feat: Replace get_anon_key with get_publishable_keys (#167)

* feat: replace get_anon_key with get_anon_or_publishable_keys

- Replace get_anon_key tool with get_anon_or_publishable_keys to support both legacy and modern API keys
- Add ApiKeyType type and apiKeyTypeSchema for proper type safety
- Update getAnonOrPublishableKeys to return array of structured ApiKey objects
- Filter for client-safe keys (legacy 'anon' or 'publishable' type)
- Update tests to verify both legacy and publishable keys are returned
- Update README documentation to reflect new tool
- Improve error messages and provide guidance on key types

Fixes AI-166

* feat: indicate disabled legacy API keys to LLMs

- Add 'disabled' field to ApiKey type to track key status
- Check legacy keys endpoint to determine if legacy keys are disabled
- Mark legacy keys with disabled: true when they are disabled
- Gracefully handle legacy endpoint failures by omitting disabled field
- Update tool description to inform LLMs about disabled keys
- Add test coverage for disabled legacy keys scenario

Addresses feedback from PR #167 about disabled legacy keys not being indicated to LLMs

* fix: correct path parameter in legacy keys mock endpoint

Use :ref instead of :projectId to match the actual API endpoint path parameter

* fix test

* refactor: rename get_anon_or_publishable_keys to get_publishable_keys and update description for LLM compatibility

* refactor: rename getAnonOrPublishableKeys to getPublishableKeys in DevelopmentOperations implementation

Author: Rodriguespn

README.md

@@ -195,7 +195,7 @@ Enabled by default. Use `debugging` to target this group of tools with the [`fea
 Enabled by default. Use `development` to target this group of tools with the [`features`](#feature-groups) option.
 
 - `get_project_url`: Gets the API URL for a project.
-- `get_anon_key`: Gets the anonymous API key for a project.
+- `get_anon_or_publishable_keys`: Gets the anonymous API keys for a project. Returns an array of client-safe API keys including legacy anon keys and modern publishable keys. Publishable keys are recommended for new applications.
 - `generate_typescript_types`: Generates TypeScript types based on the database schema. LLMs can save this to a file and use it in their code.
 
 #### Edge Functions

packages/mcp-server-supabase/src/platform/api-platform.ts

@@ -21,6 +21,8 @@ import {
   getLogsOptionsSchema,
   resetBranchOptionsSchema,
   type AccountOperations,
+  type ApiKey,
+  type ApiKeyType,
   type ApplyMigrationOptions,
   type BranchingOperations,
   type CreateBranchOptions,
@@ -301,7 +303,7 @@ export function createSupabaseApiPlatform(
       const apiUrl = new URL(managementApiUrl);
       return `https://${projectId}.${getProjectDomain(apiUrl.hostname)}`;
     },
-    async getAnonKey(projectId: string): Promise<string> {
+    async getPublishableKeys(projectId: string): Promise<ApiKey[]> {
       const response = await managementApiClient.GET(
         '/v1/projects/{ref}/api-keys',
         {
@@ -318,13 +320,54 @@ export function createSupabaseApiPlatform(
 
       assertSuccess(response, 'Failed to fetch API keys');
 
-      const anonKey = response.data?.find((key) => key.name === 'anon');
+      // Try to check if legacy JWT-based keys are enabled
+      // If this fails, we'll continue without the disabled field
+      let legacyKeysEnabled: boolean | undefined = undefined;
+      try {
+        const legacyKeysResponse = await managementApiClient.GET(
+          '/v1/projects/{ref}/api-keys/legacy',
+          {
+            params: {
+              path: {
+                ref: projectId,
+              },
+            },
+          }
+        );
+
+        if (legacyKeysResponse.response.ok) {
+          legacyKeysEnabled = legacyKeysResponse.data?.enabled ?? true;
+        }
+      } catch (error) {
+        // If we can't fetch legacy key status, continue without it
+        legacyKeysEnabled = undefined;
+      }
+
+      // Filter for client-safe keys: legacy 'anon' or publishable type
+      const clientKeys =
+        response.data?.filter(
+          (key) => key.name === 'anon' || key.type === 'publishable'
+        ) ?? [];
 
-      if (!anonKey?.api_key) {
-        throw new Error('Anonymous key not found');
+      if (clientKeys.length === 0) {
+        throw new Error(
+          'No client-safe API keys (anon or publishable) found. Please create a publishable key in your project settings.'
+        );
       }
 
-      return anonKey.api_key;
+      return clientKeys.map((key) => ({
+        api_key: key.api_key!,
+        name: key.name,
+        type: (key.type === 'publishable'
+          ? 'publishable'
+          : 'legacy') satisfies ApiKeyType,
+        // Only include disabled field if we successfully fetched legacy key status
+        ...(legacyKeysEnabled !== undefined && {
+          disabled: key.type === 'legacy' && !legacyKeysEnabled,
+        }),
+        description: key.description ?? undefined,
+        id: key.id ?? undefined,
+      }));
     },
     async generateTypescriptTypes(projectId: string) {
       const response = await managementApiClient.GET(

packages/mcp-server-supabase/src/platform/types.ts

@@ -212,9 +212,21 @@ export type DebuggingOperations = {
   getPerformanceAdvisors(projectId: string): Promise<unknown>;
 };
 
+export const apiKeyTypeSchema = z.enum(['legacy', 'publishable']);
+export type ApiKeyType = z.infer<typeof apiKeyTypeSchema>;
+
+export type ApiKey = {
+  api_key: string;
+  name: string;
+  type: ApiKeyType;
+  description?: string;
+  id?: string;
+  disabled?: boolean;
+};
+
 export type DevelopmentOperations = {
   getProjectUrl(projectId: string): Promise<string>;
-  getAnonKey(projectId: string): Promise<string>;
+  getPublishableKeys(projectId: string): Promise<ApiKey[]>;
   generateTypescriptTypes(
     projectId: string
   ): Promise<GenerateTypescriptTypesResult>;

packages/mcp-server-supabase/src/server.test.ts

@@ -608,7 +608,7 @@ describe('tools', () => {
     expect(result).toEqual(`https://${project.id}.supabase.co`);
   });
 
-  test('get anon key', async () => {
+  test('get anon or publishable keys', async () => {
     const { callTool } = await setup();
     const org = await createOrganization({
       name: 'My Org',
@@ -623,12 +623,31 @@ describe('tools', () => {
     project.status = 'ACTIVE_HEALTHY';
 
     const result = await callTool({
-      name: 'get_anon_key',
+      name: 'get_publishable_keys',
       arguments: {
         project_id: project.id,
       },
     });
-    expect(result).toEqual('dummy-anon-key');
+
+    expect(result).toBeInstanceOf(Array);
+    expect(result.length).toBe(2);
+
+    // Check legacy anon key
+    const anonKey = result.find((key: any) => key.name === 'anon');
+    expect(anonKey).toBeDefined();
+    expect(anonKey.api_key).toEqual('dummy-anon-key');
+    expect(anonKey.type).toEqual('legacy');
+    expect(anonKey.id).toEqual('anon-key-id');
+    expect(anonKey.disabled).toBe(true);
+
+    // Check publishable key
+    const publishableKey = result.find(
+      (key: any) => key.type === 'publishable'
+    );
+    expect(publishableKey).toBeDefined();
+    expect(publishableKey.api_key).toEqual('sb_publishable_dummy_key_1');
+    expect(publishableKey.type).toEqual('publishable');
+    expect(publishableKey.description).toEqual('Main publishable key');
   });
 
   test('list storage buckets', async () => {
@@ -2609,7 +2628,7 @@ describe('feature groups', () => {
 
     expect(toolNames).toEqual([
       'get_project_url',
-      'get_anon_key',
+      'get_publishable_keys',
       'generate_typescript_types',
     ]);
   });

packages/mcp-server-supabase/src/tools/development-tools.ts

@@ -31,10 +31,11 @@ export function getDevelopmentTools({
         return development.getProjectUrl(project_id);
       },
     }),
-    get_anon_key: injectableTool({
-      description: 'Gets the anonymous API key for a project.',
+    get_publishable_keys: injectableTool({
+      description:
+        'Gets all publishable API keys for a project, including legacy anon keys (JWT-based) and modern publishable keys (format: sb_publishable_...). Publishable keys are recommended for new applications due to better security and independent rotation. Legacy anon keys are included for compatibility, as many LLMs are pretrained on them. Disabled keys are indicated by the "disabled" field; only use keys where disabled is false or undefined.',
       annotations: {
-        title: 'Get anon key',
+        title: 'Get publishable keys',
         readOnlyHint: true,
         destructiveHint: false,
         idempotentHint: true,
@@ -45,7 +46,7 @@ export function getDevelopmentTools({
       }),
       inject: { project_id },
       execute: async ({ project_id }) => {
-        return development.getAnonKey(project_id);
+        return development.getPublishableKeys(project_id);
       },
     }),
     generate_typescript_types: injectableTool({

packages/mcp-server-supabase/test/mocks.ts

@@ -254,10 +254,29 @@ export const mockManagementApi = [
       {
         name: 'anon',
         api_key: 'dummy-anon-key',
+        type: 'legacy',
+        id: 'anon-key-id',
+      },
+      {
+        name: 'publishable-key-1',
+        api_key: 'sb_publishable_dummy_key_1',
+        type: 'publishable',
+        id: 'publishable-key-1-id',
+        description: 'Main publishable key',
       },
     ]);
   }),
 
+  /**
+   * Check if legacy API keys are enabled
+   */
+  http.get(
+    `${API_URL}/v1/projects/:projectId/api-keys/legacy`,
+    ({ params }) => {
+      return HttpResponse.json({ enabled: false });
+    }
+  ),
+
   /**
    * Execute a SQL query on a project's database
    */