supabase · avallete · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026
@@ -67,12 +67,6 @@ describe("gen", () => {
       expect(result.stderr).toContain("Project not found");
     });
 
-    testBehaviour("exits non-zero with --lang go when using --project-id", async ({ run }) => {
-      const result = await run(["gen", "types", "--project-id", PROJECT_REF, "--lang", "go"]);
-      expect(result.exitCode).not.toBe(0);
-      expect(result.stderr).toContain("db-url");
-    });
-
     testBehaviour("exits non-zero with no data source specified", async ({ runNoProjectId }) => {
       const result = await runNoProjectId(["gen", "types"]);
       expect(result.exitCode).not.toBe(0);

@@ -5,7 +5,7 @@
 | Path                                      | Format     | When                                                                                     |
 | ----------------------------------------- | ---------- | ---------------------------------------------------------------------------------------- |
 | `~/.supabase/access-token`                | plain text | when `SUPABASE_ACCESS_TOKEN` unset and `--linked` or `--project-id`                      |
-| `<workdir>/supabase/config.toml`          | TOML       | when `--local` (required) or `--db-url` (best-effort) is specified                       |
+| `<workdir>/supabase/config.toml`          | TOML       | when selecting schemas from config; required for `--local`, best-effort otherwise        |
 | `<workdir>/supabase/.temp/rest-version`   | plain text | `--local` only, when `db.major_version > 14` — forces v9 compat if the tag contains `v9` |
 | `<workdir>/supabase/.temp/pgmeta-version` | plain text | `--local` only — overrides the pg-meta docker image tag                                  |
 
@@ -21,33 +21,46 @@ passed via `docker run --env KEY=VALUE` arguments, mirroring Go's
 
 ## API Routes
 
-| Method | Path                                  | Auth         | Request body | Response (used fields)           |
-| ------ | ------------------------------------- | ------------ | ------------ | -------------------------------- |
-| `GET`  | `/v1/projects/{ref}/types/typescript` | Bearer token | none         | TypeScript type definitions text |
-
-Called only for `--linked`, `--project-id`, and the implicit linked-project
-fallback. `--local` and `--db-url` do not call the Management API.
+| Method | Path                                        | Auth         | Request body           | Response (used fields)                     |
+| ------ | ------------------------------------------- | ------------ | ---------------------- | ------------------------------------------ |
+| `GET`  | `/v1/projects/{ref}/types/typescript`       | Bearer token | none                   | TypeScript type definitions text           |
+| `GET`  | `/v1/projects/{ref}`                        | Bearer token | none                   | (presence only; `404` ⇒ branch ref)        |
+| `GET`  | `/v1/branches/{branch_id_or_ref}`           | Bearer token | none                   | `db_host`, `db_port`, `db_user`, `db_pass` |
+| `POST` | `/v1/projects/{ref}/cli/login-role`         | Bearer token | `{ read_only: false }` | temporary `role` and `password`            |
+| `GET`  | `/v1/projects/{ref}/config/database/pooler` | Bearer token | none                   | primary pooler `connection_string`         |
+
+The TypeScript endpoint is called for `--linked`, `--project-id`, and the implicit
+linked-project fallback when `--lang=typescript`. For other languages on those
+project-ref paths, the project endpoint is probed first: a `404` means the ref is a
+preview branch (any 404 body), so the branch endpoint supplies the branch database
+host/port and credentials for pg-meta. Otherwise the database connection is resolved
+for the ref and the login-role endpoint supplies temporary credentials for pg-meta.
+On an IPv4-only network where the direct database host is unreachable, an explicit
+`--project-id` ref additionally fetches the primary pooler config for that ref to
+build an IPv4 connection (the saved workdir `.temp/pooler-url` is ignored because the
+ref may differ from the linked workdir).
+`--local` and `--db-url` do not call the Management API.
 
 ## Subprocesses
 
-| Command                                                                       | When                  | Purpose                                            |
-| ----------------------------------------------------------------------------- | --------------------- | -------------------------------------------------- |
-| `docker container inspect supabase_db_<project_id>`                           | `--local`             | assert `supabase start` is running                 |
-| `docker run --rm --network <net> --env … <pgmeta> node dist/server/server.js` | `--local`, `--db-url` | run pg-meta to generate types from a live database |
+| Command                                                                       | When                                                                  | Purpose                                            |
+| ----------------------------------------------------------------------------- | --------------------------------------------------------------------- | -------------------------------------------------- |
+| `docker container inspect supabase_db_<project_id>`                           | `--local`                                                             | assert `supabase start` is running                 |
+| `docker run --rm --network <net> --env … <pgmeta> node dist/server/server.js` | `--local`, `--db-url`, project-ref paths with non-TypeScript `--lang` | run pg-meta to generate types from a live database |
 
 A raw TCP `SSLRequest` probe is also opened to the target database host/port to
 detect TLS support before launching pg-meta (mirrors Go's `isRequireSSL`).
 
 ## Environment Variables
 
-| Variable                           | Purpose                                                           | Required?                                               |
-| ---------------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------- |
-| `SUPABASE_ACCESS_TOKEN`            | auth token for linked/project-id mode                             | no (falls back to keyring → `~/.supabase/access-token`) |
-| `SUPABASE_API_URL`                 | override Management API base URL                                  | no (defaults to `https://api.supabase.com`)             |
-| `SUPABASE_DB_PASSWORD`             | local database password for `--local`                             | no (defaults to `postgres`)                             |
-| `SUPABASE_SERVICES_HOSTNAME`       | host used for the local TLS probe                                 | no (defaults to `127.0.0.1`)                            |
-| `SUPABASE_INTERNAL_IMAGE_REGISTRY` | pg-meta image registry override (`docker.io` → Docker Hub)        | no (defaults to the ECR registry)                       |
-| `SUPABASE_CA_SKIP_VERIFY`          | when `true`, prints a TLS-verification-disabled warning to stderr | no                                                      |
+| Variable                           | Purpose                                                            | Required?                                                                                                     |
+| ---------------------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------- |
+| `SUPABASE_ACCESS_TOKEN`            | auth token for linked/project-id mode                              | no (falls back to keyring → `~/.supabase/access-token`)                                                       |
+| `SUPABASE_API_URL`                 | override Management API base URL                                   | no (defaults to `https://api.supabase.com`)                                                                   |
+| `SUPABASE_DB_PASSWORD`             | database password for `--local` and the `--linked` workdir project | no (defaults to `postgres`; **ignored** for ad-hoc `--project-id`, which always mints a temporary login role) |
+| `SUPABASE_SERVICES_HOSTNAME`       | host used for the local TLS probe                                  | no (defaults to `127.0.0.1`)                                                                                  |
+| `SUPABASE_INTERNAL_IMAGE_REGISTRY` | pg-meta image registry override (`docker.io` → Docker Hub)         | no (defaults to the ECR registry)                                                                             |
+| `SUPABASE_CA_SKIP_VERIFY`          | when `true`, prints a TLS-verification-disabled warning to stderr  | no                                                                                                            |
 
 ## Exit Codes
 
@@ -79,8 +92,9 @@ Not applicable.
 ## Notes
 
 - Exactly one of `--local`, `--linked`, `--project-id`, or `--db-url` must be specified.
-- `--lang` flag accepts `typescript` (default), `go`, `swift`, or `python`. Non-typescript
-  languages require a direct database connection (`--local` or `--db-url`).
+- `--lang` flag accepts `typescript` (default), `go`, `swift`, or `python`. Project-ref
+  paths use the Management API for TypeScript, and use a project database host +
+  temporary login role + pg-meta for other languages.
 - `--schema` / `-s` accepts a comma-separated list of schemas to include.
 - `--swift-access-control` accepts `internal` (default) or `public`.
 - `--postgrest-v9-compat` generates types compatible with PostgREST v9 and below (requires `--db-url`).