fix: add aud claim to minted JWTs in generate-secrets.sh

↗ view on GitHub · Lef · 2026-05-05 · 9c7218a8

PostgREST is configured with PGRST_JWT_AUD: authenticated. The anon
and service_role JWTs minted by generate-secrets.sh had no aud claim
at all. PostgREST currently accepts a missing aud as a soft-pass
under our config - the smoke test exercised this path and got 200 -
but that is brittle library behaviour and would change between
PostgREST major versions.

Add "aud":"authenticated" to the JWT payload so the audience check
is explicit. GoTrue-issued user JWTs already carry this claim, so
the publishable/secret JWTs now match the user-session shape.

HMAC signing is unchanged. Existing .env files keep working with
their current keys; users who want the new form run
./scripts/generate-secrets.sh --force.
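The claim shape the commit describes, as an added example that is not the project's own generate-secrets.sh: a bash function that mints an HS256 JWT carrying an explicit `aud`, alongside a verifier that treats a missing or mismatched audience as a hard failure rather than the soft pass the message warns about. It assumes bash and the `openssl` CLI; the secret, the `iss` value and the timestamps are constructed placeholders, and the JSON claim extraction uses `sed` only to stay dependency-free.

```bash
#!/usr/bin/env bash
# Added example (not the project's script). Assumes bash + openssl on PATH.
set -euo pipefail

# Constructed placeholder secret; a real one comes from the generator's output.
JWT_SECRET="${JWT_SECRET:-0123456789abcdef0123456789abcdef0123456789ab}"

# base64url without padding, as JWS (RFC 7515) requires.
b64url() { openssl base64 -A | tr -d '\n=' | tr '+/' '-_'; }

# Reverse of b64url: restore '+/' and '=' padding, then decode.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
    1) return 1 ;;   # impossible length for valid base64
    *) : ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

# mint_jwt ROLE [AUD]: print a signed HS256 token. When AUD is omitted the
# payload has no aud claim at all (the pre-fix shape); otherwise aud is set.
mint_jwt() {
  local role="$1" aud="${2:-}"
  local iss="supabase"            # assumed issuer value, not from the page
  local iat=1700000000            # fixed timestamps keep output reproducible
  local exp=$((iat + 10 * 365 * 24 * 3600))
  local header payload sig
  header=$(printf '{"alg":"HS256","typ":"JWT"}' | b64url)
  if [ -n "$aud" ]; then
    payload=$(printf '{"role":"%s","iss":"%s","iat":%d,"exp":%d,"aud":"%s"}' \
      "$role" "$iss" "$iat" "$exp" "$aud" | b64url)
  else
    payload=$(printf '{"role":"%s","iss":"%s","iat":%d,"exp":%d}' \
      "$role" "$iss" "$iat" "$exp" | b64url)
  fi
  sig=$(printf '%s.%s' "$header" "$payload" \
        | openssl dgst -sha256 -hmac "$JWT_SECRET" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_jwt TOKEN EXPECTED_AUD: 0 only if the HMAC matches AND aud equals
# EXPECTED_AUD. A payload with no aud is rejected, not waved through.
verify_jwt() {
  local tok="$1" want_aud="$2"
  local h rest p s expect payload aud
  h=${tok%%.*}; rest=${tok#*.}; p=${rest%%.*}; s=${rest#*.}
  expect=$(printf '%s.%s' "$h" "$p" \
           | openssl dgst -sha256 -hmac "$JWT_SECRET" -binary | b64url)
  # Plain string compare leaks timing; a production verifier should use a
  # constant-time comparison from its JWT library instead.
  [ "$expect" = "$s" ] || { echo "bad signature" >&2; return 1; }
  payload=$(b64url_decode "$p") || { echo "bad payload encoding" >&2; return 1; }
  # Minimal claim extraction; a real verifier parses the JSON (e.g. with jq).
  aud=$(printf '%s' "$payload" | sed -n 's/.*"aud":"\([^"]*\)".*/\1/p')
  [ "$aud" = "$want_aud" ] \
    || { echo "aud mismatch: got '${aud:-<missing>}', want '$want_aud'" >&2; return 1; }
  return 0
}

# Demo: new-shape token passes, old-shape token (no aud) is rejected.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  new=$(mint_jwt service_role authenticated)
  old=$(mint_jwt anon)
  echo "new: $new"
  verify_jwt "$new" authenticated && echo "new token accepted"
  verify_jwt "$old" authenticated || echo "old token rejected (no aud claim)"
fi
```

Running it with an existing `.env` secret exported as `JWT_SECRET` reproduces the generator's HMAC step; the important part is `verify_jwt`, which shows what a strict audience check looks like so you do not rely on PostgREST's current leniency toward a missing `aud`.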
Repository Lef-F/mike
Author Lef <Lef-F@users.noreply.github.com>
Authored
Parents e59f59ea
Stats 1 file changed, +1, -1
Part of Self-host docker-compose stack
