1 change: 0 additions & 1 deletion .github/CODEOWNERS
Expand Up @@ -15,6 +15,5 @@

/apps/studio/csp.js @supabase/security
/apps/studio/components/interfaces/Billing/Payment @supabase/security
/apps/studio/components/interfaces/Organization/BillingSettings/ @supabase/security
/apps/studio/components/interfaces/Organization/Documents/ @supabase/security
/apps/studio/pages/new/index.tsx @supabase/security
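Review bot: Which of the five `@supabase/security` paths is the deleted line is not visible in this view, and nothing here says why it is being dropped; name the removed path and confirm it no longer exists in the tree, because removing a still-live studio path from this file silently takes away its mandatory security review.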
Expand Up @@ -793,6 +793,7 @@ export const auth: NavMenuConstant = {
{ name: 'Password Security', url: '/guides/auth/password-security' },
{ name: 'Rate Limits', url: '/guides/auth/rate-limits' },
{ name: 'Bot Detection (CAPTCHA)', url: '/guides/auth/auth-captcha' },
{ name: 'Audit Logs', url: '/guides/auth/audit-logs' },
{
name: 'JSON Web Tokens (JWT)',
url: '/guides/auth/jwts',
90 changes: 90 additions & 0 deletions apps/docs/content/guides/auth/audit-logs.mdx
@@ -0,0 +1,90 @@
---
id: 'auth-audit-logs'
title: 'Auth Audit Logs'
description: 'Monitor and track authentication events with audit logging.'
subtitle: 'Monitor and track authentication events with audit logging.'
---

Auth audit logs provide comprehensive tracking of authentication events in your Supabase project. Audit logs are automatically captured for all authentication events and help you monitor user authentication activities, detect suspicious behavior, and maintain compliance with security requirements.

## What gets logged

Supabase auth audit logs automatically capture all authentication events including:

- User signups and logins
- Password changes and resets
- Email verification events
- Token refresh and logout events

## Storage options

By default, audit logs are stored in two places:

1. **Your project's Postgres database** - Stored in the `auth.audit_log_entries` table, searchable via SQL but uses database storage
2. **External log storage** - Cost-efficient storage accessible through the dashboard

You can disable Postgres storage to reduce database storage costs while keeping the external log storage.

### Configuring audit log storage

1. Navigate to your project dashboard
2. Go to **Authentication**
3. Find the **Audit Logs** under **Configuration** section
4. Toggle on "Disable writing auth audit logs to project database" to disable database storage

<Admonition type="tip">

Disabling Postgres storage reduces your database storage costs. Audit logs will still be available through the dashboard.

</Admonition>

## Log format

Audit logs contain detailed information about each authentication event:

```json
{
"timestamp": "2025-08-01T10:30:00Z",
"user_id": "uuid",
"action": "user_signedup",
"ip_address": "192.168.1.1",
"user_agent": "Mozilla/5.0...",
"metadata": {
"provider": "email"
}
}
```

### Log actions reference

| Action | Description |
| ------------------------------- | --------------------------------------- |
| `login` | User login attempt |
| `logout` | User logout |
| `invite_accepted` | Team invitation accepted |
| `user_signedup` | New user registration |
| `user_invited` | User invitation sent |
| `user_deleted` | User account deleted |
| `user_modified` | User profile updated |
| `user_recovery_requested` | Password reset request |
| `user_reauthenticate_requested` | User reauthentication required |
| `user_confirmation_requested` | Email/phone confirmation requested |
| `user_repeated_signup` | Duplicate signup attempt |
| `user_updated_password` | Password change completed |
| `token_revoked` | Refresh token revoked |
| `token_refreshed` | Refresh token used to obtain new tokens |
| `generate_recovery_codes` | MFA recovery codes generated |
| `factor_in_progress` | MFA factor enrollment started |
| `factor_unenrolled` | MFA factor removed |
| `challenge_created` | MFA challenge initiated |
| `verification_attempted` | MFA verification attempt |
| `factor_deleted` | MFA factor deleted |
| `recovery_codes_deleted` | MFA recovery codes deleted |
| `factor_updated` | MFA factor settings updated |
| `mfa_code_login` | Login with MFA code |
| `identity_unlinked` | An identity unlinked from account |

## Limitations

- There may be a short delay before logs appear
- Query capabilities are limited to the dashboard interface
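Review bot: The Storage options list and the Limitations section contradict each other: the first says `auth.audit_log_entries` is "searchable via SQL", the second says "Query capabilities are limited to the dashboard interface". Make the limitation conditional ("When writing to the project database is disabled, logs can only be queried through the dashboard") and add the same caveat to the tip admonition, since flipping the "Disable writing auth audit logs to project database" toggle removes SQL access and any alerting built on it. Two smaller points in the same file: the Log format sample uses the placeholder `"uuid"` for `user_id` and its field names should be checked against what is actually written to `auth.audit_log_entries`, and the `login` row ("User login attempt") should state whether failed attempts are recorded, because that decides whether these logs can back brute-force detection.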
2 changes: 1 addition & 1 deletion apps/docs/content/guides/auth/jwts.mdx
Expand Up @@ -179,7 +179,7 @@ Supabase Auth exposes a [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc
GET https://project-id.supabase.co/auth/v1/.well-known/jwks.json
```

Which responds with JWKS object containing one or more asymmetric [JWT signing keys](/docs/guides/auth/signing-keys) (only their public keys).
Which responds with JWKS object containing one or more asymmetric [JWT signing keys](/docs/guides/auth/signing-keys) (only their public keys). Be aware that this endpoint does not return any keys if you are not using asymmetric JWT signing keys.

```json
{
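Review bot: The added sentence should say what the endpoint does return when no asymmetric signing keys are configured (an empty `keys` array, an error status, or something else), because JWT libraries handle an empty JWKS differently: some fail closed, others cache the empty set until the next refresh and reject every token in the meantime. While editing this line, fix the pre-existing grammar as well: "Which responds with a JWKS object".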
34 changes: 17 additions & 17 deletions apps/docs/content/guides/auth/users.mdx
Expand Up @@ -56,23 +56,23 @@ A user with an email or phone identity will be able to sign in with either a pas

The user object contains the following attributes:

| Attributes | Type | Description |
| ------------------ | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| id | `string` | The unique id of the identity of the user. |
| aud | `string` | The audience claim. |
| role | `string` | The role claim used by Postgres to perform Row Level Security (RLS) checks. |
| email | `string` | The user's email address. |
| email_confirmed_at | `string` | The timestamp that the user's email was confirmed. If null, it means that the user's email is not confirmed. |
| phone | `string` | The user's phone number. |
| phone_confirmed_at | `string` | The timestamp that the user's phone was confirmed. If null, it means that the user's phone is not confirmed. |
| confirmed_at | `string` | The timestamp that either the user's email or phone was confirmed. If null, it means that the user does not have a confirmed email address and phone number. |
| last_sign_in_at | `string` | The timestamp that the user last signed in. |
| app_metadata | `object` | The `provider` attribute indicates the first provider that the user used to sign up with. The `providers` attribute indicates the list of providers that the user can use to login with. |
| user_metadata | `object` | Defaults to the first provider's identity data but can contain additional custom user metadata if specified. Refer to [**User Identity**](/docs/guides/auth/auth-identity-linking#the-user-identity) for more information about the identity object. |
| identities | `UserIdentity[]` | Contains an object array of identities linked to the user. |
| created_at | `string` | The timestamp that the user was created. |
| updated_at | `string` | The timestamp that the user was last updated. |
| is_anonymous | `boolean` | Is true if the user is an anonymous user. |
| Attributes | Type | Description |
| ------------------ | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| id | `string` | The unique id of the identity of the user. |
| aud | `string` | The audience claim. |
| role | `string` | The role claim used by Postgres to perform Row Level Security (RLS) checks. |
| email | `string` | The user's email address. |
| email_confirmed_at | `string` | The timestamp that the user's email was confirmed. If null, it means that the user's email is not confirmed. |
| phone | `string` | The user's phone number. |
| phone_confirmed_at | `string` | The timestamp that the user's phone was confirmed. If null, it means that the user's phone is not confirmed. |
| confirmed_at | `string` | The timestamp that either the user's email or phone was confirmed. If null, it means that the user does not have a confirmed email address and phone number. |
| last_sign_in_at | `string` | The timestamp that the user last signed in. |
| app_metadata | `object` | The `provider` attribute indicates the first provider that the user used to sign up with. The `providers` attribute indicates the list of providers that the user can use to login with. |
| user_metadata | `object` | Defaults to the first provider's identity data but can contain additional custom user metadata if specified. Refer to [**User Identity**](/docs/guides/auth/auth-identity-linking#the-user-identity) for more information about the identity object. Don't rely on the order of information in this field. Do not use it in security sensitive context (such as in RLS policies or authorization logic), as this value is editable by the user without any checks. |
| identities | `UserIdentity[]` | Contains an object array of identities linked to the user. |
| created_at | `string` | The timestamp that the user was created. |
| updated_at | `string` | The timestamp that the user was last updated. |
| is_anonymous | `boolean` | Is true if the user is an anonymous user. |

## Resources
