
Edge function JWT verification settings ignored during function updates #4059

@brainwavecoder9

Bug report

Describe the bug

The --no-verify-jwt flag in the Supabase CLI does not seem to be applied correctly during edge function deployment. Functions deployed with this flag still have JWT verification enabled in the dashboard, despite the CLI indicating successful deployment with the flag.

NOTE: I specifically encountered this for functions originally deployed with the standard approach.

To Reproduce

Steps to reproduce the behavior:

  1. Create an edge function (e.g., my-function) & deploy it
    supabase functions deploy my-function
  2. Create a supabase/config.toml file with:
    [functions.my-function]
    verify_jwt = false
  3. Deploy the function using the CLI:
    supabase functions deploy my-function #To use toml flag
    supabase functions deploy my-function --no-verify-jwt #To update directly
  4. Check the function configuration in the Supabase Dashboard
  5. OBSERVED: The "Verify JWT with legacy secret" toggle is still ENABLED (green) in the dashboard
  6. EXPECTED: The toggle should be DISABLED (gray) since --no-verify-jwt was specified

Expected behavior

When deploying an edge function with the --no-verify-jwt flag / toml setting:

  • The function should have JWT verification disabled
  • The dashboard should show "Verify JWT with legacy secret" toggle as OFF
  • The function should accept requests with only the apikey header (no Authorization header required)

System information

  • supabase --version 2.33.9
  • Using new API key format: sb_publishable_... w/legacy disabled

Additional context

Workaround that works:

  • Manually deleting and re-creating the functions does work correctly (I did not specify --no-verify-jwt -- the toml seemed to be enough)
  • This suggests the config/flag works for initial deployment but not for updates, at least in my specific case

CLI behavior observed:

  • When deploying with --no-verify-jwt, CLI shows "No change found in Function" even when toggling the flag on/off
  • This suggests the CLI may not be detecting the JWT verification setting as a change that needs to be applied

Impact:

  • Functions continue to return 401 "Invalid JWT" errors when called with publishable keys

Other Potential Considerations:

  • This may be related to caching or the way the CLI tracks function configuration changes
  • The config.toml file setting may not be taking precedence over existing function settings during updates

Labels: bug
