Edge Function Always Returns 401 Unauthorized Despite "auth": false Config and Latest CLI

[TransmissionFromNaat]

Project Ref:
srfjvqllvkfmxweocmeq

Issue:
My Edge Function always returns a 401 Unauthorized error ({"code":401,"message":"Missing authorization header"}) even though I have set up the function to be public with the recommended configuration.

---

Details

• Function Names Tried:
  stripe-webhook, stripe-webhook2

• Config File:
  The file supabase.functions.config.json is present in the function directory and contains:

  {
    "auth": false
  }

• Supabase CLI Version:
  2.20.12 (latest, installed via Homebrew)

• Deploy Commands Used:

  supabase functions deploy stripe-webhook
  supabase functions deploy stripe-webhook2
  

• Function Directory Structure:
  The config file, index.ts, and deno.json are all in the same directory.

• Tested Endpoints:

  • https://srfjvqllvkfmxweocmeq.supabase.co/functions/v1/stripe-webhook
  • https://srfjvqllvkfmxweocmeq.supabase.co/functions/v1/stripe-webhook2

• Test Command:

  curl -i -X POST https://srfjvqllvkfmxweocmeq.supabase.co/functions/v1/stripe-webhook2
  

• Result:
  Always returns:

  HTTP/2 401
  {"code":401,"message":"Missing authorization header"}
  

• What I’ve Tried:

  • Verified config file name, content, and location
  • Upgraded CLI to latest version
  • Deployed with new function name to break cache
  • Confirmed function is ACTIVE and recently updated in the dashboard
  • No .gitignore or .npmignore excluding the config file
  • Tried POSTing both empty and with JSON body

---

This is blocking Stripe webhooks and any public access to the function.

What can I do to solve this issue?

Thank you!

[GaryAustin1]

Can you link where you are seeing docs on use a config.json file?

https://supabase.com/docs/guides/functions/development-tips#using-configtoml
Shows using config.toml file.
Also https://supabase.com/docs/reference/cli/supabase-functions-deploy shows a deploy flag.

[saltcod]

Do you have this toggled on in your edge function settings?

[gastsail]

This fixes the issue but why we cant rely on authorization for the webook to work ?

[GaryAustin1]

Depends on how the edge function is called. If it is on then you must provided an authorization header with bearer JWT. JWT can be legacy anon/service_role keys or a user JWT, or any JWT signed by Supabase. It can't be the new API keys of the form sb_......

[Dudeonyx]

Depends on how the edge function is called. If it is on then you must provided an authorization header with bearer JWT. JWT can be legacy anon/service_role keys or a user JWT, or any JWT signed by Supabase. It can't be the new API keys of the form sb_......

then why does it automatically fill in the new format service keys when adding a cron job? that needs to fixed or at least noted