JWT signing keys in local development yields client failure

[afnan-davia]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

I migrated my production supabase to JWT signing keys and the Python supabase client works perfectly. However, when I try to set it up locally with signing_keys_path = "./signing_keys.json" in my config.toml I get:

APIError: {'message': 'No suitable key or wrong key type', 'code': 'PGRST301', 'hint': None, 'details': None}

To Reproduce

1. Create a simple local setup with supabase with signing_keys_path = "./signing_keys.json" in config.toml
2. Generate signing keys with the following command and save it under the supabase folder in signing_keys.json:

supabase gen signing-key --algorithm ES256

3. Start the local development platform
4. Create a Python program with:

from supabase import create_client

supabase = create_client(
    "http://127.0.0.1:54321",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU",
)

result = supabase.table("threads").select("*").execute()

5. See error

If you comment out signing_keys_path = "./signing_keys.json" in config.toml and start supabase again, it will work fine.

Expected behavior

APIResponse[TypeVar](data=[], count=None)

System information

• OS: macOS
• Supabase CLI: 2.34.3
• supabase 2.18.1
• supabase-auth 2.12.3
• supabase-functions 0.10.1

[silentworks]

I've tested this and cannot replicate the issue you are having. I'm using the latest beta version (2.38.2) of the CLI without any issues. I did test with the version (2.34.3) you mentioned and the SUPABASE_KEY generated is in the old format and not the new format like you have in your example above.

[emghost779]

Hello 👋
The error occurs because the local Supabase instance is configured to verify JWTs with ES256 keys (signing_keys.json), but the provided token is signed with HS256. This algorithm mismatch causes verification to fail.

To fix: Use JWTs signed with ES256 that match the local signing keys, or remove signing_keys_path and use HS256 tokens instead.

[afnan-davia]

Hello 👋 The error occurs because the local Supabase instance is configured to verify JWTs with ES256 keys (signing_keys.json), but the provided token is signed with HS256. This algorithm mismatch causes verification to fail.

To fix: Use JWTs signed with ES256 that match the local signing keys, or remove signing_keys_path and use HS256 tokens instead.

What should I do to be able to get a permanent key that I can put in create_client, like the secret key that is available on Supabase's database? The service_role key when I do supabase status yields an HS256 signed key...

[christopheragnus]

This is still happening as of October. I switched over to asymmetric JWTs on production but there's no way I can test on local.

[noook]

I think it's the content of your signing_keys.json that causes the issue.

It shouldn't be an object but directly an array:

// signing_keys.json
[
    {
        "kty": "EC",
        "kid": "<kid>",
        "use": "sig",
        "key_ops": [
            "sign",
            "verify"
        ],
        "alg": "ES256",
        "ext": true,
        "d": "<d>",
        "crv": "P-256",
        "x": "<x>",
        "y": "<y>"
    }
]

[peremunoz]

I think it's the content of your signing_keys.json that causes the issue.

It shouldn't be an object but directly an array:

// signing_keys.json
[
{
"kty": "EC",
"kid": "",
"use": "sig",
"key_ops": [
"sign",
"verify"
],
"alg": "ES256",
"ext": true,
"d": "",
"crv": "P-256",
"x": "",
"y": ""
}
]

this worked for me, but it is so confusing to be honest, no idea after getting the error of what is the expected format