API Key Authentication Guide¶
Problem¶
When using Supabase REST API directly with custom API keys (cg_...), you may encounter this error:
{
"message": "No API key found in request",
"hint": "No `apikey` request header or url param was found."
}
Root Cause¶
Supabase REST API only accepts Supabase's own API keys (anon or service_role keys), not custom API keys. Custom API keys (cg_...) are only supported in Edge Functions.
Solutions¶
Option 1: Use Supabase Anon Key (Recommended for Direct REST API)¶
For direct REST API calls, use the Supabase anon key with the apikey header (lowercase):
curl --location 'https://txpaxbxhnvnhsjwwaeoy.supabase.co/rest/v1/contacts?first_name=ilike.*John*' \
--header 'apikey: YOUR_SUPABASE_ANON_KEY' \
--header 'Authorization: Bearer YOUR_SUPABASE_ANON_KEY'
Note: Replace YOUR_SUPABASE_ANON_KEY with your actual Supabase anon key from the Supabase Dashboard → Settings → API.
Option 2: Use REST API Proxy with Custom API Key (Recommended for External APIs)¶
We've created a proxy Edge Function that allows you to use custom API keys (cg_...) with REST API endpoints.
Base URL: https://txpaxbxhnvnhsjwwaeoy.supabase.co/functions/v1/rest-api-proxy
Example:
# Instead of:
curl --location 'https://txpaxbxhnvnhsjwwaeoy.supabase.co/rest/v1/contacts?first_name=ilike.*John*' \
--header 'X-API-Key: cg_your_api_key_here'
# Use:
curl --location 'https://txpaxbxhnvnhsjwwaeoy.supabase.co/functions/v1/rest-api-proxy/contacts?first_name=ilike.*John*' \
--header 'X-API-Key: cg_your_api_key_here'
Supported Query Parameters:
select- Specify columns to return:?select=id,first_name,last_nameorder- Order results:?order=created_at.desc- Filter operators:
?first_name=eq.John- Equals?first_name=ilike.*John*- Case-insensitive like (use*for wildcards)?age=gt.18- Greater than?age=gte.18- Greater than or equal?age=lt.65- Less than?age=lte.65- Less than or equal?tags=contains.["tag1","tag2"]- Contains array?id=in.uuid1,uuid2- In arraylimit- Limit results:?limit=50offset- Pagination:?offset=100
Example Queries:
# Search contacts by name
curl --location 'https://txpaxbxhnvnhsjwwaeoy.supabase.co/functions/v1/rest-api-proxy/contacts?first_name=ilike.*John*' \
--header 'X-API-Key: cg_...'
# Get conversations with pagination
curl --location 'https://txpaxbxhnvnhsjwwaeoy.supabase.co/functions/v1/rest-api-proxy/conversations?limit=20&offset=0&order=last_message_at.desc' \
--header 'X-API-Key: cg_...'
# Get specific columns only
curl --location 'https://txpaxbxhnvnhsjwwaeoy.supabase.co/functions/v1/rest-api-proxy/contacts?select=id,first_name,last_name,phones' \
--header 'X-API-Key: cg_...'
Option 3: Use Edge Functions (For Complex Operations)¶
For more complex operations, use Edge Functions that support custom API keys:
# Example: Insert message
curl --location 'https://txpaxbxhnvnhsjwwaeoy.supabase.co/functions/v1/insert-message' \
--header 'X-API-Key: cg_your_api_key_here' \
--header 'Content-Type: application/json' \
--data '{
"phone": "+1234567890",
"content": "Hello from API",
"direction": "outgoing"
}'
Key Differences¶
| Method | Header Name | Key Type | Use Case |
|---|---|---|---|
| Supabase REST API | apikey (lowercase) |
Supabase anon key | Direct database access |
| REST API Proxy | X-API-Key |
Custom cg_... key |
External API access |
| Edge Functions | X-API-Key |
Custom cg_... key |
Complex operations |
Security Notes¶
- Custom API keys are scoped to your organization and respect Row Level Security (RLS) policies
- Supabase anon key has broader access but is still limited by RLS policies
- Always use HTTPS in production
- Never expose your Supabase
service_rolekey in client-side code
Troubleshooting¶
Error: "No API key found in request"¶
- Cause: Using wrong header name or missing header
- Fix: Use
apikey(lowercase) for Supabase REST API, orX-API-Keyfor proxy/edge functions
Error: "Invalid or expired API key"¶
- Cause: API key is invalid, expired, or inactive
- Fix: Generate a new API key from Settings → API Keys
Error: "Invalid URL format"¶
- Cause: Incorrect proxy URL format
- Fix: Use format:
/rest-api-proxy/<table_name>?<query_params>
Getting Your Supabase Anon Key¶
- Go to Supabase Dashboard
- Select your project
- Go to Settings → API
- Copy the
anonpublickey
Generating Custom API Keys¶
- Log into ConnectGain
- Go to Settings → API Keys
- Click "Generate API Key"
- Save the key immediately (it's only shown once)