supabase · sweatybridge · Jul 29, 2025 · Jul 29, 2025
@@ -176,16 +176,11 @@ var (
 
 func checkHTTPHead(ctx context.Context, path string) error {
 	healthOnce.Do(func() {
-		server := utils.Config.Api.ExternalUrl
-		header := func(req *http.Request) {
-			req.Header.Add("apikey", utils.Config.Auth.AnonKey.Value)
-		}
-		client := NewKongClient()
-		healthClient = fetcher.NewFetcher(
-			server,
-			fetcher.WithHTTPClient(client),
-			fetcher.WithRequestEditor(header),
-			fetcher.WithExpectedStatus(http.StatusOK),
+		healthClient = fetcher.NewServiceGateway(
+			utils.Config.Api.ExternalUrl,
+			utils.Config.Auth.AnonKey.Value,
+			fetcher.WithHTTPClient(NewKongClient()),
+			fetcher.WithUserAgent("SupabaseCLI/"+utils.Version),
 		)
 	})
 	// HEAD method does not return response body

@@ -28,21 +28,19 @@ func NewStorageAPI(ctx context.Context, projectRef string) (storage.StorageAPI,
 }
 
 func newLocalClient() *fetcher.Fetcher {
-	client := status.NewKongClient()
-	return fetcher.NewFetcher(
+	return fetcher.NewServiceGateway(
 		utils.Config.Api.ExternalUrl,
-		fetcher.WithHTTPClient(client),
-		fetcher.WithBearerToken(utils.Config.Auth.ServiceRoleKey.Value),
+		utils.Config.Auth.ServiceRoleKey.Value,
+		fetcher.WithHTTPClient(status.NewKongClient()),
 		fetcher.WithUserAgent("SupabaseCLI/"+utils.Version),
-		fetcher.WithExpectedStatus(http.StatusOK),
 	)
 }
 
 func newRemoteClient(projectRef, token string) *fetcher.Fetcher {
-	return fetcher.NewFetcher(
+	return fetcher.NewServiceGateway(
 		"https://"+utils.GetSupabaseHost(projectRef),
-		fetcher.WithBearerToken(token),
+		token,
+		fetcher.WithHTTPClient(http.DefaultClient),
 		fetcher.WithUserAgent("SupabaseCLI/"+utils.Version),
-		fetcher.WithExpectedStatus(http.StatusOK),
 	)
 }
@@ -2,8 +2,7 @@ package tenant
 
 import (
 	"context"
-	"net/http"
-	"time"
+	"strings"
 
 	"github.com/go-errors/errors"
 	"github.com/supabase/cli/internal/utils"
@@ -32,16 +31,41 @@ func NewApiKey(resp []api.ApiKeyResponse) ApiKey {
 		if err != nil {
 			continue
 		}
+		if t, err := key.Type.Get(); err == nil {
+			switch t {
+			case api.ApiKeyResponseTypePublishable:
+				result.Anon = value
+				continue
+			case api.ApiKeyResponseTypeSecret:
+				if isServiceRole(key) {
+					result.ServiceRole = value
+				}
+				continue
+			}
+		}
 		switch key.Name {
 		case "anon":
-			result.Anon = value
+			if len(result.Anon) == 0 {
+				result.Anon = value
+			}
 		case "service_role":
-			result.ServiceRole = value
+			if len(result.ServiceRole) == 0 {
+				result.ServiceRole = value
+			}
 		}
 	}
 	return result
 }
 
+func isServiceRole(key api.ApiKeyResponse) bool {
+	if tmpl, err := key.SecretJwtTemplate.Get(); err == nil {
+		if role, ok := tmpl["role"].(string); ok {
+			return strings.EqualFold(role, "service_role")
+		}
+	}
+	return false
+}
+
 func GetApiKeys(ctx context.Context, projectRef string) (ApiKey, error) {
 	resp, err := utils.GetSupabase().V1GetProjectApiKeysWithResponse(ctx, projectRef, &api.V1GetProjectApiKeysParams{})
 	if err != nil {
@@ -62,19 +86,9 @@ type TenantAPI struct {
 }
 
 func NewTenantAPI(ctx context.Context, projectRef, anonKey string) TenantAPI {
-	server := "https://" + utils.GetSupabaseHost(projectRef)
-	client := &http.Client{
-		Timeout: 10 * time.Second,
-	}
-	header := func(req *http.Request) {
-		req.Header.Add("apikey", anonKey)
-	}
-	api := TenantAPI{Fetcher: fetcher.NewFetcher(
-		server,
-		fetcher.WithHTTPClient(client),
-		fetcher.WithRequestEditor(header),
+	return TenantAPI{Fetcher: fetcher.NewServiceGateway(
+		"https://"+utils.GetSupabaseHost(projectRef),
+		anonKey,
 		fetcher.WithUserAgent("SupabaseCLI/"+utils.Version),
-		fetcher.WithExpectedStatus(http.StatusOK),
 	)}
-	return api
 }
@@ -131,24 +131,21 @@ func TestGetApiKeys(t *testing.T) {
 }
 
 func TestNewTenantAPI(t *testing.T) {
-	t.Run("creates tenant api client", func(t *testing.T) {
-		projectRef := apitest.RandomProjectRef()
-		anonKey := "test-key"
-
-		api := NewTenantAPI(context.Background(), projectRef, anonKey)
+	projectRef := apitest.RandomProjectRef()
+	anonKey := "test-key"
 
-		assert.NotNil(t, api.Fetcher)
+	api := NewTenantAPI(context.Background(), projectRef, anonKey)
+	assert.NotNil(t, api.Fetcher)
 
-		defer gock.OffAll()
-		gock.New("https://"+utils.GetSupabaseHost(projectRef)).
-			Get("/test").
-			MatchHeader("apikey", anonKey).
-			MatchHeader("User-Agent", "SupabaseCLI/"+utils.Version).
-			Reply(http.StatusOK)
+	defer gock.OffAll()
+	gock.New("https://"+utils.GetSupabaseHost(projectRef)).
+		Get("/test").
+		MatchHeader("Authorization", "Bearer "+anonKey).
+		MatchHeader("User-Agent", "SupabaseCLI/"+utils.Version).
+		Reply(http.StatusOK)
 
-		_, err := api.Send(context.Background(), http.MethodGet, "/test", nil)
+	_, err := api.Send(context.Background(), http.MethodGet, "/test", nil)
 
-		assert.NoError(t, err)
-		assert.Empty(t, apitest.ListUnmatchedRequests())
-	})
+	assert.NoError(t, err)
+	assert.Empty(t, apitest.ListUnmatchedRequests())
 }
@@ -0,0 +1,28 @@
+package fetcher
+
+import (
+	"net/http"
+	"strings"
+	"time"
+)
+
+func NewServiceGateway(server, token string, overrides ...FetcherOption) *Fetcher {
+	opts := append([]FetcherOption{
+		WithHTTPClient(&http.Client{
+			Timeout: 10 * time.Second,
+		}),
+		withAuthToken(token),
+		WithExpectedStatus(http.StatusOK),
+	}, overrides...)
+	return NewFetcher(server, opts...)
+}
+
+func withAuthToken(token string) FetcherOption {
+	if strings.HasPrefix(token, "sb_") {
+		header := func(req *http.Request) {
+			req.Header.Add("apikey", token)
+		}
+		return WithRequestEditor(header)
+	}
+	return WithBearerToken(token)
+}