Fixmedium riskhigh confidencemoderator reviewed

Supabase Edge Functions Default to JWT-Required (Breaks Stripe Webhooks)

Supabase Edge Functions require a valid JWT by default, which causes 401 errors when Stripe (or any external service) calls your webhook endpoint.

By Contributor · published 5/30/2026

In plain English

Connect external services like Stripe to your app by turning off standard security checks that block outside traffic. This ensures your app receives important payment updates while allowing you to use Stripe's own verification system instead.

By default, every Supabase Edge Function requires a valid JWT token in the `Authorization` header. External services like Stripe, GitHub webhooks, or other providers don’t send a Supabase JWT — they send their own signature. This results in immediate 401 Unauthorized responses. The fix is a single configuration in `config.toml`: ```toml # supabase/config.toml [functions.stripe-webhook] verify_jwt = false ``` Per [Supabase function configuration documentation](https://supabase.com/docs/guides/functions/function-configuration), disabling JWT verification for a webhook function is the intended pattern. You then implement the provider’s own signature verification inside the function handler — for Stripe, that means calling `stripe.webhooks.constructEvent()` with the raw request body and the Stripe signing secret. ## Why it matters A Stripe webhook that returns 401 fails silently from Stripe’s perspective. Stripe will retry, then mark your endpoint as failing. After several days of failures, Stripe notifies you via email — by which time subscription state may be out of sync. ## Suggested next action For any Edge Function that receives an external webhook, add `verify_jwt = false` to its `config.toml` entry and implement the provider’s own signature check.

Discussion

0 comments

Loading comments…

Sign in to join the discussion.

Want the technical version? Switch the detail level at the top of the page toBuilder orTechnical.