supabase-webhooks-events

'Implement Supabase database webhooks, pg_net async HTTP, LISTEN/NOTIFY,

Allowed Tools

WriteBash(supabase:*)Bash(curl:*)Bash(psql:*)

Provided by Plugin

supabase-pack

Claude Code skill pack for Supabase (30 skills)

saas packs v1.53.0
View Plugin

Installation

This skill is included in the supabase-pack plugin:

/plugin install supabase-pack@claude-code-plugins-plus

Click to copy

Instructions

Supabase Webhooks & Database Events

Overview

Supabase offers four complementary event mechanisms: Database Webhooks (trigger-based HTTP calls via pgnet), supabasefunctions.httprequest() (call Edge Functions from triggers), Postgres LISTEN/NOTIFY (lightweight pub/sub), and Realtime postgreschanges (client-side event subscriptions). This skill covers all four patterns with production-ready code including signature verification, idempotency, and retry handling.

Prerequisites

  • Supabase project (local or hosted) with supabase CLI installed
  • pgnet extension enabled: Dashboard > Database > Extensions > search "pgnet" > Enable
  • @supabase/supabase-js v2+ installed for client-side patterns
  • Edge Functions deployed for webhook receiver patterns

Authentication

Both directions of a webhook are authenticated:

  • Outbound (trigger → Edge Function): the trigger sends an Authorization: Bearer rolekey> header. Store the key in a Postgres setting (app.settings.servicerolekey) or Supabase Vault — never inline it in a committed migration.
  • Inbound (Edge Function receiver): verify an HMAC-SHA256 signature against a shared WEBHOOK_SECRET (read from Deno.env) using a constant-time comparison, and reject mismatches with 401. See signature-verification.md.

Instructions

Pick the mechanism that fits the consumer: pg_net triggers for server-side HTTP fan-out, Edge Function receivers for signed processing, LISTEN/NOTIFY for in-database pub/sub, and Realtime for client UI. Write each SQL trigger to a supabase/migrations/ file and each handler to supabase/functions//index.ts, then apply and deploy with the supabase CLI.

Step 1 — Database Webhooks with pg_net and Trigger Functions

Enable pgnet, then write a trigger function that POSTs the changed row to an Edge Function. Attach it AFTER INSERT/UPDATE/DELETE. Full trigger set (conditional status-change trigger, the supabasefunctions.httprequest() built-in helper, and net.http_response inspection queries) is in database-webhooks.md.


CREATE EXTENSION IF NOT EXISTS pg_net WITH SCHEMA extensions;

CREATE OR REPLACE FUNCTION public.notify_order_created()
RETURNS trigger AS $$
BEGIN
  PERFORM net.http_post(
    url     := 'https://<project-ref>.supabase.co/functions/v1/on-order-created',
    headers := jsonb_build_object('Content-Type', 'application/json'),
    body    := jsonb_build_object('type', TG_OP, 'record', row_to_json(NEW)::jsonb)
  );
  RETURN NEW;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

CREATE TRIGGER on_order_created
  AFTER INSERT ON public.orders
  FOR EACH ROW EXECUTE FUNCTION public.notify_order_created();

Step 2 — Edge Function Webhook Receivers with Signature Verification

Write an Edge Function that reads the raw body, verifies the HMAC signature, parses the typed payload, and routes by event type. Guard against duplicate delivery with a processed_events idempotency table. The complete receiver, the idempotent-handler variant, and the idempotency table DDL are in edge-function-receivers.md.


// supabase/functions/on-order-created/index.ts
serve(async (req) => {
  const rawBody = await req.text();
  const secret = Deno.env.get("WEBHOOK_SECRET");
  if (secret) {
    const sig = req.headers.get("x-webhook-signature") ?? "";
    if (!(await verifySignature(rawBody, sig, secret)))
      return new Response(JSON.stringify({ error: "Invalid signature" }), { status: 401 });
  }
  const payload = JSON.parse(rawBody); // { type, table, record, old_record }
  // route by payload.type: INSERT | UPDATE | DELETE
  return new Response(JSON.stringify({ received: true }));
});

Step 3 — Postgres LISTEN/NOTIFY and Realtime as Event Source

Use pgnotify from a trigger for lightweight, non-persistent pub/sub consumed by a backend LISTEN; use Realtime postgreschanges for client-side UI subscriptions (keep NOTIFY payloads to IDs — they truncate past 8000 bytes). The backend listener, the full Realtime subscription with event routing, and the combined event-driven architecture diagram are in listen-notify-realtime.md.


const channel = supabase
  .channel("orders-events")
  .on("postgres_changes",
    { event: "*", schema: "public", table: "orders" },
    (payload) => console.log(payload.eventType, payload.new))
  .subscribe();

Output

These patterns produce:

  • Database trigger functions calling Edge Functions via pg_net on row changes
  • Conditional triggers that fire only when specific columns change
  • Edge Function webhook receivers with HMAC signature verification
  • Idempotent event processing preventing duplicate side effects
  • LISTEN/NOTIFY channels for lightweight inter-service communication
  • Realtime subscriptions for live client-side UI updates
  • An event-driven architecture combining server and client patterns

Error Handling

Error Cause Fix
pg_net returns 404 Edge Function not deployed or wrong URL Run supabase functions deploy and verify the URL matches
Webhook not firing Trigger not attached or table not in publication Check SELECT * FROM pg_trigger WHERE tgrelid = 'orders'::regclass;
Duplicate events processed No idempotency layer Add processedevents table with unique eventid constraint
Realtime not receiving Table not added to Realtime publication Dashboard > Database > Replication > enable the table
net.httpresponse shows 401 Invalid or missing auth header Verify servicerolekey is set in app.settings or vault
NOTIFY payload truncated Payload exceeds 8000 bytes Send only IDs in NOTIFY, fetch full record in the listener
Auth hook errors Function raises exception Check Dashboard > Logs > Auth; ensure function returns valid JSONB
Trigger silently fails SECURITY DEFINER without search_path Add SET search_path = public, extensions; to function

Examples

Resources

Next Steps

For performance optimization of triggers and queries, see supabase-performance-tuning. For production hardening including RLS policies on webhook-accessed tables, see supabase-security-basics.

Ready to use supabase-pack?