Does anyone know if Supabase always uses the anon ...
# sql
c
Does anyone know if Supabase always uses the anon and authenticated users by default to execute requests (ignoring requests that involve SECURITY DEFINER stored procedures)? Are there any other users that need to be considered? The context is defining column-level permissions using GRANT/REVOKE statements.
Does the authenticator role come into play?
s
The JWTs that are generated when setting up a project are linked to the service_role and anon users (specified as 'role' inside the JWT). As I understand it, when a user logs in, their role is graduated from anon to authenticated and their account UUID and a few other bits of information are minted into a new JWT that is sent to the user. As far as I'm aware, the other roles don't play a part in executing user requests but are instead used for other functionality within the stack (not sure on specifics unfortunately).
c
I am not sure I understand your point about the service_role - what do you mean by "JWTs are linked to the service_role"?
s
As mentioned in the self-host docs (https://supabase.com/docs/guides/hosting/overview#api-keys), there are 2 keys - this applies to self-host or those projects hosted on the Supabase platform. One JWT is linked to anon, the other JWT is linked to the service_role. Sorry that I didn't make that clear. So, essentially, logged in users = authenticated. Other users = anon
c
"So, essentially, logged in users = authenticated. Other users = anon" - right, that's what I thought too. Thanks for the confirmation!