Storage

Overview

Supabase Storage makes it simple to store and serve large files.

Files

Files can be any sort of media file. This includes images, GIFs, and videos. It is best practice to store files outside of your database because of their sizes.

Folders

Folders are a way to organize your files (just like on your computer). There is no right or wrong way to organize your files. You can store them in whichever folder structure suits your project.

Buckets

Buckets are distinct containers for files and folders. You can think of them like "super folders". Generally you would create distinct buckets for different Security and Access Rules. For example, you might keep all public files in a "public" bucket, and other files that require logged-in access in a "restricted" bucket.

Getting started

This is a quick guide that shows the basic functionality of Supabase Storage. Find a full example application in GitHub, which you can deploy yourself.

Note before begin : File, Folder, and Bucket names must follow AWS Safe Characters naming guideline and avoid use of any other characters

Create a bucket

You can create a bucket using the Supabase Dashboard. Since the storage is interoperable with your Postgres database, you can also use SQL or our client libraries. Here we create a bucket called "avatars":

Dashboard

1. Go to the Storage page in the Dashboard.
2. Click New Bucket and enter a name for the bucket.
3. Click Create Bucket.

SQL

-- Use Postgres to create a bucket.

insert into storage.buckets (id, name)
values ('avatars', 'avatars');

JavaScript

// Use the JS library to create a bucket.

const { data, error } = await supabase.storage.createBucket('avatars')

Reference.

Dart

void main() async {
  final client = SupabaseClient('supabaseUrl', 'supabaseKey');

  final storageResponse = await client
      .storage
      .createBucket('avatars');
}

Reference.

Upload a file

You can upload a file from the Dashboard, or within a browser using our JS libraries.

Dashboard

1. Go to the Storage page in the Dashboard.
2. Select the bucket you want to upload the file to.
3. Click Upload File.
4. Select the file you want to upload.

JavaScript

const avatarFile = event.target.files[0]
const { data, error } = await supabase.storage
  .from('avatars')
  .upload('public/avatar1.png', avatarFile)

Reference.

Dart

void main() async {
  final client = SupabaseClient('supabaseUrl', 'supabaseKey');

  // Create file `example.txt` and upload it in `public` bucket
  final file = File('example.txt');
  file.writeAsStringSync('File content');
  final storageResponse = await client
      .storage
      .from('public')
      .upload('example.txt', file);
}

Download a file

You can download a file from the Dashboard, or within a browser using our JS libraries.

Dashboard

1. Go to the Storage page in the Dashboard.
2. Select the bucket that contains the file.
3. Select the file that you want to download.
4. Click Download.

JavaScript

// Use the JS library to create a bucket.

const { data, error } = await supabase.storage.from('avatars').download('public/avatar1.png')

Reference.

Dart

void main() async {
  final client = SupabaseClient('supabaseUrl', 'supabaseKey');

  final storageResponse = await client
      .storage
      .from('public')
      .download('example.txt');
}

Add security rules

To restrict access to your files you can use either the Dashboard or SQL.

Dashboard

1. Go to the Storage page in the Dashboard.
2. Click Policies in the sidebar.
3. Click Add Policies in the OBJECTS table to add policies for Files. You can also create policies for Buckets.
4. Choose whether you want the policy to apply to downloads (SELECT), uploads (INSERT), updates (UPDATE), or deletes (DELETE).
5. Give your policy a unique name.
6. Write the policy using SQL.

SQL

-- Use SQL to create a policy.

create policy "Public Access"
  on storage.objects for select
  using ( bucket_id = 'public' );

Helpers

Supabase Storage is configured with database SQL helper functions which you can use in your database queries and policies.

---

storage.filename()

Returns the name of a file.

select storage.filename(name)
from storage.objects;

For example, if your file is stored in public/subfolder/avatar.png it would return:

'avatar.png'

---

storage.foldername()

Returns an array path, with all of the subfolders that a file belongs to.

select storage.foldername(name)
from storage.objects;

For example, if your file is stored in public/subfolder/avatar.png it would return:

[ 'public', 'subfolder' ]

---

storage.extension()

Returns the extension of a file.

select storage.extension(name)
from storage.objects;

For example, if your file is stored in public/subfolder/avatar.png it would return:

'png'

---

Accessing objects

For private buckets, you can access objects via the download method. This corresponds to /object/auth/ API endpoint. Alternatively, you can create a publicly shareable URL with an expiry date using the createSignedUrl method which calls the /object/sign/ API.

For public buckets, you can access the assets directly without a token or an Authorisation header. The getPublicUrl helper method returns the full public URL for an asset. This calls the /object/public/ API endpoint internally.

Advanced: reverse proxy

The URLs returned are proxied through the API Proxy. They are prefixed by /storage/v1.

For example, on the hosted Platform they will be

https://[project_ref].supabase.co/storage/v1/object/public/[id]

You can access the storage API directly with the same endpoint. See the API docs for a full list of operations available.

---

Security

Supabase Storage is integrated with your Postgres Database. This means that you can use the same Policy engine for managing access to your files.

Policy Examples

Here are some examples to show you the power of PostgreSQL's Row Level Security. Each policy is attached to a table, and the policy is executed every time a table is accessed.

Allow public access to a bucket

-- 1. Allow public access to any files in the "public" bucket
create policy "Public Access"
on storage.objects for select
using ( bucket_id = 'public' );

Allow logged-in access to a bucket

-- 1. Allow logged-in access to any files in the "restricted" bucket
create policy "Restricted Access"
on storage.objects for select
using (
  bucket_id = 'restricted'
  and auth.role() = 'authenticated'
);

Allow individual access to a file

-- 1. Allow a user to access their own files
create policy "Individual user Access"
on storage.objects for select
using ( auth.uid() = owner );

Resources

• Find the API server on GitHub: github.com/supabase/storage-api
• Find the Swagger API Docs online: supabase.github.io/storage-api
• Official client libraries documentation: JavaScript and Dart.
• Community libraries: github.com/supabase-community

Next steps

• Got a question? Ask here.
• Read more about storage in our blog post.
• Sign in: app.supabase.com