

Description

Port to use for the local shadow database.

db.major_version

Name              Default  Required
db.major_version  15       false

Description

The database major version to use. This has to be the same as your remote database's. Run SHOW server_version; on the remote database to check.

db.pooler.enabled

Name               Default  Required
db.pooler.enabled  false    false

Description

Enable the local PgBouncer service.

db.pooler.port

Name            Default  Required
db.pooler.port  54329    false

Description

Port to use for the local connection pooler.

db.pooler.pool_mode

Name                 Default        Required
db.pooler.pool_mode  "transaction"  false

Description

Specifies when a server connection can be reused by other clients. Configure one of the supported pooler modes: transaction, session.

db.pooler.default_pool_size

Name                         Default  Required
db.pooler.default_pool_size  20       false

Description

How many server connections to allow per user/database pair.

db.pooler.max_client_conn

Name                       Default  Required
db.pooler.max_client_conn  100      false

Description

Maximum number of client connections allowed.

db.seed.enabled

Name             Default  Required
db.seed.enabled  true     false

Description

Enables running seeds when starting or resetting the database.

db.seed.sql_paths

Name               Default         Required
db.seed.sql_paths  ["./seed.sql"]  false

Description

An array of files or glob patterns to find seeds in.

Dashboard Config

studio.enabled

Name            Default  Required
studio.enabled  true     false

Description

Enable the local Supabase Studio dashboard.

studio.port

Name         Default  Required
studio.port  54323    false

Description

Port to use for Supabase Studio.

studio.api_url

Name            Default             Required
studio.api_url  "http://localhost"  false

Description

External URL of the API server that frontend connects to.

Realtime Config

realtime.enabled

Name              Default  Required
realtime.enabled  true     false

Description

Enable the local Realtime service.

realtime.ip_version

Name                 Default  Required
realtime.ip_version  "IPv6"   false

Description

Bind realtime via either IPv4 or IPv6. (default: IPv6)

Storage Config

storage.enabled

Name             Default  Required
storage.enabled  true     false

Description

Enable the local Storage service.

storage.file_size_limit

Name                     Default  Required
storage.file_size_limit  "50MiB"  false

Description

The maximum file size allowed (e.g. "5MB", "500KB").

Edge-Functions Config

functions.<function_name>.enabled

Name                             Default  Required
functions.function_name.enabled  true     false

Description

Controls whether a function is deployed or served. When set to false, the function will be skipped during deployment and won't be served locally. This is useful for disabling demo functions or temporarily disabling a function without removing its code.

functions.<function_name>.verify_jwt

Name                                Default  Required
functions.function_name.verify_jwt  true     false

Description

By default, when you deploy your Edge Functions or serve them locally, it will reject requests without a valid JWT in the Authorization header. Setting this configuration changes the default behavior.

Note that the --no-verify-jwt flag overrides this configuration.

functions.<function_name>.import_map

Name                                Default  Required
functions.function_name.import_map  None     false

Description

Specify the Deno import map file to use for the Function.

Note that the --import-map flag overrides this configuration.

Analytics Config

analytics.enabled

Name               Default  Required
analytics.enabled  false    false

Description

Enable the local Logflare service.

analytics.port

Name            Default  Required
analytics.port  54327    false

Description

Port to use for the local Logflare service.

analytics.vector_port

Name                   Default  Required
analytics.vector_port  54328    false

Description

Port to use for the local syslog ingest service.

analytics.backend

Name               Default     Required
analytics.backend  "postgres"  false

Description

Configure one of the supported backends:

  • postgres
  • bigquery

Local Development Config

inbucket.enabled

Name              Default  Required
inbucket.enabled  true     false

Description

Enable the local InBucket service.

inbucket.port

Name           Default  Required
inbucket.port  54324    false

Description

Port to use for the email testing server web interface.

Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

inbucket.smtp_port

Name                Default  Required
inbucket.smtp_port  54325    false

Description

Port to use for the email testing server SMTP port.

Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

If set, you can access the SMTP server from this port.

inbucket.pop3_port

Name                Default  Required
inbucket.pop3_port  54326    false

Description

Port to use for the email testing server POP3 port.

Emails sent with the local dev setup are not actually sent - rather, they are monitored, and you can view the emails that would have been sent from the web interface.

If set, you can access the POP3 server from this port.