
Refactor authentication logic in fetch.ts #1415


Closed

Conversation

kausikds

@kausikds kausikds commented May 19, 2025

What kind of change does this PR introduce?

  • 🛠 Refactor (Code improvement without changing functionality)

What is the current behavior?

  • fetch.ts currently sets accessToken using a nullish coalescing (??) fallback.

  • This can lead to unintended behavior where supabaseKey is assigned if getAccessToken() returns undefined or null.

Before (Current behavior):

const accessToken = (await getAccessToken()) ?? supabaseKey;

if (!headers.has('Authorization')) {
  headers.set('Authorization', `Bearer ${accessToken}`)
}

What is the new behavior?

  • The refactored code separates token retrieval from fallback logic.

  • Now, authentication headers are set only if accessToken exists.

  • This improves clarity and avoids accidental assignment of Authorization: Bearer undefined.

After (Refactored behavior):

const accessToken = await getAccessToken()

if (accessToken && !headers.has('Authorization')) {
  headers.set('Authorization', `Bearer ${accessToken}`)
}

Additional context

  • This change improves readability without altering core functionality.

  • No breaking changes expected.

  • Code remains compatible with the existing authentication flow.

@kausikds
Author

Hello @grdsdev , could you please review the pull request?

@j4w8n
Contributor

j4w8n commented May 26, 2025

supabaseKey needs to be the fallback here. If something goes wrong elsewhere, it ensures any requests to supabase are at least using the anon key.

@mandarini mandarini self-assigned this Jul 24, 2025
@mandarini
Contributor

Hi @kausikds! Thank you for taking the time to contribute to Supabase and for thinking about code clarity. I appreciate your attention to detail!

However, I need to close this PR because the current implementation is actually working as intended. Let me explain why the fallback to supabaseKey is essential. Supabase is designed to work in two modes:

  1. Authenticated requests: When a user is logged in, we use their JWT token
  2. Anonymous requests: When no user is logged in, we use the supabaseKey (typically the anon key)

The line const accessToken = (await getAccessToken()) ?? supabaseKey ensures that:

  • Public resources remain accessible - Many Supabase projects have public tables/functions that should work without user authentication
  • Row Level Security (RLS) policies work correctly - RLS policies can be designed to handle both authenticated users and anonymous access
  • Service keys function properly - Server-side usage often relies on service keys when no user session exists
  • API requests always have authorization - The Supabase API expects an Authorization header in all requests

If we removed the fallback (?? supabaseKey):

  • Anonymous users couldn't access public resources
  • Requests would fail with authentication errors when they should succeed
  • Server-side applications would break when no user session exists

Consider a blog app where:

  • Logged-in users can see private posts (uses JWT token)
  • Anonymous visitors can see public posts (uses anon key)

The proposed change would prevent anonymous visitors from seeing public posts, breaking the intended functionality.

Thanks again for the contribution! If you have other ideas for improvements, please don't hesitate to open discussions or issues, and tag me! I'll be happy to take a look!

@mandarini mandarini closed this Jul 24, 2025
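The following is an added worked example, not code from supabase-js or from anyone in this thread. It models the two header-building strategies compared in the PR description (the current `?? supabaseKey` fallback versus the proposed "set Authorization only when a token exists") and runs both through the two request modes the reviewer describes (a logged-in user with a JWT, and an anonymous caller). The key values, the `Map`-based header container standing in for `Headers`, and the `resolveRole` function standing in for the API's server-side check are all assumptions made for illustration; they are not Supabase's gateway logic.

```typescript
// Added example (not supabase-js code). Models the Authorization-header
// handling debated in this PR with a plain Map instead of fetch.ts/Headers.
// SUPABASE_ANON_KEY, USER_JWT and resolveRole are illustrative stand-ins.

type Role = "anon" | "authenticated" | "rejected";
type Token = string | null | undefined;

// Constructed placeholder values; real project keys are project-specific JWTs.
const SUPABASE_ANON_KEY = "sb-anon-key-example";
const USER_JWT = "user-session-jwt-example";

// "Before": the current fetch.ts behaviour. A missing session (null or
// undefined) falls back to the project key, so every request carries a Bearer.
function withFallback(
  token: Token,
  supabaseKey: string,
  headers: Map<string, string> = new Map(),
): Map<string, string> {
  const accessToken = token ?? supabaseKey;
  if (!headers.has("Authorization")) {
    headers.set("Authorization", `Bearer ${accessToken}`);
  }
  return headers;
}

// "After": the behaviour proposed by the PR. With no session, no
// Authorization header is set at all.
function withoutFallback(
  token: Token,
  headers: Map<string, string> = new Map(),
): Map<string, string> {
  if (token && !headers.has("Authorization")) {
    headers.set("Authorization", `Bearer ${token}`);
  }
  return headers;
}

// Stand-in for the API side, following the reviewer's description: the
// project key maps to the anon role, a user JWT to the authenticated role,
// and a request with no Authorization header is rejected. This is an
// assumption for illustration, not the real gateway's logic.
function resolveRole(headers: Map<string, string>, supabaseKey: string): Role {
  const value = headers.get("Authorization");
  if (!value || !value.startsWith("Bearer ")) return "rejected";
  const token = value.slice("Bearer ".length);
  if (token === supabaseKey) return "anon";
  return token ? "authenticated" : "rejected";
}

// Run both strategies through the scenarios the thread discusses.
function compareStrategies(): Record<string, { before: Role; after: Role }> {
  const scenarios: Record<string, Token> = {
    loggedIn: USER_JWT,            // getAccessToken() resolved to a session JWT
    anonymousNull: null,           // getAccessToken() resolved to null
    anonymousUndefined: undefined, // ... or to undefined
  };
  const out: Record<string, { before: Role; after: Role }> = {};
  for (const [name, token] of Object.entries(scenarios)) {
    out[name] = {
      before: resolveRole(withFallback(token, SUPABASE_ANON_KEY), SUPABASE_ANON_KEY),
      after: resolveRole(withoutFallback(token), SUPABASE_ANON_KEY),
    };
  }
  return out;
}

// Under both strategies a caller-supplied Authorization header is left alone.
function callerHeaderIsKept(): boolean {
  const preset: [string, string][] = [["Authorization", "Bearer caller-supplied"]];
  const before = withFallback(null, SUPABASE_ANON_KEY, new Map(preset));
  const after = withoutFallback(USER_JWT, new Map(preset));
  return before.get("Authorization") === "Bearer caller-supplied"
    && after.get("Authorization") === "Bearer caller-supplied";
}

// Async wrapper with the same shape as the fetch.ts snippet, for a stand-alone run.
async function applyAuth(
  getAccessToken: () => Promise<Token>,
  supabaseKey: string,
): Promise<Map<string, string>> {
  return withFallback(await getAccessToken(), supabaseKey);
}

void applyAuth(async () => null, SUPABASE_ANON_KEY).then((headers) => {
  console.log("no session, with fallback:", headers.get("Authorization"));
  console.log(JSON.stringify(compareStrategies(), null, 2));
});
```

The comparison makes the reviewers' objection concrete: for a logged-in user both strategies produce the same authenticated request, but for an anonymous caller the fallback yields an anon-role request while the proposed change yields a request with no Authorization header at all, which is the case the thread says must keep working.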