# Usage # Start: docker compose up # With helpers: docker compose -f docker-compose.yml -f ./dev/docker-compose.dev.yml up # Stop: docker compose down # Destroy: docker compose -f docker-compose.yml -f ./dev/docker-compose.dev.yml down -v --remove-orphans # Reset everything: ./reset.sh # Environment Variable Loading Order (first → last, later overrides earlier): # 1. ../../.env.default - Default values for all Supabase settings # 2. ../../.env - User's custom configuration (if exists) # 3. ./.env - Local overrides specific to db/docker (if exists) # 4. environment key - Service-specific overrides defined below # 5. Shell environment - Variables exported before running docker compose name: supabase # Common env_file configuration for all Supabase services x-supabase-env-files: &supabase-env-files env_file: - ../../.env.default # Base defaults from platform root - path: ../../.env # User overrides from platform root (optional) required: false - path: ./.env # Local overrides for db/docker (optional) required: false # Common Supabase environment - hardcoded defaults to avoid variable substitution x-supabase-env: &supabase-env SUPABASE_ANON_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm9uIiwKICAgICJpc3MiOiAic3VwYWJhc2UtZGVtbyIsCiAgICAiaWF0IjogMTY0MTc2OTIwMCwKICAgICJleHAiOiAxNzk5NTM1NjAwCn0.dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE SUPABASE_SERVICE_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZXJ2aWNlX3JvbGUiLAogICAgImlzcyI6ICJzdXBhYmFzZS1kZW1vIiwKICAgICJpYXQiOiAxNjQxNzY5MjAwLAogICAgImV4cCI6IDE3OTk1MzU2MDAKfQ.DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q services: studio: container_name: supabase-studio image: supabase/studio:20250224-d10db0f restart: unless-stopped healthcheck: test: [ "CMD", "node", "-e", "fetch('http://studio:3000/api/platform/profile').then((r) => {if (r.status !== 200) throw new Error(r.status)})" ] timeout: 10s interval: 5s retries: 3 <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service STUDIO_PG_META_URL: http://meta:8080 DEFAULT_ORGANIZATION_NAME: Default Organization DEFAULT_PROJECT_NAME: Default Project SUPABASE_URL: http://kong:8000 AUTH_JWT_SECRET: your-super-secret-jwt-token-with-at-least-32-characters-long LOGFLARE_API_KEY: your-super-secret-and-long-logflare-key LOGFLARE_URL: http://analytics:4000 NEXT_PUBLIC_ENABLE_LOGS: true # Comment to use Big Query backend for analytics NEXT_ANALYTICS_BACKEND_PROVIDER: postgres # Uncomment to use Big Query backend for analytics # NEXT_ANALYTICS_BACKEND_PROVIDER: bigquery kong: container_name: supabase-kong image: kong:2.8.1 restart: unless-stopped ports: - 8000:8000/tcp - 8443:8443/tcp volumes: # https://github.com/supabase/supabase/issues/12661 - ./volumes/api/kong.yml:/home/kong/temp.yml:ro <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service KONG_DATABASE: "off" KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml # https://github.com/supabase/cli/issues/14 KONG_DNS_ORDER: LAST,A,CNAME KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k # https://unix.stackexchange.com/a/294837 entrypoint: bash -c 'eval "echo \"$$(cat ~/temp.yml)\"" > ~/kong.yml && /docker-entrypoint.sh kong docker-start' auth: container_name: supabase-auth image: supabase/gotrue:v2.170.0 restart: unless-stopped healthcheck: test: [ "CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9999/health" ] timeout: 5s interval: 5s retries: 3 depends_on: db: # Disable this if you are using an external Postgres database condition: service_healthy <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service GOTRUE_API_HOST: 0.0.0.0 GOTRUE_API_PORT: 9999 GOTRUE_DB_DRIVER: postgres GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:your-super-secret-and-long-postgres-password@db:5432/postgres GOTRUE_SITE_URL: http://localhost:3000 GOTRUE_URI_ALLOW_LIST: "" GOTRUE_DISABLE_SIGNUP: false GOTRUE_JWT_ADMIN_ROLES: service_role GOTRUE_JWT_AUD: authenticated GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated GOTRUE_JWT_EXP: 3600 GOTRUE_JWT_SECRET: your-super-secret-jwt-token-with-at-least-32-characters-long GOTRUE_EXTERNAL_EMAIL_ENABLED: true GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED: false GOTRUE_MAILER_AUTOCONFIRM: false # Uncomment to bypass nonce check in ID Token flow. Commonly set to true when using Google Sign In on mobile. # GOTRUE_EXTERNAL_SKIP_NONCE_CHECK: true # GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED: true # GOTRUE_SMTP_MAX_FREQUENCY: 1s GOTRUE_SMTP_ADMIN_EMAIL: admin@example.com GOTRUE_SMTP_HOST: supabase-mail GOTRUE_SMTP_PORT: 2500 GOTRUE_SMTP_USER: fake_mail_user GOTRUE_SMTP_PASS: fake_mail_password GOTRUE_SMTP_SENDER_NAME: fake_sender GOTRUE_MAILER_URLPATHS_INVITE: /auth/v1/verify GOTRUE_MAILER_URLPATHS_CONFIRMATION: /auth/v1/verify GOTRUE_MAILER_URLPATHS_RECOVERY: /auth/v1/verify GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: /auth/v1/verify GOTRUE_EXTERNAL_PHONE_ENABLED: true GOTRUE_SMS_AUTOCONFIRM: true # Uncomment to enable custom access token hook. Please see: https://supabase.com/docs/guides/auth/auth-hooks for full list of hooks and additional details about custom_access_token_hook # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED: "true" # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI: "pg-functions://postgres/public/custom_access_token_hook" # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_SECRETS: "" # GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_ENABLED: "true" # GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_URI: "pg-functions://postgres/public/mfa_verification_attempt" # GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_ENABLED: "true" # GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_URI: "pg-functions://postgres/public/password_verification_attempt" # GOTRUE_HOOK_SEND_SMS_ENABLED: "false" # GOTRUE_HOOK_SEND_SMS_URI: "pg-functions://postgres/public/custom_access_token_hook" # GOTRUE_HOOK_SEND_SMS_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n" # GOTRUE_HOOK_SEND_EMAIL_ENABLED: "false" # GOTRUE_HOOK_SEND_EMAIL_URI: "http://host.docker.internal:54321/functions/v1/email_sender" # GOTRUE_HOOK_SEND_EMAIL_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n" rest: container_name: supabase-rest image: postgrest/postgrest:v12.2.8 restart: unless-stopped depends_on: db: # Disable this if you are using an external Postgres database condition: service_healthy <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service PGRST_DB_URI: postgres://authenticator:your-super-secret-and-long-postgres-password@db:5432/postgres PGRST_DB_SCHEMAS: public,storage,graphql_public PGRST_DB_ANON_ROLE: anon PGRST_JWT_SECRET: your-super-secret-jwt-token-with-at-least-32-characters-long PGRST_DB_USE_LEGACY_GUCS: "false" PGRST_APP_SETTINGS_JWT_SECRET: your-super-secret-jwt-token-with-at-least-32-characters-long PGRST_APP_SETTINGS_JWT_EXP: 3600 command: [ "postgrest" ] realtime: # This container name looks inconsistent but is correct because realtime constructs tenant id by parsing the subdomain container_name: realtime-dev.supabase-realtime image: supabase/realtime:v2.34.40 restart: unless-stopped depends_on: db: # Disable this if you are using an external Postgres database condition: service_healthy healthcheck: test: [ "CMD", "curl", "-sSfL", "--head", "-o", "/dev/null", "-H", "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm9uIiwKICAgICJpc3MiOiAic3VwYWJhc2UtZGVtbyIsCiAgICAiaWF0IjogMTY0MTc2OTIwMCwKICAgICJleHAiOiAxNzk5NTM1NjAwCn0.dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE", "http://localhost:4000/api/tenants/realtime-dev/health" ] timeout: 5s interval: 5s retries: 3 <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service PORT: 4000 DB_HOST: db DB_PORT: 5432 DB_USER: supabase_admin DB_PASSWORD: your-super-secret-and-long-postgres-password DB_NAME: postgres DB_AFTER_CONNECT_QUERY: 'SET search_path TO _realtime' DB_ENC_KEY: supabaserealtime API_JWT_SECRET: your-super-secret-jwt-token-with-at-least-32-characters-long SECRET_KEY_BASE: UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq ERL_AFLAGS: -proto_dist inet_tcp DNS_NODES: "''" RLIMIT_NOFILE: "10000" APP_NAME: realtime SEED_SELF_HOST: true RUN_JANITOR: true # To use S3 backed storage: docker compose -f docker-compose.yml -f docker-compose.s3.yml up storage: container_name: supabase-storage image: supabase/storage-api:v1.19.3 restart: unless-stopped volumes: - ./volumes/storage:/var/lib/storage:z healthcheck: test: [ "CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://storage:5000/status" ] timeout: 5s interval: 5s retries: 3 depends_on: db: # Disable this if you are using an external Postgres database condition: service_healthy rest: condition: service_started imgproxy: condition: service_started <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service ANON_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm9uIiwKICAgICJpc3MiOiAic3VwYWJhc2UtZGVtbyIsCiAgICAiaWF0IjogMTY0MTc2OTIwMCwKICAgICJleHAiOiAxNzk5NTM1NjAwCn0.dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE SERVICE_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZXJ2aWNlX3JvbGUiLAogICAgImlzcyI6ICJzdXBhYmFzZS1kZW1vIiwKICAgICJpYXQiOiAxNjQxNzY5MjAwLAogICAgImV4cCI6IDE3OTk1MzU2MDAKfQ.DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q POSTGREST_URL: http://rest:3000 PGRST_JWT_SECRET: your-super-secret-jwt-token-with-at-least-32-characters-long DATABASE_URL: postgres://supabase_storage_admin:your-super-secret-and-long-postgres-password@db:5432/postgres FILE_SIZE_LIMIT: 52428800 STORAGE_BACKEND: file FILE_STORAGE_BACKEND_PATH: /var/lib/storage TENANT_ID: stub # TODO: https://github.com/supabase/storage-api/issues/55 REGION: stub GLOBAL_S3_BUCKET: stub ENABLE_IMAGE_TRANSFORMATION: "true" IMGPROXY_URL: http://imgproxy:5001 imgproxy: container_name: supabase-imgproxy image: darthsim/imgproxy:v3.8.0 restart: unless-stopped volumes: - ./volumes/storage:/var/lib/storage:z healthcheck: test: [ "CMD", "imgproxy", "health" ] timeout: 5s interval: 5s retries: 3 <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service IMGPROXY_BIND: ":5001" IMGPROXY_LOCAL_FILESYSTEM_ROOT: / IMGPROXY_USE_ETAG: "true" IMGPROXY_ENABLE_WEBP_DETECTION: true meta: container_name: supabase-meta image: supabase/postgres-meta:v0.86.1 restart: unless-stopped depends_on: db: # Disable this if you are using an external Postgres database condition: service_healthy <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service PG_META_PORT: 8080 PG_META_DB_HOST: db PG_META_DB_PORT: 5432 PG_META_DB_NAME: postgres PG_META_DB_USER: supabase_admin PG_META_DB_PASSWORD: your-super-secret-and-long-postgres-password functions: container_name: supabase-edge-functions image: supabase/edge-runtime:v1.67.2 restart: unless-stopped volumes: - ./volumes/functions:/home/deno/functions:Z <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service SUPABASE_URL: http://kong:8000 SUPABASE_SERVICE_ROLE_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZXJ2aWNlX3JvbGUiLAogICAgImlzcyI6ICJzdXBhYmFzZS1kZW1vIiwKICAgICJpYXQiOiAxNjQxNzY5MjAwLAogICAgImV4cCI6IDE3OTk1MzU2MDAKfQ.DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q SUPABASE_DB_URL: postgresql://postgres:your-super-secret-and-long-postgres-password@db:5432/postgres # TODO: Allow configuring VERIFY_JWT per function. This PR might help: https://github.com/supabase/cli/pull/786 VERIFY_JWT: "false" command: [ "start", "--main-service", "/home/deno/functions/main" ] analytics: container_name: supabase-analytics image: supabase/logflare:1.12.5 restart: unless-stopped ports: - 4000:4000 # Uncomment to use Big Query backend for analytics # volumes: # - type: bind # source: ${PWD}/gcloud.json # target: /opt/app/rel/logflare/bin/gcloud.json # read_only: true healthcheck: test: [ "CMD", "curl", "http://localhost:4000/health" ] timeout: 5s interval: 5s retries: 10 depends_on: db: # Disable this if you are using an external Postgres database condition: service_healthy <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service LOGFLARE_NODE_HOST: 127.0.0.1 DB_USERNAME: supabase_admin DB_DATABASE: _supabase DB_HOSTNAME: db DB_PORT: 5432 DB_PASSWORD: your-super-secret-and-long-postgres-password DB_SCHEMA: _analytics LOGFLARE_API_KEY: your-super-secret-and-long-logflare-key LOGFLARE_SINGLE_TENANT: true LOGFLARE_SUPABASE_MODE: true LOGFLARE_MIN_CLUSTER_SIZE: 1 # Comment variables to use Big Query backend for analytics POSTGRES_BACKEND_URL: postgresql://supabase_admin:your-super-secret-and-long-postgres-password@db:5432/_supabase POSTGRES_BACKEND_SCHEMA: _analytics LOGFLARE_FEATURE_FLAG_OVERRIDE: multibackend=true # Uncomment to use Big Query backend for analytics # GOOGLE_PROJECT_ID: GOOGLE_PROJECT_ID # GOOGLE_PROJECT_NUMBER: GOOGLE_PROJECT_NUMBER # Comment out everything below this point if you are using an external Postgres database db: container_name: supabase-db image: supabase/postgres:15.8.1.049 restart: unless-stopped volumes: - ./volumes/db/realtime.sql:/docker-entrypoint-initdb.d/migrations/99-realtime.sql:Z # Must be superuser to create event trigger - ./volumes/db/webhooks.sql:/docker-entrypoint-initdb.d/init-scripts/98-webhooks.sql:Z # Must be superuser to alter reserved role - ./volumes/db/roles.sql:/docker-entrypoint-initdb.d/init-scripts/99-roles.sql:Z # Initialize the database settings with JWT_SECRET and JWT_EXP - ./volumes/db/jwt.sql:/docker-entrypoint-initdb.d/init-scripts/99-jwt.sql:Z # PGDATA directory is persisted between restarts - ./volumes/db/data:/var/lib/postgresql/data:Z # Changes required for internal supabase data such as _analytics - ./volumes/db/_supabase.sql:/docker-entrypoint-initdb.d/migrations/97-_supabase.sql:Z # Changes required for Analytics support - ./volumes/db/logs.sql:/docker-entrypoint-initdb.d/migrations/99-logs.sql:Z # Changes required for Pooler support - ./volumes/db/pooler.sql:/docker-entrypoint-initdb.d/migrations/99-pooler.sql:Z # Use named volume to persist pgsodium decryption key between restarts - supabase-config:/etc/postgresql-custom healthcheck: test: [ "CMD", "pg_isready", "-U", "postgres", "-h", "localhost" ] interval: 5s timeout: 5s retries: 10 <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service POSTGRES_HOST: /var/run/postgresql PGPORT: 5432 PGPASSWORD: your-super-secret-and-long-postgres-password PGDATABASE: postgres JWT_EXP: 3600 command: [ "postgres", "-c", "config_file=/etc/postgresql/postgresql.conf", "-c", "log_min_messages=fatal" # prevents Realtime polling queries from appearing in logs ] vector: container_name: supabase-vector image: timberio/vector:0.28.1-alpine restart: unless-stopped volumes: - ./volumes/logs/vector.yml:/etc/vector/vector.yml:ro - /var/run/docker.sock:/var/run/docker.sock:ro healthcheck: test: [ "CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://vector:9001/health" ] timeout: 5s interval: 5s retries: 3 <<: *supabase-env-files environment: <<: *supabase-env command: [ "--config", "/etc/vector/vector.yml" ] # Update the DATABASE_URL if you are using an external Postgres database supavisor: container_name: supabase-pooler image: supabase/supavisor:2.4.12 restart: unless-stopped ports: - 5432:5432 - 6543:6543 volumes: - ./volumes/pooler/pooler.exs:/etc/pooler/pooler.exs:ro healthcheck: test: [ "CMD", "curl", "-sSfL", "--head", "-o", "/dev/null", "http://127.0.0.1:4000/api/health" ] interval: 10s timeout: 5s retries: 5 depends_on: db: condition: service_healthy analytics: condition: service_healthy <<: *supabase-env-files environment: <<: *supabase-env # Keep any existing environment variables specific to that service PORT: 4000 DATABASE_URL: ecto://supabase_admin:your-super-secret-and-long-postgres-password@db:5432/_supabase CLUSTER_POSTGRES: true SECRET_KEY_BASE: UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq VAULT_ENC_KEY: your-encryption-key-32-chars-min API_JWT_SECRET: your-super-secret-jwt-token-with-at-least-32-characters-long METRICS_JWT_SECRET: your-super-secret-jwt-token-with-at-least-32-characters-long REGION: local ERL_AFLAGS: -proto_dist inet_tcp POOLER_TENANT_ID: your-tenant-id POOLER_DEFAULT_POOL_SIZE: 20 POOLER_MAX_CLIENT_CONN: 100 POOLER_POOL_MODE: transaction command: [ "/bin/sh", "-c", "/app/bin/migrate && /app/bin/supavisor eval \"$$(cat /etc/pooler/pooler.exs)\" && /app/bin/server" ] volumes: supabase-config: