Use of new API keys (replacing legacy JWT base anon and service role keys): Changes needed? When?

[Proj3ctS]

Based on the discussion on 'Upcoming changes to Supabase API Keys' https://github.com/orgs/supabase/discussions/29260 I am looking into the need to make changes to my project and the timing to implement these changes for switching from anon (JWT) to sb_publishable_... and service_role (JWT) to sb_secret_...

I have 2 questions

1. I see that auto injection of the new API keys to the edge function secrets (f.e. SUPABASE_PUBLISHABLE_KEY) is not available yet. Is this correct? When is it planned to make that available?
2. Timing of the discussion shows November 2025 as a milestone: "Projects restored from 1st November 2025 will no longer be restored with the legacy API keys. New projects no longer have anon and service_role available for use. You are highly encouraged to migrate off to use the new API keys before this date since paused projects that are restored risk being broken as they won’t have the legacy keys.". Is this timing still correct? Any update?

It sounds straight forward: "For the most part, you can substitute the sb_publishable_... and sb_secret_... values anywhere you used the anon and service_role keys respectively. They work roughly the same in terms of permissions and data access."
But replace Deno.env.get('SUPABASE_ANON_KEY')!; by Deno.env.get('SUPABASE_PUBLISHABLE_KEY')!; does not work for me since the edge function secret is not available.

Or I might be missing something more fundamental.

[GaryAustin1]

The anon and service_role Edge function secrets become the publishable and secret keys when you switch to the new keys.

[Proj3ctS]

Thanks for your quick response. With this information I was able to switch to the new API publishable keys and JWT Signing Keys.

[priyarp]

Hi, I am sorry if I am asking the same question. But I am new to supabase and am struggling to understand how this change would impact going forward. I am using edge functions in Supabase and would like to know the impact. I do not want to use —no-verify-jwt. Do we continue using SUPABASE_SERVICE_ROLE_KEY and SUPABASE_ANON_KEY in our edge functions even after we disable the legacy JWT keys ? Do these existing variables get the new API Key values automatically assigned? What happens when the legacy keys are removed ?

I saw this in another comment in this space and am confused - " Also be aware instead of Deno.env.get("SERVICE_ROLE_KEY") you should probably use the secret key. Create a new environment variable?
We plan to launch automatically generated variables for the new API keys soon. Format: SUPABASE_(PUBLISHABLE|SECRET)_<name of key, usually DEFAULT>_KEY. This will be both for Edge Functions and the Next.js / Vercel integration if you have it set up. "

Could you please clarify. I am not finding any documents on this ? Thank you !

[Proj3ctS]

My feedback (but note that I am no expert):

• Continue using SUPABASE_SERVICE_ROLE_KEY and SUPABASE_ANON_KEY in edge functions
• What happens when the legacy keys are removed: I have switched enabling legacy API keys OFF in the project settings > API Keys. Everything is working fine, so I will propogate this change to other environments.

[priyarp]

Ok, thank you for your response.