Symptom: No clients receive postgres_changes events for any table. WebSocket handshake succeeds (101). Channel fires SUBSCRIBED on client. But realtime.subscription table count is 0 — no subscription ever registers server-side. Affects all subscribers (admin and authenticated users equally), so this is not RLS-specific.
Diagnostic findings:
Replication slot supabase_realtime_replication_slot_2_94_0_dc6dcf1 is active=true, lag=0 bytes
supabase_realtime publication contains 9 public tables including jobs (verified via pg_publication_tables)
REPLICA IDENTITY = default (primary key) on all subscribed tables
JWT validated client-side, decoded shows correct sub/role/exp
Manual INSERT into realtime.subscription as SET ROLE authenticated fails with: ERROR: 42501: permission denied for table subscription. HINT: Grant the required privileges to the current role with: GRANT INSERT ON realtime.subscription TO authenticated;
Running GRANT INSERT, UPDATE, DELETE ON realtime.subscription TO authenticated reports "Success. No rows returned" — but subsequent information_schema.table_privileges query shows authenticated/anon still only have SELECT. Grant appears to be silently reverted by Supabase managed-schema protection.
Trigger tr_check_filters (BEFORE INSERT/UPDATE) is enabled — but never gets reached due to permission denial
supabase-js client version is current; setAuth fires correctly on SIGNED_IN/INITIAL_SESSION/TOKEN_REFRESHED
realtime.schema_migrations latest: 20260326120000
Request: Please verify project-level realtime configuration. Either (a) authenticated role grants on realtime.subscription need to be restored, or (b) the realtime worker should be inserting subscriptions as supabase_realtime_admin (which has all privileges) rather than the user's role, or (c) some other infrastructure-level fix.
Symptom: No clients receive postgres_changes events for any table. WebSocket handshake succeeds (101). Channel fires SUBSCRIBED on client. But realtime.subscription table count is 0 — no subscription ever registers server-side. Affects all subscribers (admin and authenticated users equally), so this is not RLS-specific.
Diagnostic findings:
Replication slot supabase_realtime_replication_slot_2_94_0_dc6dcf1 is active=true, lag=0 bytes
supabase_realtime publication contains 9 public tables including jobs (verified via pg_publication_tables)
REPLICA IDENTITY = default (primary key) on all subscribed tables
JWT validated client-side, decoded shows correct sub/role/exp
Manual INSERT into realtime.subscription as SET ROLE authenticated fails with: ERROR: 42501: permission denied for table subscription. HINT: Grant the required privileges to the current role with: GRANT INSERT ON realtime.subscription TO authenticated;
Running GRANT INSERT, UPDATE, DELETE ON realtime.subscription TO authenticated reports "Success. No rows returned" — but subsequent information_schema.table_privileges query shows authenticated/anon still only have SELECT. Grant appears to be silently reverted by Supabase managed-schema protection.
Trigger tr_check_filters (BEFORE INSERT/UPDATE) is enabled — but never gets reached due to permission denial
supabase-js client version is current; setAuth fires correctly on SIGNED_IN/INITIAL_SESSION/TOKEN_REFRESHED
realtime.schema_migrations latest: 20260326120000
Request: Please verify project-level realtime configuration. Either (a) authenticated role grants on realtime.subscription need to be restored, or (b) the realtime worker should be inserting subscriptions as supabase_realtime_admin (which has all privileges) rather than the user's role, or (c) some other infrastructure-level fix.