
Supabase Edge Functions Default to JWT-Required (Breaks Stripe Webhooks)

Supabase Edge Functions require a valid JWT by default, which causes 401 errors when Stripe (or any external service) calls your webhook endpoint.

By Contributor · published 5/30/2026

By default, every Supabase Edge Function requires a valid JWT in the `Authorization` header. External services like Stripe, GitHub webhooks, or other providers don’t send a Supabase JWT; they send their own signature. The result is an immediate 401 Unauthorized response to every delivery.

The fix is a single configuration entry in `config.toml`:

```toml
# supabase/config.toml
[functions.stripe-webhook]
verify_jwt = false
```

Per the [Supabase function configuration documentation](https://supabase.com/docs/guides/functions/function-configuration), disabling JWT verification for a webhook function is the intended pattern. You then implement the provider’s own signature verification inside the function handler: for Stripe, that means calling `stripe.webhooks.constructEvent()` with the raw request body and the Stripe signing secret.

## Why it matters

A Stripe webhook that returns 401 fails silently from Stripe’s perspective. Stripe will retry, then mark your endpoint as failing. After several days of failures, Stripe notifies you via email, by which time subscription state may be out of sync.

## Suggested next action

For any Edge Function that receives an external webhook, add `verify_jwt = false` to its `config.toml` entry and implement the provider’s own signature check.
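The following is an added example, not code from the original article or from Supabase or Stripe. It shows the handler side of the pattern above: with `verify_jwt = false` in `config.toml`, the function authenticates Stripe itself by checking the `Stripe-Signature` header. The check is re-implemented here to make visible what `stripe.webhooks.constructEvent()` verifies (timestamp, HMAC-SHA256 over `${t}.${rawBody}`, replay tolerance, constant-time compare); in a deployed function you would call the Stripe SDK rather than this re-implementation. The environment variable name `STRIPE_WEBHOOK_SECRET`, the `WebhookRequest` interface and the sample secret and event are assumptions constructed for the example.

```typescript
// Added example (not the article's or Stripe's code): Stripe signature
// verification inside a Supabase Edge Function handler that runs with
// verify_jwt = false. Header format: "t=<unix seconds>,v1=<hex HMAC-SHA256>",
// MAC computed over `${t}.${rawBody}` with the endpoint's signing secret.
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Stripe's default replay window; older or future-dated signatures are rejected.
export const DEFAULT_TOLERANCE_SECONDS = 300;

export interface SignatureCheck {
  ok: boolean;
  reason?: string;
}

// Parse "t=...,v1=...,v0=..." into the timestamp and every v1 signature present
// (several v1 values appear while a signing secret is being rolled).
export function parseStripeSignature(
  header: string,
): { timestamp: number; v1: string[] } | null {
  let timestamp = Number.NaN;
  const v1: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") timestamp = Number(value);
    else if (key === "v1") v1.push(value);
  }
  if (!Number.isInteger(timestamp) || v1.length === 0) return null;
  return { timestamp, v1 };
}

// HMAC-SHA256(secret, `${timestamp}.${rawBody}`), hex-encoded.
export function signPayload(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

export function verifyStripeSignature(
  rawBody: string,
  header: string | null,
  secret: string,
  nowSeconds: number,
  tolerance = DEFAULT_TOLERANCE_SECONDS,
): SignatureCheck {
  if (!header) return { ok: false, reason: "missing Stripe-Signature header" };
  const parsed = parseStripeSignature(header);
  if (!parsed) return { ok: false, reason: "malformed Stripe-Signature header" };
  if (Math.abs(nowSeconds - parsed.timestamp) > tolerance) {
    return { ok: false, reason: "timestamp outside tolerance" };
  }
  const expected = Buffer.from(signPayload(secret, parsed.timestamp, rawBody), "hex");
  // Constant-time comparison; the length guard keeps timingSafeEqual from throwing.
  const matched = parsed.v1.some(
    (sig) => /^[0-9a-f]{64}$/i.test(sig) && timingSafeEqual(Buffer.from(sig, "hex"), expected),
  );
  return matched ? { ok: true } : { ok: false, reason: "no v1 signature matched" };
}

// Minimal structural view of the Fetch Request a Deno.serve handler receives (assumed shape).
export interface WebhookRequest {
  headers: { get(name: string): string | null };
  text(): Promise<string>;
}

export async function handleStripeWebhook(
  req: WebhookRequest,
  secret: string,
  nowSeconds = Math.floor(Date.now() / 1000),
): Promise<{ status: number; body: string }> {
  // Read the raw body first: the signature covers the exact bytes, so parsing
  // JSON and re-serialising it would break verification.
  const rawBody = await req.text();
  const check = verifyStripeSignature(rawBody, req.headers.get("stripe-signature"), secret, nowSeconds);
  if (!check.ok) return { status: 400, body: `Webhook Error: ${check.reason}` };
  const event = JSON.parse(rawBody) as { id: string; type: string };
  // Dispatch on event.type here (e.g. "checkout.session.completed").
  return { status: 200, body: JSON.stringify({ received: true, type: event.type }) };
}
// In the deployed function this is wired as (Deno APIs, not executed here):
//   Deno.serve(async (req) => {
//     const r = await handleStripeWebhook(req, Deno.env.get("STRIPE_WEBHOOK_SECRET") ?? "");
//     return new Response(r.body, { status: r.status });
//   });

// Constructed sample for local testing: a dummy secret and fake event, not real Stripe data.
export const SAMPLE_SECRET = "whsec_dummy_secret_for_local_test";
export const SAMPLE_TS = 1700000000;
export const SAMPLE_BODY = JSON.stringify({ id: "evt_sample_0001", type: "checkout.session.completed" });
export function sampleHeader(): string {
  return `t=${SAMPLE_TS},v1=${signPayload(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY)}`;
}
```

Two details matter once JWT verification is off, because the signature check is now the only authentication on the endpoint: the handler must hash the raw request body exactly as received (any re-serialisation changes the bytes and the MAC no longer matches), and the timestamp tolerance is what stops a captured delivery from being replayed later. A 400 on a failed check, rather than a 401, keeps Stripe's retry behaviour as documented for signature errors.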
