feat(supabase): W3C/OpenTelemetry trace context propagation

[grdsdev]

Summary

Adds opt-in W3C / OpenTelemetry trace context propagation for HTTP requests to Supabase services (Auth, Storage, PostgREST, Functions). Enables end-to-end distributed tracing from client applications through Supabase services.

Design principles:

• Opt-in by default — zero behavior change for existing consumers; trace headers are never attached unless explicitly enabled.
• Security-scoped — when enabled, headers are propagated only to Supabase domains (*.supabase.co, *.supabase.in, localhost) so trace context never leaks to third-party services.
• Optional peer dep — uses @opentelemetry/api via runtime dynamic import; if it's not installed, the SDK silently no-ops.
• Zero breaking changes — existing API untouched; one new optional field on SupabaseClientOptions.
• Centralized injection — single fetchWithAuth injection point covers Auth, Storage, PostgREST, and Functions.

How to opt in

The simplest form is a boolean:

import { createClient } from '@supabase/supabase-js'

const supabase = createClient('https://xyzcompany.supabase.co', 'publishable-key', {
  tracePropagation: true,
})

Once enabled, requests issued inside an active OTel span automatically carry traceparent / tracestate / baggage:

import { trace } from '@opentelemetry/api'

const tracer = trace.getTracer('my-app')
await tracer.startActiveSpan('fetch-users', async (span) => {
  // traceparent / tracestate / baggage are injected on this request
  const { data, error } = await supabase.from('users').select('*')
  span.end()
})

For advanced configuration, pass an object:

const supabase = createClient(url, key, {
  tracePropagation: {
    enabled: true,
    respectSamplingDecision: false, // always propagate, even for non-sampled traces
  },
})

TracePropagationOptions

interface TracePropagationOptions {
  // Enable trace propagation. Default: false (opt-in).
  enabled?: boolean

  // When true, skip propagation if the upstream traceparent's sampled flag is 0.
  // Default: true.
  respectSamplingDecision?: boolean
}

Changes

New package: @supabase/tracing (internal)

Shared package in packages/shared/tracing/ providing:

• extractTraceContext() — extracts W3C traceparent, tracestate, and baggage from the active OpenTelemetry context. The dynamic import to @opentelemetry/api is cached at module scope (one resolution per process) and routed through a variable specifier with bundler-ignore comments so webpack / turbopack / vite / rollup don't try to statically resolve the optional peer dep at build time.
• parseTraceParent() — validates and parses W3C traceparent format.
• shouldPropagateToTarget() — URL validation against allowed targets (string exact, wildcard, RegExp, or function matcher). Accepts either a string or a pre-parsed URL to avoid double-parsing on the hot path.
• getDefaultPropagationTargets() — returns the allowlist for a given project URL: the exact project hostname, the wildcard strings *.supabase.co / *.supabase.in, and the localhost loopback addresses. Wildcards are linear-time string suffix checks (no regex, no ReDoS surface).

@supabase/supabase-js

• SupabaseClient.ts — threads tracePropagation settings through to fetchWithAuth.
• fetch.ts — when enabled is true, propagation targets are computed once at client construction (not per request). When disabled (the default), the per-request path skips all tracing work behind a single truthy check.
• types.ts — adds tracePropagation?: TracePropagationOptions | boolean to SupabaseClientOptions.
• helpers.ts — applySettingDefaults normalizes boolean → { enabled } and falls back to the disabled-by-default object.

Architecture

User code (with active OTel span)
  ↓
SupabaseClient (tracePropagation enabled?)
  ↓
Auth / Storage / PostgREST / Functions
  ↓
fetchWithAuth  ← single injection point, targets pre-computed
  ↓
HTTP request with traceparent / tracestate / baggage (when enabled and matched)

Per-request overhead

• Disabled (default): sub-microsecond — one boolean check.
• Enabled, no OTel installed: under 10 µs — hostname suffix check; the OTel import() is cached after the first attempt.
• Enabled, OTel active, Supabase target: ~100–300 µs — dominated by propagation.inject(). Negligible compared to a typical 5–50 ms network RTT.

Testing

• 60 unit tests in packages/shared/tracing/test/.
• 10 fetch / trace-propagation tests in packages/core/supabase-js/test/unit/fetch.test.ts (covers default-off, boolean shorthand, non-Supabase domains, sampling decisions, existing-header preservation).
• All unit tests passing.

Test plan

npx nx build supabase-js
npx nx test @supabase/tracing
npx nx test supabase-js

References

• W3C Trace Context Specification
• OpenTelemetry Context Propagation
• Linear SDK-578

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 2cfd0095-8111-44c8-b7d2-e794cb4a3ab1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2163

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2163

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2163

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2163

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2163

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2163

commit: 21a3186

[Tofandel]

This PR breaks the build on react native ios builds (metro bundler), specifically this

otelModulePromise = import(/* webpackIgnore: true */
                                                        ^ Invalid expression encountered
(warning truncated)

I believe a
/* @metro-ignore */ is needed as well

[mandarini]

Working on it! @Tofandel

[mandarini]

@Tofandel Can you please test 2.106.1-beta.0? It's a beta release from #2381

[mandarini]

Ref: #2380