Storage
Supabase Storage makes it simple to store and serve large files.
Files#
Files can be any sort of media file. This includes images, GIFs, and videos. It is best practice to store files outside of your database because of their sizes. For security, HTML files are returned as plain text.
Folders#
Folders are a way to organize your files (just like on your computer). There is no right or wrong way to organize your files. You can store them in whichever folder structure suits your project.
Buckets#
Buckets are distinct containers for files and folders. You can think of them like "super folders". Generally you would create distinct buckets for different Security and Access Rules. For example, you might keep all video files in a "video" bucket, and profile pictures in an "avatar" bucket.
Getting started#
This is a quick guide that shows the basic functionality of Supabase Storage. Find a full example application in GitHub, which you can deploy yourself.
note
File, Folder, and Bucket names must follow AWS object key naming guidelines and avoid use of any other characters.
Create a bucket#
You can create a bucket using the Supabase Dashboard. Since the storage is interoperable with your Postgres database, you can also use SQL or our client libraries. Here we create a bucket called "avatars":
- Go to the Storage page in the Dashboard.
- Click New Bucket and enter a name for the bucket.
- Click Create Bucket.
Upload a file#
You can upload a file from the Dashboard, or within a browser using our JS libraries.
- Go to the Storage page in the Dashboard.
- Select the bucket you want to upload the file to.
- Click Upload File.
- Select the file you want to upload.
Download a file#
You can download a file from the Dashboard, or within a browser using our JS libraries.
- Go to the Storage page in the Dashboard.
- Select the bucket that contains the file.
- Select the file that you want to download.
- Click Download.
Add security rules#
To restrict access to your files you can use either the Dashboard or SQL.
- Go to the Storage page in the Dashboard.
- Click Policies in the sidebar.
- Click Add Policies in the
OBJECTS
table to add policies for Files. You can also create policies for Buckets. - Choose whether you want the policy to apply to downloads (SELECT), uploads (INSERT), updates (UPDATE), or deletes (DELETE).
- Give your policy a unique name.
- Write the policy using SQL.
Public and Private Buckets#
Storage buckets are private by default.
For private buckets, you can access objects via the download method. This corresponds to /object/auth/
API endpoint.
Alternatively, you can create a publicly shareable URL with an expiry date using the createSignedUrl method
which calls the /object/sign/
API.
For public buckets, you can access the assets directly without a token or an Authorisation header. The getPublicUrl
helper method returns the full public URL for an asset. This calls the /object/public/
API endpoint internally. While no authorization is required for accessing objects in a public bucket, proper access control is required for other operations like uploading, deleting objects from public buckets as well.
Public buckets also tend to have better performance.
Advanced: reverse proxy
The URLs returned are proxied through the API Proxy. They are prefixed by/storage/v1
For example, on the hosted Platform they will be
https://[project_ref].supabase.co/storage/v1/object/public/[id]
You can access the storage API directly with the same endpoint. See the API docs for a full list of operations available.
Access control#
Supabase Storage is integrated with your Postgres Database.
This means that you can use the same Row Level Security Policies
for managing access to your files. Supabase Storage stores metadata in the objects
and buckets
table in the storage schema. To allow read access to files, the RLS policy must allow users to SELECT
the objects
table and for uploading a new object, the RLS policy must grant users access to INSERT
into the objects
table and so on. The mapping between the different API calls and the database permissions required is documented in the Reference docs.
note
Access control for Storage is mapped to CRUD operations on the buckets
and objects
table via RLS policies.
Helpers#
Supabase Storage provides SQL helper functions which you can use in your database queries and policies.
storage.filename()
Returns the name of a file.
1select storage.filename(name) 2from storage.objects;
For example, if your file is stored in public/subfolder/avatar.png
it would return:
'avatar.png'
storage.foldername()
Returns an array path, with all of the subfolders that a file belongs to.
1select storage.foldername(name) 2from storage.objects;
For example, if your file is stored in public/subfolder/avatar.png
it would return:
[ 'public', 'subfolder' ]
storage.extension()
Returns the extension of a file.
1select storage.extension(name) 2from storage.objects;
For example, if your file is stored in public/subfolder/avatar.png
it would return:
'png'
Policy examples#
Here are some examples of storage policies.
Allow public access to a bucket#
1-- 1. Allow public access to any files in the "public" bucket
2create policy "Public Access"
3on storage.objects for select
4using ( bucket_id = 'public' );
Allow logged-in access to a bucket#
1-- 1. Allow logged-in access to any files in the "restricted" bucket
2create policy "Restricted Access"
3on storage.objects for select
4using (
5 bucket_id = 'restricted'
6 and auth.role() = 'authenticated'
7);
Allow individual access to a file#
1-- 1. Allow a user to access their own files
2create policy "Individual user Access"
3on storage.objects for select
4using ( auth.uid() = owner );
See also#
- Read more about Supabase Storage in the blog post
- Supabase Storage on GitHub
- Swagger API documentation
- Official JavaScript and Dart documentation
- Community libraries