fix: correctly parse JWT ValidMethods from env by enabling split_words

Open singh-inder opened this issue 2 days ago • 1 comments

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

JWT ValidMethods not parsed from env because split_words was missing on the struct tag, causing envconfig to look for GOTRUE_JWT_VALIDMETHODS instead of GOTRUE_JWT_VALID_METHODS. Since v2.71.1, cli defaults to asymmetric keys, which caused valid HS256 tokens to be rejected.

What is the new behavior?

This change adds split_words to ensure the correct env var is used. I assume that GOTRUE_JWT_VALID_METHODS is the correct env var but if it isn't, then this issue can also be solved by updating the env var passed to auth service in supabase cli to

			env = append(env, "GOTRUE_JWT_VALIDMETHODS=HS256,RS256,ES256")

Additional context

The following screenshots are from print statements I added

  1. config.JWT.ValidMethods was nil because it was looking for the wrong env var. It defaulted to the jwk key algorithm (ES256). https://github.com/supabase/auth/blob/645654df63a3da7929840659c065f6a9cdd4ba96/internal/conf/configuration.go#L1092-L1097

     [Screenshot 2026-01-17 041756]

     [Screenshot 2026-01-17 042002]
  2. After [image]

singh-inder, Jan 16 '26 23:01
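The name mismatch described in this PR, as an added example that is not code from the PR or from supabase/auth: a standard-library-only model of how a struct-tag-driven loader derives the variable name with and without split_words, plus a startup check that reports prefixed variables no field consumed. The splitting regex is a simplified assumption about camel-case splitting, and `jwtBefore`, `jwtAfter`, `envKey` and `load` are hypothetical names.

```go
package main

import (
	"fmt"
	"reflect"
	"regexp"
	"sort"
	"strings"
)

// Simplified camel-case splitter (assumption, not the envconfig source).
var wordRe = regexp.MustCompile(`[A-Z]+[^A-Z]*|[^A-Z]+`)

// envKey returns the variable name a loader would look up for field f.
func envKey(prefix string, f reflect.StructField) string {
	name := f.Name
	if f.Tag.Get("split_words") == "true" {
		name = strings.Join(wordRe.FindAllString(f.Name, -1), "_")
	}
	return strings.ToUpper(prefix + "_" + name)
}

// Constructed structs mirroring the field before and after the tag change.
type jwtBefore struct{ ValidMethods []string }
type jwtAfter struct {
	ValidMethods []string `split_words:"true"`
}

// load fills the []string fields of cfg (pointer to struct) from env and
// returns the prefixed variables that matched no field, sorted.
func load(prefix string, env map[string]string, cfg interface{}) []string {
	v := reflect.ValueOf(cfg).Elem()
	seen := map[string]bool{}
	for i := 0; i < v.NumField(); i++ {
		key := envKey(prefix, v.Type().Field(i))
		seen[key] = true
		if raw, ok := env[key]; ok {
			v.Field(i).Set(reflect.ValueOf(strings.Split(raw, ",")))
		}
	}
	var unused []string
	for k := range env {
		if strings.HasPrefix(k, prefix+"_") && !seen[k] {
			unused = append(unused, k)
		}
	}
	sort.Strings(unused)
	return unused
}

func main() {
	// Constructed environment: the variable name from the PR description.
	env := map[string]string{"GOTRUE_JWT_VALID_METHODS": "HS256,RS256,ES256"}
	var b jwtBefore
	var a jwtAfter
	fmt.Println(load("GOTRUE_JWT", env, &b), b.ValidMethods)
	fmt.Println(load("GOTRUE_JWT", env, &a), a.ValidMethods)
}
```

Failing startup when the unused list is non-empty turns a silently ignored security setting into a visible configuration error.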