############ # Docker compose override files to layer on top of docker-compose.yml. # Native docker compose COMPOSE_FILE: colon-separated list, base file first. # Manage with: ./run.sh config add|remove # # Examples: # COMPOSE_FILE=docker-compose.yml # COMPOSE_FILE=docker-compose.yml:docker-compose.pg17.yml # ############ COMPOSE_FILE=docker-compose.yml ############ # Secrets # # YOU MUST CHANGE ALL THE DEFAULT VALUES BELOW BEFORE STARTING # THE CONTAINERS FOR THE FIRST TIME! # # Documentation: # https://supabase.com/docs/guides/self-hosting/docker#configuring-and-securing-supabase # # To generate secrets and API keys: # 1. sh utils/generate-keys.sh # 2. sh utils/add-new-auth-keys.sh # ############ # Postgres POSTGRES_PASSWORD=7da49c3b4a62d446430082bd0cb3c238 # Legacy symmetric HS256 key JWT_SECRET=gNAGgi6vYfyMqFMyHT5nbFow1MklGE57/fiap9pA # Legacy API keys (HS256-signed JWTs) ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlzcyI6InN1cGFiYXNlIiwiaWF0IjoxNzgwNjY1NDc0LCJleHAiOjE5MzgzNDU0NzR9.IdSVAHLcELmrQj19YU-7Tb_oI0BwQyADfRDu4qdW1sk SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaXNzIjoic3VwYWJhc2UiLCJpYXQiOjE3ODA2NjU0NzQsImV4cCI6MTkzODM0NTQ3NH0.jvJnzgYVbx1aQOhhs3nBL99LdfPTGoa2haDtpIYW-dU # Asymmetric key pair (ES256) and opaque API keys # # Documentation: # https://supabase.com/docs/guides/self-hosting/self-hosted-auth-keys # # To generate: # sh ./utils/add-new-auth-keys.sh # # Opaque API key for client-side use (anon role). SUPABASE_PUBLISHABLE_KEY=sb_publishable_PNDlYaG13ZGdG67ZlpKlC3_bc8PpuRg # Opaque API key for server-side use (service_role). Never expose in client code. SUPABASE_SECRET_KEY=sb_secret_ePbz8YDnis8hpLJb4z7dMY_oRwPtoUh # JSON array of signing JWKs (EC private + legacy symmetric). # Used by Auth. JWT_KEYS=[{"kty":"EC","kid":"ed13496a-53df-43e8-afb3-2016fe217508","use":"sig","key_ops":["sign","verify"],"alg":"ES256","ext":true,"crv":"P-256","x":"2eIZ3MgewDAJwxrmYJRXjOvZsf3VkWKz8THYYfyHlK8","y":"qad03ZZhMadwdlCkNgI8Lyatjh22EKvNVGsCPq84B18","d":"TPZ3pFwn0bmgKSo6T81PCuJm8BDcNOTqUXbKN6NVkQc"},{"kty":"oct","k":"Z05BR2dpNnZZZnlNcUZNeUhUNW5iRm93MU1rbEdFNTcvZmlhcDlwQQ","alg":"HS256"}] # JWKS for token verification (EC public + legacy symmetric). # Used by PostgREST, Realtime, Storage to verify tokens. JWT_JWKS={"keys":[{"kty":"EC","kid":"71dc613b-7ab3-493c-8df2-cd6c66026e70","use":"sig","key_ops":["verify"],"alg":"ES256","ext":true,"crv":"P-256","x":"TOy2AYvt1WuUNSrxy2eWZQmT5yMmDUKNv74Kz9Yt964","y":"sxNABQp1bA12RZjoVSvp4wWO3GTDDF_U54YrfPP3YlY"},{"kty":"oct","k":"QzFiRUpHNElqcE51dlIxODJZUDZFeFZjN1g0Y2dQU2dsOXF5UGlUQg","alg":"HS256"}]} # Access to Dashboard DASHBOARD_USERNAME=supabase DASHBOARD_PASSWORD=909f5980a3542c84c6ae6bcb82fdf8a0 # Used by Realtime and Supavisor SECRET_KEY_BASE=cnrV6e3IdLYYQRMXW7ya+Q5nNAKj6sX23NDcWPQ1X8za/elrvWI/r96iIa/MRZgo # Used by Supavisor VAULT_ENC_KEY=5a7707d9068ca3fc7473eee5ac372e35 # Used by Studio to access Postgres via postgres-meta PG_META_CRYPTO_KEY=Q7yvLaLiy3T9A97LBmnDUJMjfE3HTbei # Analytics - API tokens for log ingestion/querying, and for management # If Logflare has to be externally exposed - configure securely! # Used in the docker-compose.logs.yml override. LOGFLARE_PUBLIC_ACCESS_TOKEN=dJ78MZD//eVLtP1y0YAA4p+vjTjEvukX LOGFLARE_PRIVATE_ACCESS_TOKEN=3PK3vgvRoX5Np9CxBQ1aQgL7OEC+/SS+ # Access to Storage via S3 protocol endpoint (see below) S3_PROTOCOL_ACCESS_KEY_ID=7791a77abdfbd8dbbb4855ec341388e0 S3_PROTOCOL_ACCESS_KEY_SECRET=46fbaccdd6188dec014200b89e43e5f1c98d95c3be40196defc504190d1d98c0 ############ # URLs - Configure hostnames below to reflect your actual domain name ############ # Access to Dashboard and REST API SUPABASE_PUBLIC_URL=http://localhost:8000 # Full external URL of the Auth service, used to construct OAuth callbacks, # SAML endpoints, and email links API_EXTERNAL_URL=http://localhost:8000 # See also the Auth section below for Site URL and Redirect URLs configuration ############ # Database - Postgres configuration ############ # Using default user (postgres) POSTGRES_HOST=db POSTGRES_DB=postgres # Default configuration includes Supavisor exposing POSTGRES_PORT # Postgres uses POSTGRES_PORT inside the container # Documentation: # https://supabase.com/docs/guides/self-hosting/docker#accessing-postgres-through-supavisor POSTGRES_PORT=5432 ############ # Supavisor - Database pooler ############ # Supavisor exposes POSTGRES_PORT and POOLER_PROXY_PORT_TRANSACTION, # POSTGRES_PORT is used for session mode pooling # # Port to use for transaction mode pooling connections POOLER_PROXY_PORT_TRANSACTION=6543 # Maximum number of PostgreSQL connections Supavisor opens per pool POOLER_DEFAULT_POOL_SIZE=20 # Maximum number of client connections Supavisor accepts per pool POOLER_MAX_CLIENT_CONN=100 # Unique Supavisor tenant identifier # Documentation: # https://supabase.com/docs/guides/self-hosting/docker#accessing-postgres POOLER_TENANT_ID=your-tenant-id # Pool size for internal metadata storage used by Supavisor # This is separate from client connections and used only by Supavisor itself POOLER_DB_POOL_SIZE=5 ############ # Studio - Configuration for the Dashboard ############ STUDIO_DEFAULT_ORGANIZATION=Default Organization STUDIO_DEFAULT_PROJECT=Default Project # Add your OpenAI API key to enable AI Assistant OPENAI_API_KEY=sk-proj-xxxxxxxx ############ # Auth - Configuration for the authentication server ############ ## General settings # Equivalent to "Site URL" and "Redirect URLs" platform configuration options # Documentation: https://supabase.com/docs/guides/auth/redirect-urls SITE_URL=http://localhost:3000 ADDITIONAL_REDIRECT_URLS= JWT_EXPIRY=3600 DISABLE_SIGNUP=false ## Mailer Config MAILER_URLPATHS_CONFIRMATION="/auth/v1/verify" MAILER_URLPATHS_INVITE="/auth/v1/verify" MAILER_URLPATHS_RECOVERY="/auth/v1/verify" MAILER_URLPATHS_EMAIL_CHANGE="/auth/v1/verify" ## Email auth ENABLE_EMAIL_SIGNUP=true ENABLE_EMAIL_AUTOCONFIRM=false SMTP_ADMIN_EMAIL=admin@example.com SMTP_HOST=supabase-mail SMTP_PORT=2500 SMTP_USER=fake_mail_user SMTP_PASS=fake_mail_password SMTP_SENDER_NAME=fake_sender ENABLE_ANONYMOUS_USERS=false ## Phone auth ENABLE_PHONE_SIGNUP=true ENABLE_PHONE_AUTOCONFIRM=true ## OAuth / Social login providers # Uncomment and fill in the providers you want to enable. # You must ALSO uncomment the matching GOTRUE_EXTERNAL_* lines in docker-compose.yml # Documentation: https://supabase.com/docs/guides/self-hosting/self-hosted-oauth # GOOGLE_ENABLED=false # GOOGLE_CLIENT_ID= # GOOGLE_SECRET= # GITHUB_ENABLED=false # GITHUB_CLIENT_ID= # GITHUB_SECRET= # AZURE_ENABLED=false # AZURE_CLIENT_ID= # AZURE_SECRET= # Phone / SMS provider configuration # Uncomment to configure SMS delivery for phone auth and phone MFA. # You must ALSO uncomment the matching GOTRUE_SMS_* lines in docker-compose.yml # Documentation: https://supabase.com/docs/guides/self-hosting/self-hosted-phone-mfa # SMS_PROVIDER=twilio # SMS_OTP_EXP=60 # SMS_OTP_LENGTH=6 # SMS_MAX_FREQUENCY=60s # SMS_TEMPLATE=Your code is {{ .Code }} # SMS_TWILIO_ACCOUNT_SID= # SMS_TWILIO_AUTH_TOKEN= # SMS_TWILIO_MESSAGE_SERVICE_SID= # Test OTP: map phone numbers to fixed OTP codes for development # Format: phone1:code1,phone2:code2 # SMS_TEST_OTP= # Multi-factor authentication (MFA) # Uncomment to change MFA defaults. # You must ALSO uncomment the matching GOTRUE_MFA_* lines in docker-compose.yml # App Authenticator (TOTP) - enabled by default # MFA_TOTP_ENROLL_ENABLED=true # MFA_TOTP_VERIFY_ENABLED=true # Phone MFA - disabled by default (opt-in) # MFA_PHONE_ENROLL_ENABLED=false # MFA_PHONE_VERIFY_ENABLED=false # Maximum MFA factors a user can enroll # MFA_MAX_ENROLLED_FACTORS=10 ## SAML SSO # You must ALSO uncomment the matching GOTRUE_* lines in docker-compose.yml # Documentation: https://supabase.com/docs/guides/self-hosting/self-hosted-saml-sso # SAML_ENABLED=true # SAML_PRIVATE_KEY= # Optional: accept encrypted SAML assertions from IdPs (default: false) # SAML_ALLOW_ENCRYPTED_ASSERTIONS=false # Optional: how long relay state tokens remain valid (default: 2m0s) # SAML_RELAY_STATE_VALIDITY_PERIOD=2m0s # Optional: override the SAML entity ID / ACS base URL # Defaults to API_EXTERNAL_URL if not set # SAML_EXTERNAL_URL=https://supabase.example.com:8000 # Optional: rate limit on the ACS endpoint (requests per second, default: 15) # SAML_RATE_LIMIT_ASSERTION=15 ############ # Storage - Configuration for Storage ############ # Check the S3_PROTOCOL_ACCESS_KEY_ID/SECRET above, and # refer to the documentation at: # https://supabase.com/docs/guides/self-hosting/self-hosted-s3 # to learn how to configure the S3 protocol endpoint # S3 bucket when using S3 backend, directory name when using 'file' GLOBAL_S3_BUCKET=stub # Used for S3 protocol endpoint configuration REGION=stub # Used by MinIO when added via: # docker compose -f docker-compose.yml -f docker-compose.s3.yml up -d MINIO_ROOT_USER=supa-storage MINIO_ROOT_PASSWORD=2cc00cf3c9aa04b63d22b8e9549deae6 # Equivalent to project_ref as described here: # https://supabase.com/docs/guides/storage/s3/authentication#session-token STORAGE_TENANT_ID=stub ############ # Functions - Configuration for Edge functions ############ # Documentation: # https://supabase.com/docs/guides/self-hosting/self-hosted-functions # NOTE: VERIFY_JWT applies to all functions FUNCTIONS_VERIFY_JWT=false ############ # API - Configuration for PostgREST ############ # Postgres schemas exposed via the REST API PGRST_DB_SCHEMAS=public,storage,graphql_public # Max number of rows returned by a request PGRST_DB_MAX_ROWS=1000 # Extra schemas added to the search_path of every request PGRST_DB_EXTRA_SEARCH_PATH=public ############ # Logs and Analytics ############ ## Vector log collection and routing # Docker socket location - required for proper Vector operation DOCKER_SOCKET_LOCATION=/var/run/docker.sock # For Podman use the following: # DOCKER_SOCKET_LOCATION=/run/podman/podman.sock ## Analytics (Logflare) # Check the LOGFLARE_* access token configuration _above_. # If Logflare has to be externally exposed - configure securely! # Google Cloud Project details # Documentation: # https://supabase.com/docs/reference/self-hosting-analytics/introduction GOOGLE_PROJECT_ID=GOOGLE_PROJECT_ID GOOGLE_PROJECT_NUMBER=GOOGLE_PROJECT_NUMBER ############ # API gateway ############ # Kong configuration variables KONG_HTTP_PORT=8000 KONG_HTTPS_PORT=8443 # Used internally by the API gateway - DO NOT use in any client or server code. # Pre-signed ES256 JWT "API key" for anon role. ANON_KEY_ASYMMETRIC=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImVkMTM0OTZhLTUzZGYtNDNlOC1hZmIzLTIwMTZmZTIxNzUwOCJ9.eyJyb2xlIjoiYW5vbiIsImlzcyI6InN1cGFiYXNlIiwiaWF0IjoxNzgwNjY1NDk0LCJleHAiOjE5MzgzNDU0OTR9.rhh-E42KhEp6F_znI-fT9PrBFOANyk89xuzcdlwrMfQ5tBVnHr-oHt088yLn0G_qzpuG-3p8L3RpCBCjiQC3yw # Pre-signed ES256 JWT "API key" for service_role. SERVICE_ROLE_KEY_ASYMMETRIC=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImVkMTM0OTZhLTUzZGYtNDNlOC1hZmIzLTIwMTZmZTIxNzUwOCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaXNzIjoic3VwYWJhc2UiLCJpYXQiOjE3ODA2NjU0OTQsImV4cCI6MTkzODM0NTQ5NH0.qaoG8kfkwXDw1ap0R3k1mqn-NLItjxxrOn9BWiXXwIs40dXTfcW1hEx2NlUWKR_-VJuFg1GpiS3kBrrGs-WqjA ############ # imgproxy ############ # Enable webp support IMGPROXY_AUTO_WEBP=true ############ # TLS Proxy - Optional Caddy or Nginx reverse proxy with Let's Encrypt ############ # Documentation: # https://supabase.com/docs/guides/self-hosting/self-hosted-proxy-https # Usage: # docker compose -f docker-compose.yml -f docker-compose.caddy.yml up -d # docker compose -f docker-compose.yml -f docker-compose.nginx.yml up -d # Domain name for the proxy (must point to your server) PROXY_DOMAIN=your-domain.example.com # Email for Let's Encrypt certificate notifications (nginx only, Caddy uses PROXY_DOMAIN). # This should be a valid email, not a placehoder (otherwise Certbot may fail to start). CERTBOT_EMAIL=admin@example.com