English for Supabase Edge Functions
Learn the English vocabulary for discussing Supabase Edge Functions: Deno runtime, cold starts, service role keys, and invoking functions from a client.
Moving logic into an Edge Function changes both where code runs and how it’s secured, and the vocabulary that separates a normal server route from an edge function is exactly what a security or performance review needs to be precise about.
Key Vocabulary
Edge function — a server-side function deployed to run on Deno-based infrastructure distributed close to users, used in Supabase for logic that needs to happen server-side but shouldn’t be embedded directly in client code, like calling a third-party API with a secret key. “That API key can’t live in the client bundle — move that call into an edge function instead, so the key stays server-side and users only ever call our function, never the third-party API directly.”
Cold start — the added latency on an edge function’s first invocation after a period of inactivity, while the runtime initializes, as opposed to a warm invocation that reuses an already-running instance. “The occasional slow response isn’t a bug in the function logic — it’s a cold start. The function hasn’t been invoked in a while, so this particular request is paying the initialization cost that a warm invocation wouldn’t have.”
Service role key — a privileged API key that bypasses row level security, used inside edge functions for operations that need elevated database access, and never exposed to the client since it grants unrestricted access. “This edge function is using the service role key to insert into the table, which is fine — it runs server-side. But that same key showing up anywhere in client code would mean anyone could bypass our row level security entirely.”
Invocation — a single execution of an edge function, triggered either by an HTTP request, a database webhook, or directly from a Supabase client library call, each producing its own logs and execution context. “We can’t reproduce this bug from the logs because we’re not looking at the right invocation — there were three calls to this function in that time window, and the error is only in the second one.”
Deno runtime — the JavaScript and TypeScript runtime Supabase Edge Functions actually run on, which affects available APIs and module imports, since it isn’t Node.js and doesn’t support Node-specific packages without compatibility shims. “That import is failing because it’s a Node-only package, and edge functions run on the Deno runtime — either find a Deno-compatible alternative or check whether the specific package works through Deno’s npm compatibility layer.”
Common Phrases
- “Does this logic need to be in an edge function, or can the client call the database directly?”
- “Is this latency a cold start, or is the function itself actually slow?”
- “Is the service role key only used inside the edge function, or has it leaked into the client anywhere?”
- “Which invocation are we actually looking at in these logs?”
- “Is this package compatible with the Deno runtime, or is it Node-only?”
Example Sentences
Justifying a security fix: “We moved the payment provider call into an edge function because the API key was previously in client-side code — anyone could open dev tools and extract it. Now the client just invokes our function, and the key never leaves the server.”
Explaining a performance complaint: “The first request after a quiet period is slow because of a cold start, not a bug — the function runtime needs to initialize. If this endpoint needs consistently low latency, we’d need to look at keeping it warm, not at optimizing the function code itself.”
Flagging a dangerous exposure in review: “This client-side code is using the service role key directly, which completely bypasses row level security for whoever has it — that key belongs only inside an edge function, never shipped to the browser.”
Professional Tips
- Move any logic that needs a secret, like an API key, into an edge function rather than the client — the function acts as a boundary that keeps the secret server-side while still letting the client trigger the behavior.
- Explain cold start latency explicitly when a teammate reports “occasional slowness” — distinguishing a cold start from an actual performance bug in the function logic changes what needs fixing.
- Treat the service role key as one of the most sensitive secrets in the system — it bypasses row level security entirely, and it should never appear in client-side code or version control.
- Check the specific invocation in logs, by timestamp or request ID, rather than assuming the most recent log entry is the relevant one — edge functions can be invoked frequently, and misreading which invocation you’re debugging wastes time.
- Verify a package works on the Deno runtime before depending on it inside an edge function — Node-specific packages can fail in ways that aren’t obvious from the import statement alone.
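A check that backs up the service role key tip above, as an added example that is not part of the original page: it scans text headed for the browser for JWT-shaped strings and reports any whose payload carries the `service_role` role. It assumes JWT-format Supabase keys with a `role` claim; the function names and the sample bundles are constructed for illustration.

```typescript
// Added example: report the role claim of every JWT-shaped string in built client code.
type Finding = { role: string; offset: number };

// Base64url segment -> text. atob() accepts input without "=" padding.
function b64urlDecode(seg: string): string {
  return atob(seg.replace(/-/g, "+").replace(/_/g, "/"));
}

function b64urlEncode(text: string): string {
  return btoa(text).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function findJwtRoles(text: string): Finding[] {
  // header.payload.signature; JSON objects encode to segments starting with "eyJ".
  const jwtRe = /eyJ[A-Za-z0-9_-]+\.(eyJ[A-Za-z0-9_-]+)\.[A-Za-z0-9_-]+/g;
  const findings: Finding[] = [];
  let m: RegExpExecArray | null;
  while ((m = jwtRe.exec(text)) !== null) {
    try {
      const payload = JSON.parse(b64urlDecode(m[1]));
      if (typeof payload.role === "string") {
        findings.push({ role: payload.role, offset: m.index });
      }
    } catch {
      // JWT-shaped, but the payload is not valid JSON: not a key, skip it.
    }
  }
  return findings;
}

function leaksServiceRole(text: string): boolean {
  return findJwtRoles(text).some((f) => f.role === "service_role");
}

// Constructed sample tokens (placeholder signature, not real keys).
function makeToken(role: string): string {
  const header = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64urlEncode(JSON.stringify({ iss: "supabase", role: role }));
  return header + "." + payload + ".c2lnbmF0dXJl";
}

const okBundle = 'createClient(url, "' + makeToken("anon") + '")';
const badBundle = 'createClient(url, "' + makeToken("service_role") + '")';

console.log(findJwtRoles(okBundle), leaksServiceRole(badBundle));
```

Run over the built client bundle in CI, a `true` from `leaksServiceRole` is a reason to fail the build and rotate the key.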
Practice Exercise
- Explain why a call that needs a secret API key should be made from an edge function rather than the client.
- Describe what a cold start is and how it differs from a normal invocation.
- Write a sentence explaining why the service role key should never appear in client-side code.