Edge Functions

Serverless functions for operations that must happen on the server — payments, emails, sensitive API calls.

Why First: The API Key in the Browser

You're integrating Razorpay into your app to accept payments. The Razorpay documentation gives you two keys:

A public key (rzp_live_xxxxx) — safe to put in the browser
A secret key (your-secret-key) — must never leave your server

You think: "I'll just put the secret key in my .env file with a VITE_ prefix and use it in my React code."

This is wrong. Every variable with the VITE_ prefix is bundled into your JavaScript and sent to every browser that opens your app. Anyone can open the browser DevTools, look at your JavaScript bundle, search for rzp_, and find your secret key. Within hours, they are using your Razorpay account to process fraudulent transactions.

Edge functions are the solution. They run on Supabase's servers — not in the browser. Your secret keys live there, invisible to any user.

What Edge Functions Are

An edge function is a small server-side function that:

Runs close to your users (on servers distributed globally — "edge" means near the network edge, not the user's device)
Has access to secrets that never reach the browser
Can call any external API with credentials you'd never expose client-side
Is deployed and managed by Supabase — you don't configure servers

Think of it like this — Imagine a trusted accountant who sits between you and the bank. When you need to authorise a payment, you give the accountant a summary (the order details). The accountant has the bank's access codes — which you've never seen and the client has never seen. The accountant talks to the bank on your behalf and reports back: "approved" or "declined." The client never touches the bank's systems directly. Edge functions are your trusted accountant.

When to Use Edge Functions

Use an edge function when the operation:

Requires a secret key — payment processing, email sending, third-party API calls (Razorpay, Resend, Google Maps, Gemini AI)
Must happen server-side for security — verifying a payment signature, checking webhook authenticity
Requires the service_role key — bypassing RLS for admin operations, processing background jobs
Should never be trusted from the client — calculating prices, granting credits, changing sensitive user data

Do NOT use an edge function for:

Simple CRUD operations that RLS can protect
Data that doesn't involve secrets or privilege escalation
Anything you can do safely with the anon key + RLS

The decision rule — If you find yourself thinking "I need to put this API key in my frontend," stop. That is the signal to write an edge function instead. The edge function takes the API key from Supabase secrets, not from your codebase.

The Structure of an Edge Function

Edge functions run on Deno (a secure JavaScript runtime) rather than Node.js — but you write them in the same TypeScript you already know. Claude handles any Deno-specific differences.

Here is the structure of the actual Razorpay payment verification function from Udyogaseva (supabase/functions/razorpay-verify-payment/index.ts).

Every edge function follows this exact pattern:

Handle the CORS preflight request (browsers send this before every real request).

Get secrets from Deno.env.get() — never hardcoded, never from the request body.

Verify the caller is authenticated by checking their JWT token.

Validate the request body — never trust what the client sends.

Do the actual server-side work (call the payment API, send the email, etc.).

Return a response — success or a structured error message.

Always verify the caller's identity (step 3) before using the admin client (step 5). An edge function that skips auth verification and goes straight to privileged operations is a security hole — any request can trigger it, not just your legitimate app users.

The Two Supabase Clients in an Edge Function

Inside an edge function, you create two different Supabase clients with different purposes:

Client 1: The caller's client (anon key + user's JWT)

Client 2: The admin client (service_role key)

The order matters:

Verify who the caller is (client 1)
Verify they are allowed to do what they're requesting (application logic)
Do the privileged operation (client 2)

Never use the admin client before verifying the caller's identity and permissions.

Udyogaseva's Edge Functions

Udyogaseva has 25 edge functions. Here are the categories:

Payment processing:

razorpay-create-order — Creates a Razorpay order (secret key stays server-side)
razorpay-verify-payment — Verifies the payment signature after completion
razorpay-webhook — Processes Razorpay webhook events for payment failures

Email:

send-email — Sends transactional emails via Resend
email-application-received — Notifies recruiters of new applications
email-interview-scheduled — Notifies candidates when an interview is booked
email-status-update — Application status change notifications

AI:

generate-candidate-summary — Calls Google Gemini API to write a profile summary
gemini-proxy — Proxy for Gemini API calls (keeps the API key server-side)

Admin operations:

admin-permanent-delete — Permanently deletes soft-deleted records (super_admin only)
process-account-deletion — Handles GDPR-style account deletion requests
sentry-issues — Proxies the Sentry Issues API (keeps the Sentry token server-side)

Notice: every operation that requires a secret key or elevated privilege is in an edge function. Everything else — CRUD that RLS can protect — is done directly with the Supabase JavaScript client.

Deploying Edge Functions

Write your function in supabase/functions/your-function-name/index.ts.

Set secrets using the CLI: npx supabase secrets set YOUR_SECRET_KEY=value. This stores it encrypted in Supabase's infrastructure — not in your codebase.

Deploy using the CLI: npx supabase functions deploy your-function-name.

Test by calling it from your React app using supabase.functions.invoke('your-function-name', { body: { ... } }).

Secrets set via supabase secrets set are stored encrypted in Supabase's infrastructure — never in your codebase, never in .env, never in Git. This is the only correct way to store API keys used by edge functions. If you put them in .env and reference them from edge function code, they would appear in your codebase and potentially in your Git history.

Your Turn — In the Supabase dashboard, go to Edge Functions. You can see every deployed function, when it was last deployed, and its invocation logs. Click on any function to see its logs — this is where you debug edge function errors in production.

Calling an Edge Function from React

supabase.functions.invoke automatically includes the user's JWT in the request — so your edge function receives the user's authentication without you having to manually attach it.

The Signature Verification Pattern

The Razorpay verification function shows a critical security pattern you will use with any payment provider: cryptographic signature verification.

Razorpay sends a signature with every payment. This signature is a hash of (order_id + "|" + payment_id) using your secret key. You verify it by computing the same hash server-side and comparing. If they match, the payment data is genuine and was not tampered with.

This function runs on the server. The secret key is loaded from Deno.env.get("RAZORPAY_KEY_SECRET"). It never touches the browser. This is why payment integrations require edge functions.

Edge Function File Structure

Each function is in its own folder with an index.ts. Shared code goes in _shared/ and is imported using relative paths.

Keep functions focused. One function, one responsibility. If a function grows beyond ~100 lines, consider splitting it.

Key insight — The structure supabase/functions/function-name/index.ts is not optional. Supabase's deploy command looks for index.ts in each subfolder. Naming it anything else and it will not deploy. Shared utilities go in supabase/functions/_shared/ and are imported with relative paths like ../shared/cors.ts.

Why First: The API Key in the Browser

You're integrating Razorpay into your app to accept payments. The Razorpay documentation gives you two keys:

A public key (rzp_live_xxxxx) — safe to put in the browser
A secret key (your-secret-key) — must never leave your server

You think: "I'll just put the secret key in my .env file with a VITE_ prefix and use it in my React code."

Edge functions are the solution. They run on Supabase's servers — not in the browser. Your secret keys live there, invisible to any user.

What Edge Functions Are

An edge function is a small server-side function that:

Runs close to your users (on servers distributed globally — "edge" means near the network edge, not the user's device)
Has access to secrets that never reach the browser
Can call any external API with credentials you'd never expose client-side
Is deployed and managed by Supabase — you don't configure servers

When to Use Edge Functions

Use an edge function when the operation:

Requires a secret key — payment processing, email sending, third-party API calls (Razorpay, Resend, Google Maps, Gemini AI)
Must happen server-side for security — verifying a payment signature, checking webhook authenticity
Requires the service_role key — bypassing RLS for admin operations, processing background jobs
Should never be trusted from the client — calculating prices, granting credits, changing sensitive user data

Do NOT use an edge function for:

Simple CRUD operations that RLS can protect
Data that doesn't involve secrets or privilege escalation
Anything you can do safely with the anon key + RLS

The Structure of an Edge Function

Edge functions run on Deno (a secure JavaScript runtime) rather than Node.js — but you write them in the same TypeScript you already know. Claude handles any Deno-specific differences.

Here is the structure of the actual Razorpay payment verification function from Udyogaseva (supabase/functions/razorpay-verify-payment/index.ts).

Every edge function follows this exact pattern:

Handle the CORS preflight request (browsers send this before every real request).

Get secrets from Deno.env.get() — never hardcoded, never from the request body.

Verify the caller is authenticated by checking their JWT token.

Validate the request body — never trust what the client sends.

Do the actual server-side work (call the payment API, send the email, etc.).

Return a response — success or a structured error message.

The Two Supabase Clients in an Edge Function

Inside an edge function, you create two different Supabase clients with different purposes:

Client 1: The caller's client (anon key + user's JWT)

Client 2: The admin client (service_role key)

The order matters:

Verify who the caller is (client 1)
Verify they are allowed to do what they're requesting (application logic)
Do the privileged operation (client 2)

Never use the admin client before verifying the caller's identity and permissions.

Udyogaseva's Edge Functions

Udyogaseva has 25 edge functions. Here are the categories:

Payment processing:

razorpay-create-order — Creates a Razorpay order (secret key stays server-side)
razorpay-verify-payment — Verifies the payment signature after completion
razorpay-webhook — Processes Razorpay webhook events for payment failures

Email:

send-email — Sends transactional emails via Resend
email-application-received — Notifies recruiters of new applications
email-interview-scheduled — Notifies candidates when an interview is booked
email-status-update — Application status change notifications

AI:

generate-candidate-summary — Calls Google Gemini API to write a profile summary
gemini-proxy — Proxy for Gemini API calls (keeps the API key server-side)

Admin operations:

admin-permanent-delete — Permanently deletes soft-deleted records (super_admin only)
process-account-deletion — Handles GDPR-style account deletion requests
sentry-issues — Proxies the Sentry Issues API (keeps the Sentry token server-side)

Deploying Edge Functions

Write your function in supabase/functions/your-function-name/index.ts.

Set secrets using the CLI: npx supabase secrets set YOUR_SECRET_KEY=value. This stores it encrypted in Supabase's infrastructure — not in your codebase.

Deploy using the CLI: npx supabase functions deploy your-function-name.

Test by calling it from your React app using supabase.functions.invoke('your-function-name', { body: { ... } }).

Why First: The API Key in the Browser

What Edge Functions Are

When to Use Edge Functions

The Structure of an Edge Function

The Two Supabase Clients in an Edge Function

Udyogaseva's Edge Functions

Deploying Edge Functions

Calling an Edge Function from React

The Signature Verification Pattern

Edge Function File Structure

On this page

Edge Functions

Why First: The API Key in the Browser

What Edge Functions Are

When to Use Edge Functions

The Structure of an Edge Function

The Two Supabase Clients in an Edge Function

Udyogaseva's Edge Functions

Deploying Edge Functions

Calling an Edge Function from React

The Signature Verification Pattern

Edge Function File Structure

On this page