EdgeWorker auth fails with ensure_workers: JWT vs internal service role key format mismatch #603

@kemiller

Problem

When deploying pgflow to Supabase production, the ensure_workers cron function fails to authenticate with the EdgeWorker.

Details

  1. ensure_workers retrieves the service role key from vault (supabase_service_role_key) and sends it as Authorization: Bearer {key}
  2. The vault stores the JWT format key (starts with eyJhbG...)
  3. The EdgeWorker's validateServiceRoleAuth function compares against env['SUPABASE_SERVICE_ROLE_KEY']
  4. Inside Edge Functions, SUPABASE_SERVICE_ROLE_KEY is in the internal format (starts with sb_secret_...)
  5. These don't match → 401 Unauthorized

Test Results

Using a test edge function, I confirmed:

{
  "serviceRoleKeyPrefix": "sb_secret_...",
  "authHeader": "Bearer eyJhbG...",
  "match": false
}

Environment

  • @pgflow/edge-worker: 0.13.2
  • Supabase hosted (supabase.co)
  • Using EdgeWorker.start(MyFlow)

Expected Behavior

The ensure_workers SQL function should be able to trigger the EdgeWorker successfully, or there should be documentation on how to configure this correctly.

Questions

  1. Is this a known limitation?
  2. Should the EdgeWorker validate against the JWT format key instead?
  3. Is there a workaround we're missing?
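
A diagnostic along the lines of the test edge function described above, as an added example (not code from this issue or from pgflow): it classifies the header token and the environment key by format and reports why they differ, without returning either secret. The function names and the sample key values are constructed for illustration.

```typescript
// Added diagnostic sketch; hypothetical names, not pgflow's validateServiceRoleAuth.
type KeyFormat = "jwt" | "sb_secret" | "unknown";

interface AuthDiagnosis {
  headerFormat: KeyFormat;
  envFormat: KeyFormat;
  match: boolean;
  reason: string;
}

// Classify by shape only: the issue shows JWT keys starting with "eyJ..."
// and the in-function key starting with "sb_secret_...".
function classifyKey(key: string): KeyFormat {
  if (key.startsWith("sb_secret_")) return "sb_secret";
  if (key.startsWith("eyJ") && key.split(".").length === 3) return "jwt";
  return "unknown";
}

// Compare every position so timing does not reveal where the keys first differ.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Returns formats and a reason only; key material never leaves this function.
function diagnoseServiceRoleAuth(
  authHeader: string | null,
  envKey: string | undefined,
): AuthDiagnosis {
  const m = /^Bearer\s+(.+)$/i.exec(authHeader ?? "");
  const token = (m?.[1] ?? "").trim();
  const headerFormat = classifyKey(token);
  const envFormat = classifyKey(envKey ?? "");
  let reason: string;
  if (!token) reason = "missing or malformed Authorization header";
  else if (!envKey) reason = "SUPABASE_SERVICE_ROLE_KEY not set";
  else if (constantTimeEqual(token, envKey)) reason = "ok";
  else if (headerFormat !== envFormat) reason = `format mismatch: header=${headerFormat}, env=${envFormat}`;
  else reason = "same format, different value";
  return { headerFormat, envFormat, match: reason === "ok", reason };
}

// Constructed sample values, not real keys.
const SAMPLE_JWT_KEY = "eyJconstructed.payload.signature";
const SAMPLE_INTERNAL_KEY = "sb_secret_constructed_value";
```

Inside an Edge Function this would be called with `req.headers.get("Authorization")` and the `SUPABASE_SERVICE_ROLE_KEY` environment value, logging only the returned object.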
