Inconsistent JWT behavior in Edge Functions with verify_jwt = true #44229
Unanswered
savantechavidus asked this question in Questions
Replies: 1 comment
The new asymmetric JWTs will not work with JWT checking enabled. Also the new publishable and secret keys will not work with it.
We are experiencing inconsistent JWT authentication behavior in Supabase Edge Functions when verify_jwt = true is enabled.
Specifically, valid user JWTs sometimes result in 401: Invalid JWT, while using the anon key in the Authorization header works consistently.
Environment
Supabase project: (new project with JWT signing keys enabled – RS256)
Edge Functions: Enabled with verify_jwt = true
Client: @supabase/supabase-js v2
Auth persistence: persistSession: true, autoRefreshToken: true
Runtime: Browser (React/Vite setup)
Observed Behavior
When calling the Edge Function without Authorization header:
Result: 401 Unauthorized (expected)
When calling with:
Result: ✅ Works successfully
When calling with:
Result: ❌ Intermittent 401 Invalid JWT
Logs show that:
In some cases, the Authorization header is missing or contains Bearer undefined
In other cases, valid JWTs are correctly processed
Key Finding
The issue appears to be related to timing of session availability on the client side.
When using:
const { data } = await supabase.auth.getSession();
We observed that:
Immediately after app load, data.session may be null
This results in:
Which leads to 401 Invalid JWT
However:
Once the session is fully restored (async from localStorage), valid JWTs work correctly
Expected Behavior
We expected one of the following:
Either:
supabase.functions.invoke() automatically attaches the current session JWT (if available)
Or:
A clearer error or documented behavior indicating that session restoration is asynchronous and must be awaited before making authenticated requests
Questions
Is it expected that supabase.auth.getSession() may return null during initial app load even when persistSession: true is enabled?
Is there a recommended pattern to ensure JWT is reliably available before invoking Edge Functions?
Is there any plan for automatic JWT injection in functions.invoke() similar to how queries handle auth?
Workaround
We resolved the issue by:
Ensuring session is available before invoking functions:
if (!session) throw new Error("User not authenticated");
Or delaying API calls until onAuthStateChange fires
Additional Note
This behavior can be misleading because:
Using the anon key works (valid JWT with role: anon)
But user JWT fails intermittently due to timing, not validity
Summary
The issue is not JWT validity, but session availability timing, which results in:
Bearer undefined
leading to 401 Invalid JWT
Clarification or improvements in SDK behavior or documentation would help avoid this confusion.
Thank you.
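The workaround described in the post (wait for the session before invoking, and throw instead of sending an empty token), written out as an added example that is not code from the discussion or from Supabase. The only supabase-js v2 calls it relies on are `supabase.auth.getSession()`, `supabase.auth.onAuthStateChange()` and `supabase.functions.invoke(name, { headers })`, all of which exist; `FakeAuth`, `makeFakeClient`, the function name `hello-world` and the token value are constructed stand-ins so the file runs offline. Note that this only fixes the client-side timing problem; it does not change what the gateway's `verify_jwt` accepts, which the reply above says is a separate issue with the new asymmetric keys.

```javascript
// Added example, not code from the discussion or from Supabase: make sure the
// persisted session has finished restoring before invoking an Edge Function
// that runs with verify_jwt = true, and never send "Bearer undefined".
//
// Real supabase-js v2 methods assumed (the only client API used):
//   supabase.auth.getSession()            -> { data: { session }, error }
//   supabase.auth.onAuthStateChange(cb)   -> { data: { subscription } }
//   supabase.functions.invoke(name, opts) -> opts.headers.Authorization is sent
// FakeAuth / makeFakeClient below are constructed stand-ins so this runs offline.

// Build the header only when a real access token exists. Returning null (rather
// than the string "Bearer undefined") lets the caller fail fast instead of
// sending a request the gateway will reject with 401 Invalid JWT.
function authorizationHeader(session) {
  const token = session && session.access_token;
  if (typeof token !== "string" || token.length === 0) return null;
  return `Bearer ${token}`;
}

// Resolve with the session as soon as the client has one: immediately if
// getSession() already returns it, otherwise on the next onAuthStateChange
// event that carries a session (INITIAL_SESSION, SIGNED_IN, TOKEN_REFRESHED).
async function waitForSession(auth, timeoutMs = 5000) {
  const { data } = await auth.getSession();
  if (data && data.session) return data.session;

  return new Promise((resolve, reject) => {
    let settled = false;
    let subscription = null;
    const timer = setTimeout(
      () => finish(reject, new Error(`no session restored within ${timeoutMs} ms`)),
      timeoutMs,
    );
    function finish(fn, value) {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      if (subscription) subscription.unsubscribe();
      fn(value);
    }
    ({ data: { subscription } } = auth.onAuthStateChange((_event, session) => {
      if (session) finish(resolve, session);
    }));
    if (settled) subscription.unsubscribe(); // listener fired synchronously
  });
}

// Invoke an Edge Function with the user's JWT; refuse to call it with no token,
// which is what the "Bearer undefined" requests in the post's logs amount to.
async function invokeWithUserJwt(supabase, fnName, body) {
  const session = await waitForSession(supabase.auth);
  const header = authorizationHeader(session);
  if (header === null) throw new Error("User not authenticated");
  return supabase.functions.invoke(fnName, { body, headers: { Authorization: header } });
}

// --- constructed stand-in for the supabase-js client (offline only) ---
class FakeAuth {
  constructor() { this.session = null; this.listeners = new Set(); }
  async getSession() { return { data: { session: this.session }, error: null }; }
  onAuthStateChange(cb) {
    this.listeners.add(cb);
    return { data: { subscription: { unsubscribe: () => this.listeners.delete(cb) } } };
  }
  // Simulates the asynchronous restore from localStorage that the post describes.
  restore(session) {
    this.session = session;
    for (const cb of [...this.listeners]) cb("INITIAL_SESSION", session);
  }
}

function makeFakeClient() {
  const sent = [];
  return {
    auth: new FakeAuth(),
    functions: {
      invoke: async (name, opts) => {
        sent.push({ name, authorization: opts.headers.Authorization });
        return { data: { ok: true }, error: null };
      },
    },
    sent,
  };
}

// Scenario from the post: the call is made on app load, before the session is
// back; the session arrives a few ms later and the request goes out with it.
async function demo() {
  const client = makeFakeClient();
  const pending = invokeWithUserJwt(client, "hello-world", { ping: true });
  setTimeout(() => client.auth.restore({ access_token: "constructed.jwt.token" }), 10);
  await pending;
  return client.sent[0].authorization; // "Bearer constructed.jwt.token"
}

demo().then((h) => console.log("sent Authorization:", h));
```

With a real client, `invokeWithUserJwt(supabase, "my-function", body)` replaces a bare `supabase.functions.invoke(...)` in the React startup path; the timeout keeps a never-restored session (user signed out, storage cleared) from hanging the UI instead of silently sending the anon key.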