Supabase
Sync secrets to Supabase Edge Function secrets directly from the SikkerKey dashboard.
SikkerKey syncs your vault secrets directly to Supabase Edge Function secrets. Your functions read them as environment variables via Deno.env.get(). When a secret rotates in SikkerKey, the new value is pushed to Supabase automatically, and functions pick it up on their next invocation without a redeploy.
How It Works
- From the dashboard, go to Integrations and expand Supabase Edge Functions
- Click Connect Supabase to open the connection modal
- Generate a Personal Access Token from your Supabase account tokens page and paste it into the modal
- SikkerKey validates the token against the Supabase Management API before storing it; the modal closes on success
- Back on the dashboard, click + Add Project and select a Supabase project
- Click Manage secrets to choose which secrets to sync from any of your SikkerKey projects
SikkerKey pushes the selected secret values into the Supabase project's Edge Function secrets store using the Management API. Secret names are sanitized into uppercase environment variable form, so a SikkerKey secret named "Database URL" becomes DATABASE_URL in the function runtime:
const databaseUrl = Deno.env.get('DATABASE_URL')
const stripeKey = Deno.env.get('STRIPE_SECRET_KEY')
Propagation
There are two distinct hops between a SikkerKey change and a function receiving the new value:
- SikkerKey → Supabase secrets store. When a secret changes in SikkerKey, the new value is pushed to every mapped Supabase project in seconds. This step is network-bound and is what the sync status on the Integrations page reflects.
- Supabase secrets store → function runtime. Supabase does not require a redeploy when secrets change. Running functions pick up the new value on their next invocation; you do not have to trigger anything.
Automatic Sync
A sync is triggered whenever a secret value changes in SikkerKey: manual update, automatic rotation, rollback, restore from trash, or rename. The new value is pushed to every Supabase project that has it mapped.
The Integrations page shows the sync status for each secret per project: synced, pending, or failed, along with the last synced timestamp. Status updates stream live via server-sent events.
Failure Handling
If a push to Supabase fails (network error, token revoked on Supabase's side, API rejection, etc.), the mapping is marked failed and the error message is recorded. The old value stays in place on Supabase. Only a successful push overwrites it, so partial or failed syncs never leave the function runtime without a credential it previously had.
Failed mappings are retried automatically by a background worker, starting at a two-minute interval with exponential backoff when queues are empty. A Supabase target that accumulates 10 consecutive failures is marked unhealthy and excluded from further automatic retries until you intervene (e.g., reconnect the integration with a valid token). Reconnecting resets the consecutive-failure counter and resumes retries.
There is no separate alert channel for sync failures today. Watch the Integrations page for failed mappings, or subscribe to the sync_push audit action in Settings > Alerts (the audit event fires on successful pushes; failures appear as failed mappings in real time on the page).
Soft-Delete and Restore
Moving a SikkerKey secret to trash removes it from every mapped Supabase project immediately, not when the 30-day retention window lapses. Restoring a trashed secret triggers a fresh push with the current value, so functions regain access on their next invocation without any manual step.
Managing Secrets
Click Manage secrets on a configured Supabase project to open the secret management modal. From there you can:
- Browse secrets from any project in your vault
- Search by name
- Sync or remove individual secrets with one click
- Bulk-select and sync or remove multiple secrets
Secrets from different SikkerKey projects can be synced to the same Supabase project.
Structured Secrets
A structured secret with multiple fields is pushed as one Supabase secret per field. A SikkerKey structured secret named database with fields host, user, password becomes three separate Supabase secrets: DATABASE_HOST, DATABASE_USER, DATABASE_PASSWORD. If per-field rotation is configured on the SikkerKey secret, each field syncs independently as it rotates.
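Because names are normalized and secrets from different SikkerKey projects can target the same Supabase project, it is worth checking a planned mapping for two sources that would claim the same environment variable name. The following is an added example, not SikkerKey code: the rule in `toEnvName` is an assumption extrapolated from the single "Database URL" example on this page, and the project and secret names are constructed.

```javascript
// Assumed sanitization rule (the page only documents "Database URL" -> DATABASE_URL):
// uppercase, collapse each run of non-alphanumerics to "_", trim "_" at both ends.
function toEnvName(secretName) {
  return secretName
    .toUpperCase()
    .replace(/[^A-Z0-9]+/g, '_')
    .replace(/^_+|_+$/g, '');
}

// Env names one secret would occupy: a single name for a plain secret,
// NAME_FIELD for each field of a structured secret.
function envNamesFor(secret) {
  const base = toEnvName(secret.name);
  if (!secret.fields || secret.fields.length === 0) return [base];
  return secret.fields.map((field) => `${base}_${toEnvName(field)}`);
}

// Return every env name claimed by more than one source secret.
function findCollisions(secrets) {
  const owners = new Map();
  for (const s of secrets) {
    const label = `${s.project}/${s.name}`;
    for (const env of envNamesFor(s)) {
      owners.set(env, [...(owners.get(env) || []), label]);
    }
  }
  return [...owners]
    .filter(([, sources]) => sources.length > 1)
    .map(([env, sources]) => ({ env, sources }));
}

// Constructed mapping plan for one Supabase project (hypothetical names).
const planned = [
  { project: 'billing', name: 'Database URL' },
  { project: 'billing', name: 'database', fields: ['host', 'user', 'password'] },
  { project: 'analytics', name: 'database-url' },
  { project: 'analytics', name: 'Database', fields: ['Host'] },
];

for (const { env, sources } of findCollisions(planned)) {
  console.log(`${env} is claimed by: ${sources.join(', ')}`);
}
```

Rename one side of each reported pair in SikkerKey before syncing so every function variable has a single, unambiguous source.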
Disconnecting
Click Disconnect on a configured Supabase project to remove the mapping. SikkerKey deletes all synced secrets from that project and clears the sync mapping. The Supabase project itself and any secrets you configured manually are not affected.
To disconnect Supabase entirely, remove all configured projects first, then click Disconnect Supabase at the bottom of the Supabase panel. This deletes the stored token from SikkerKey.
Revoking the Token on Supabase
Disconnecting in SikkerKey removes the PAT from SikkerKey's storage, but SikkerKey cannot revoke the token on Supabase's side. Only the token owner can. To fully invalidate the token, delete it from your Supabase account tokens page as well.
Security
- Encrypted tokens. The PAT is encrypted with the server encryption key and stored in the database. It is only accessible when the vault is unsealed and is never shown in the dashboard after connection.
- Validation before storage. SikkerKey calls the Supabase Management API to validate the token before persisting it. An invalid or revoked token is rejected cleanly, without storing anything.
- Per-secret control. You choose exactly which secrets sync to which projects. Secrets are not synced by default; every mapping is explicit.
- Audit logged. supabase_integration_connect, supabase_integration_disconnected, sync_push, and sync_delete events are recorded with timestamps and the acting user.
- Instant revocation. Removing a secret from a sync mapping deletes it from the Supabase project immediately.
- PAT cannot be recovered. Because SikkerKey only stores the encrypted form, a database backup alone does not expose the token value.
Requirements
- A Supabase account with at least one project
- A Personal Access Token generated from your Supabase account tokens page
The PAT inherits the scope of the Supabase user that creates it: SikkerKey reaches exactly the projects and organizations that user can access, nothing more. To give the integration least-privilege access, create a dedicated Supabase user (or a sub-organization) with access only to the projects you want to sync, and generate the PAT from there.
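One way to confirm a token's reach before pasting it into SikkerKey is to list the projects it can see and compare them with the projects you intend to sync. This is an added example, not part of SikkerKey or Supabase tooling: it calls the Management API's `GET /v1/projects` endpoint, the response field names (`id`, `name`, `organization_id`) are assumed and should be checked against the current API reference, and the sample projects are constructed.

```javascript
// Fetch every project the PAT can reach. fetchImpl is injectable so the
// comparison logic can be exercised offline.
async function listReachableProjects(pat, fetchImpl = fetch) {
  const res = await fetchImpl('https://api.supabase.com/v1/projects', {
    headers: { Authorization: `Bearer ${pat}` },
  });
  if (!res.ok) throw new Error(`Management API returned HTTP ${res.status}`);
  return res.json();
}

// Compare what the token reaches with what you intend to sync.
// excess:  reachable but not intended (token is broader than needed)
// missing: intended but not reachable (sync to these would fail)
function auditScope(projects, intendedRefs) {
  const intended = new Set(intendedRefs);
  const reachable = new Set(projects.map((p) => p.id));
  return {
    excess: projects
      .filter((p) => !intended.has(p.id))
      .map((p) => ({ ref: p.id, name: p.name, org: p.organization_id })),
    missing: intendedRefs.filter((ref) => !reachable.has(ref)),
    leastPrivilege: projects.every((p) => intended.has(p.id)),
  };
}

// Constructed sample of a /v1/projects response (hypothetical refs and names).
const sampleProjects = [
  { id: 'abcdefghijklmnopqrst', name: 'prod-api', organization_id: 'org-main' },
  { id: 'zyxwvutsrqponmlkjihg', name: 'staging', organization_id: 'org-main' },
  { id: 'qqqqwwwweeeerrrrtttt', name: 'personal-sandbox', organization_id: 'org-personal' },
];
const intendedRefs = ['abcdefghijklmnopqrst', 'zyxwvutsrqponmlkjihg'];

const report = auditScope(sampleProjects, intendedRefs);
console.log(report.leastPrivilege ? 'PAT scope matches intent' : 'PAT is over-scoped');
for (const p of report.excess) {
  console.log(`  also reachable: ${p.name} (${p.ref}) in ${p.org}`);
}
```

For a live check, pass the result of `listReachableProjects` to `auditScope`, supplying the PAT from an environment variable rather than a command-line argument.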
No paid Supabase tier is required. The Management API is available on all Supabase plans.
Limitations
- Edge Function secrets only. SikkerKey writes to the project-wide Edge Function secrets store. Database passwords, API keys (anon / service_role), and other Supabase-managed credentials are not currently managed by this integration.
- One PAT per SikkerKey account. A SikkerKey account can hold a single Supabase PAT at a time. If you manage two Supabase accounts or organizations that are not reachable by a single PAT, only one can be integrated from the same SikkerKey account. The other requires a separate SikkerKey account, or a consolidated Supabase user with access to both.
- No inbound webhooks. The Supabase Management API does not expose a change-notification stream, so SikkerKey cannot observe out-of-band edits on Supabase. An edit made directly on Supabase will be overwritten on the next sync from SikkerKey. Keep SikkerKey as the source of truth.