ContextQMD
Back to Supabase

Database Api 42501 Errors

apps/docs/content/troubleshooting/database-api-42501-errors.mdx

1.26.043.6 KB
Original Source

Postgres 42501 errors, often reported by clients as 401 or 403 errors, imply the request lacked adequate privileges. They can be viewed in the log explorer by running:

sql
select
  cast(postgres_logs.timestamp as datetime) as timestamp,
  event_message,
  parsed.error_severity,
  parsed.user_name,
  parsed.query,
  parsed.detail,
  parsed.hint
from
  postgres_logs
  cross join unnest(metadata) as metadata
  cross join unnest(metadata.parsed) as parsed
where
  regexp_contains(parsed.error_severity, 'ERROR|FATAL|PANIC')
  and parsed.sql_state_code = '42501'
order by timestamp desc
limit 100;

They tend to be caused by one of the following factors.

Attempted to access a forbidden schema

API roles cannot access certain schemas, most notably auth and vault. This restriction extends to Foreign Data Wrappers relying on vault. While you can bypass it using a security definer function, these schemas are intentionally restricted for security reasons.

Attempted to access a custom schema

If you created a custom schema, you will have to give the Database API permission to query it. Follow our Using Custom Schemas guide for more directions.

Missing table-level privileges

If you see an error like permission denied for table your_table, the querying role may not have the required privilege for the operation.

By default, tables in the public schema are granted SELECT, INSERT, UPDATE, and DELETE to the anon and authenticated roles. However, these privileges can be adjusted via the Dashboard Table Editor or via SQL.

To check the current privileges on a table:

sql
select grantee, privilege_type
from information_schema.role_table_grants
where table_name = 'your_table';

To grant a specific privilege to a role:

sql
grant select on table public.your_table to anon;

To grant all privileges:

sql
grant select, insert, update, delete on table public.your_table to anon, authenticated;
<Admonition type="note">

Granting privileges allows access to your table through the Data API, so you should ensure you enable RLS and write appropriate policies to protect your data.

For more information, see Adjusting table-level privileges.

</Admonition>

Configured column-level restrictions

If you've set column-based access in the Dashboard or via SQL, queries will fail with a 42501 error when accessing restricted columns. This includes using select *, as it expands to include forbidden columns.

RLS:

If the anon or authenticated roles attempt to UPDATE or INSERT values without the necessary RLS permissions, Postgres will return a 42501 error.