feat: replace get_anon_key with get_anon_or_publishable_keys

- Replace get_anon_key tool with get_anon_or_publishable_keys to support both legacy and modern API keys
- Add ApiKeyType type and apiKeyTypeSchema for proper type safety
- Update getAnonOrPublishableKeys to return array of structured ApiKey objects
- Filter for client-safe keys (legacy 'anon' or 'publishable' type)
- Update tests to verify both legacy and publishable keys are returned
- Update README documentation to reflect new tool
- Improve error messages and provide guidance on key types

Fixes AI-166

Author: Rodriguespn

README.md

@@ -195,7 +195,7 @@ Enabled by default. Use `debugging` to target this group of tools with the [`fea
 Enabled by default. Use `development` to target this group of tools with the [`features`](#feature-groups) option.
 
 - `get_project_url`: Gets the API URL for a project.
-- `get_anon_key`: Gets the anonymous API key for a project.
+- `get_anon_or_publishable_keys`: Gets the anonymous API keys for a project. Returns an array of client-safe API keys including legacy anon keys and modern publishable keys. Publishable keys are recommended for new applications.
 - `generate_typescript_types`: Generates TypeScript types based on the database schema. LLMs can save this to a file and use it in their code.
 
 #### Edge Functions

packages/mcp-server-supabase/src/platform/api-platform.ts

@@ -21,6 +21,8 @@ import {
   getLogsOptionsSchema,
   resetBranchOptionsSchema,
   type AccountOperations,
+  type ApiKey,
+  type ApiKeyType,
   type ApplyMigrationOptions,
   type BranchingOperations,
   type CreateBranchOptions,
@@ -298,7 +300,7 @@ export function createSupabaseApiPlatform(
       const apiUrl = new URL(managementApiUrl);
       return `https://${projectId}.${getProjectDomain(apiUrl.hostname)}`;
     },
-    async getAnonKey(projectId: string): Promise<string> {
+    async getAnonOrPublishableKeys(projectId: string): Promise<ApiKey[]> {
       const response = await managementApiClient.GET(
         '/v1/projects/{ref}/api-keys',
         {
@@ -315,13 +317,24 @@ export function createSupabaseApiPlatform(
 
       assertSuccess(response, 'Failed to fetch API keys');
 
-      const anonKey = response.data?.find((key) => key.name === 'anon');
+      // Filter for client-safe keys: legacy 'anon' or publishable type
+      const clientKeys = response.data?.filter(
+        (key) => key.name === 'anon' || key.type === 'publishable'
+      ) ?? [];
 
-      if (!anonKey?.api_key) {
-        throw new Error('Anonymous key not found');
+      if (clientKeys.length === 0) {
+        throw new Error(
+          'No client-safe API keys (anon or publishable) found. Please create a publishable key in your project settings.'
+        );
       }
 
-      return anonKey.api_key;
+      return clientKeys.map((key) => ({
+        api_key: key.api_key!,
+        name: key.name,
+        type: (key.type === 'publishable' ? 'publishable' : 'legacy') satisfies ApiKeyType,
+        description: key.description ?? undefined,
+        id: key.id ?? undefined,
+      }));
     },
     async generateTypescriptTypes(projectId: string) {
       const response = await managementApiClient.GET(

packages/mcp-server-supabase/src/platform/types.ts

@@ -208,9 +208,20 @@ export type DebuggingOperations = {
   getPerformanceAdvisors(projectId: string): Promise<unknown>;
 };
 
+export const apiKeyTypeSchema = z.enum(['legacy', 'publishable']);
+export type ApiKeyType = z.infer<typeof apiKeyTypeSchema>;
+
+export type ApiKey = {
+  api_key: string;
+  name: string;
+  type: ApiKeyType;
+  description?: string;
+  id?: string;
+};
+
 export type DevelopmentOperations = {
   getProjectUrl(projectId: string): Promise<string>;
-  getAnonKey(projectId: string): Promise<string>;
+  getAnonOrPublishableKeys(projectId: string): Promise<ApiKey[]>;
   generateTypescriptTypes(
     projectId: string
   ): Promise<GenerateTypescriptTypesResult>;

packages/mcp-server-supabase/src/server.test.ts

@@ -606,7 +606,7 @@ describe('tools', () => {
     expect(result).toEqual(`https://${project.id}.supabase.co`);
   });
 
-  test('get anon key', async () => {
+  test('get anon or publishable keys', async () => {
     const { callTool } = await setup();
     const org = await createOrganization({
       name: 'My Org',
@@ -621,12 +621,28 @@ describe('tools', () => {
     project.status = 'ACTIVE_HEALTHY';
 
     const result = await callTool({
-      name: 'get_anon_key',
+      name: 'get_anon_or_publishable_keys',
       arguments: {
         project_id: project.id,
       },
     });
-    expect(result).toEqual('dummy-anon-key');
+
+    expect(result).toBeInstanceOf(Array);
+    expect(result.length).toBe(2);
+    
+    // Check legacy anon key
+    const anonKey = result.find((key: any) => key.name === 'anon');
+    expect(anonKey).toBeDefined();
+    expect(anonKey.api_key).toEqual('dummy-anon-key');
+    expect(anonKey.type).toEqual('legacy');
+    expect(anonKey.id).toEqual('anon-key-id');
+    
+    // Check publishable key
+    const publishableKey = result.find((key: any) => key.type === 'publishable');
+    expect(publishableKey).toBeDefined();
+    expect(publishableKey.api_key).toEqual('sb_publishable_dummy_key_1');
+    expect(publishableKey.type).toEqual('publishable');
+    expect(publishableKey.description).toEqual('Main publishable key');
   });
 
   test('list storage buckets', async () => {
@@ -2607,7 +2623,7 @@ describe('feature groups', () => {
 
     expect(toolNames).toEqual([
       'get_project_url',
-      'get_anon_key',
+      'get_anon_or_publishable_keys',
       'generate_typescript_types',
     ]);
   });

packages/mcp-server-supabase/src/tools/development-tools.ts

@@ -31,10 +31,10 @@ export function getDevelopmentTools({
         return development.getProjectUrl(project_id);
       },
     }),
-    get_anon_key: injectableTool({
-      description: 'Gets the anonymous API key for a project.',
+    get_anon_or_publishable_keys: injectableTool({
+      description: 'Gets the anonymous API keys for a project. Returns an array of client-safe API keys that can be used in your application code. This includes legacy anon keys (JWT-based) and modern publishable keys (format: sb_publishable_...). Publishable keys are the recommended approach for new applications as they provide better security and can be rotated independently. These keys are safe to expose in client-side code.',
       annotations: {
-        title: 'Get anon key',
+        title: 'Get anon or publishable keys',
         readOnlyHint: true,
         destructiveHint: false,
         idempotentHint: true,
@@ -45,7 +45,7 @@ export function getDevelopmentTools({
       }),
       inject: { project_id },
       execute: async ({ project_id }) => {
-        return development.getAnonKey(project_id);
+        return development.getAnonOrPublishableKeys(project_id);
       },
     }),
     generate_typescript_types: injectableTool({

packages/mcp-server-supabase/test/mocks.ts

@@ -251,6 +251,15 @@ export const mockManagementApi = [
       {
         name: 'anon',
         api_key: 'dummy-anon-key',
+        type: 'legacy',
+        id: 'anon-key-id',
+      },
+      {
+        name: 'publishable-key-1',
+        api_key: 'sb_publishable_dummy_key_1',
+        type: 'publishable',
+        id: 'publishable-key-1-id',
+        description: 'Main publishable key',
       },
     ]);
   }),