[pull] master from supabase:master

apps/docs/content/guides/self-hosting.mdx

@@ -1,45 +1,37 @@
 ---
 title: 'Self-Hosting'
 description: 'Host Supabase on your own infrastructure.'
-subtitle: 'Install and run your own Supabase.'
+subtitle: 'Install and run your own Supabase on your computer, server, or cloud infrastructure.'
 hideToc: true
 ---
 
-Self-hosted Supabase lets you run the entire Supabase stack on your own computer, server, or cloud infrastructure.
+## Get started
 
-This is different from:
-
-- **Supabase CLI / Local Development**: A lightweight [local environment](/docs/guides/local-development) for development and testing only.
-- **Managed Supabase** platform: If you want to try managed Supabase for free, visit [supabase.com/dashboard](/dashboard).
-
-Self-hosting is a good fit if you need full control over your data, have compliance requirements that prevent using managed services, or want to run Supabase in an isolated environment.
-
-## No telemetry
-
-Self-hosted Supabase does not phone home or collect any telemetry.
-
-## Enterprise
-
-If you're an enterprise using self-hosted Supabase, we'd love to hear from you. Reach out to our [Growth Team](https://forms.supabase.com/enterprise) to discuss your use case, share feedback, or explore design partnership opportunities.
-
-## Officially supported
+The fastest and recommended way to self-host Supabase is using Docker.
 
 <div className="grid md:grid-cols-12 gap-4 not-prose">
-  <div className="md:col-span-6 xl:col-span-3 relative" key="/guides/self-hosting/docker">
+  <div className="md:col-span-6 xl:col-span-4 relative" key="/guides/self-hosting/docker">
     <Link href="/guides/self-hosting/docker" passHref>
-      <GlassPanel title="Docker">
-
+      <GlassPanel icon={'/docs/img/icons/docker'} hasLightIcon={true}
+        title={
+            <span className="flex items-center gap-2">
+              Docker
+              <Badge variant="success">Official</Badge>
+            </span>
+          }
+        showIconBg={true}
+      >
       Deploy Supabase within your own infrastructure using Docker Compose.
       </GlassPanel>
     </Link>
 
   </div>
 </div>
 
-## Community supported
+## Other deployment options
 
 {/* supa-mdx-lint-disable-next-line Rule004ExcludeWords */}
-There are several community-driven projects to help you deploy Supabase. These projects may be outdated and are seeking active maintainers. If you're interested in maintaining one of these projects, [contact the community team](/open-source/contributing/supasquad).
+There are several other ways to deploy Supabase with the help of community-driven projects. These projects may be outdated and are seeking active maintainers. If you're interested in maintaining one of these projects, [contact the Community team](/open-source/contributing/supasquad).
 
 <div className="grid md:grid-cols-12 gap-4 not-prose">
   {community.map((x) => (
@@ -49,17 +41,17 @@ There are several community-driven projects to help you deploy Supabase. These p
           title={
             <span className="flex items-center gap-2">
               {x.name}
-              <span className="uppercase text-xs whitespace-nowrap text-foreground-lighter font-mono border rounded-full px-2 py-0.5">
-                Maintainer needed
-              </span>
+                  <Badge>Maintainer needed</Badge>
             </span>
           }
         >
           {x.description}
         </GlassPanel>
       </Link>
     </div>
-  ))}
+
+))}
+
 </div>
 
 export const community = [
@@ -75,7 +67,22 @@ export const community = [
   },
 ]
 
-## Responsibility model
+## About self-hosting
+
+Self-hosting is a good fit if you need full control over your data, have compliance requirements that prevent using managed services, or want to run Supabase in an isolated environment.
+
+### How self-hosted Supabase differs
+
+Self-hosted Supabase is different from:
+
+- **Supabase CLI** (local development), which is intended for development and testing only.
+- **Managed Supabase** platform, which is fully hosted and operated by Supabase.
+
+### Telemetry
+
+Self-hosted Supabase does not phone home or collect any telemetry.
+
+### Your responsibilities when self-hosting
 
 When you self-host, **you are responsible for**:
 
@@ -85,14 +92,16 @@ When you self-host, **you are responsible for**:
 - Backups and disaster recovery
 - Monitoring and uptime
 
-## Support and troubleshooting
+## Support and community
+
+Self-hosted Supabase is community-supported.
 
-For resolving common issues, see:
+For resolving common issues:
 
 - [GitHub Discussions](https://github.com/orgs/supabase/discussions?discussions_q=is%3Aopen+label%3Aself-hosted) - Questions, feature requests, and workarounds
 - [GitHub Issues](https://github.com/supabase/supabase/issues?q=is%3Aissue%20state%3Aopen%20label%3Aself-hosted) - Known issues
 
-Self-hosted Supabase is community-supported. Get help and connect with other users:
+Get help and connect with other users:
 
 - [Discord](https://discord.supabase.com) - Real-time chat and community support
   {/* supa-mdx-lint-disable-next-line Rule003Spelling */}
@@ -101,3 +110,7 @@ Self-hosted Supabase is community-supported. Get help and connect with other use
 Share your self-hosting experience:
 
 - [GitHub Discussions](https://github.com/orgs/supabase/discussions/39820) - "Self-hosting: What's working (and what's not)?"
+
+### Enterprise self-hosting
+
+If you're an enterprise using self-hosted Supabase, we'd love to hear from you. Reach out to our [Growth Team](https://forms.supabase.com/enterprise) to discuss your use case, share feedback, or explore design partnership opportunities.

apps/docs/content/guides/self-hosting/docker.mdx

@@ -133,13 +133,25 @@ While we provided example placeholder passwords and keys in the `.env.example` f
 
 <Admonition type="danger">
 
-  Follow all of the steps in this section to ensure you have a secure setup, and only then start all services.
+  Review the configuration options below and ensure you set all secrets before starting the services.
 
 </Admonition>
 
+### Quick setup (experimental)
+
+To generate and apply all secrets at once you can run:
+
+```sh
+sh ./utils/generate-keys.sh
+```
+
+The script is experimental, so review the output before proceeding and also check `.env` after it's updated by the script.
+
+Alternatively, configure all secrets manually as follows.
+
 ### Configure database password
 
-Change the placeholder password in the `.env` file **before** starting your Supabase for the first time.
+Change the placeholder password in the `.env` file **before** starting Supabase for the first time.
 
 - `POSTGRES_PASSWORD`: the password for the `postgres` and `supabase_admin` database roles
 
@@ -264,7 +276,9 @@ psql 'postgres://postgres.[POOLER_TENANT_ID]:[POSTGRES_PASSWORD]@[your-domain]:6
 
 When using `psql` with command-line parameters instead of a connection string to connect to Supavisor, the `-U` parameter should also be `postgres.[POOLER_TENANT_ID]`, and not just `postgres`.
 
-If for some reason you need to configure Postgres to be directly accessible from the Internet, read [Exposing your Postgres database](#exposing-your-postgres-database) below.
+If you need to configure Postgres to be directly accessible from the Internet, read [Exposing your Postgres database](#exposing-your-postgres-database).
+
+To change the database password, read [Changing database password](#changing-database-password).
 
 ### Accessing Edge Functions
 
@@ -479,6 +493,16 @@ After restarting, you can connect to the database directly using a standard Post
 postgres://postgres:[POSTGRES_PASSWORD]@[your-server-ip]:5432/[POSTGRES_DB]
 ```
 
+### Changing database password
+
+To change the database password after initial setup, run:
+
+```sh
+sh ./utils/db-passwd.sh
+```
+
+The script generates a new password, updates all database roles, and modifies your `.env` file. After running it, restart the services with `docker compose up -d --force-recreate`.
+
 #### File storage backend on macOS
 
 By default, Storage backend is set to `file`, which is to use local files as the storage backend. For macOS compatibility, you need to choose `VirtioFS` as the Docker container file sharing implementation (in Docker Desktop -> Preferences -> General).

apps/docs/content/guides/telemetry/metrics/grafana-cloud.mdx

@@ -59,5 +59,3 @@ The [`docs/example-alerts.md`](https://github.com/supabase/supabase-grafana/blob
 - Metrics missing? Ensure the Grafana Cloud agent can reach `https://<project-ref>.supabase.co` and that the selected service role key is still valid.
 - 401 errors? Rotate the service role key from the [API settings page](/dashboard/project/_/settings/api-keys) and update the Grafana Cloud credentials.
 - Long scrape durations? Reduce label cardinality in your Grafana queries or lower the time range to focus on recent data.
-
-[← Back to the Metrics API landing](/guides/telemetry/metrics)

apps/docs/content/guides/telemetry/metrics/grafana-self-hosted.mdx

@@ -80,5 +80,3 @@ You now have over 200 production-ready panels covering CPU, IO, WAL, replication
 - **Multiple projects:** add one scrape job per project ref so you can separate metrics and labels cleanly.
 - **Right-sizing guidance:** pair the dashboards with Supabase’s [Query Performance report](/dashboard/project/_/observability/query-performance) and [Advisors](/dashboard/project/_/observability/database) to decide when to optimize vs upgrade.
 - **Security:** rotate the service role key on a regular cadence and update the Prometheus config accordingly.
-
-[← Back to the Metrics API landing](/guides/telemetry/metrics)

apps/docs/content/guides/telemetry/metrics/vendor-agnostic.mdx

@@ -68,5 +68,3 @@ No matter which collector you use, you need to hit the Metrics API once per minu
 - Create one scrape job per project ref so you can control sampling individually.
 - If you run many projects, consider templating the scrape jobs via Helm, Terraform, or the Grafana Agent Operator.
 - Use label joins (`project`, `instance_class`, `org`) to aggregate across tenants or environments.
-
-[← Back to the Metrics API landing](/guides/telemetry/metrics)

apps/docs/features/docs/MdxBase.shared.tsx

@@ -1,6 +1,6 @@
 import { ArrowDown, Check, X } from 'lucide-react'
 import Link from 'next/link'
-import { Button, Image } from 'ui'
+import { Badge, Button, Image } from 'ui'
 import { Admonition, type AdmonitionProps } from 'ui-patterns/admonition'
 import { GlassPanel } from 'ui-patterns/GlassPanel'
 import { IconPanel } from 'ui-patterns/IconPanel'
@@ -45,6 +45,7 @@ const components = {
   AuthSmsProviderConfig,
   AppleSecretGenerator,
   AuthProviders,
+  Badge,
   Button,
   ButtonCard,
   CodeSampleDummy,

apps/docs/spec/supabase_js_v2.yml

@@ -1235,7 +1235,7 @@ functions:
         3. `invite` – Used when verifying an OTP sent as part of an invitation to join a project or organization.
         4. `email_change` – Used when verifying an OTP sent to a new email address during an email update process.
       - The verification type used should be determined based on the corresponding auth method called before `verifyOtp` to sign up / sign-in a user.
-      - The `TokenHash` is contained in the [email templates](/docs/guides/auth/auth-email-templates) and can be used to sign in. You may wish to use the hash with Magic Links for the PKCE flow for Server Side Auth. See [this guide](/docs/guides/auth/server-side/email-based-auth-with-pkce-flow-for-ssr) for more details.
+      - The `TokenHash` is contained in the [email templates](/docs/guides/auth/auth-email-templates) and can be used to sign in.  You may wish to use the hash for the PKCE flow for Server Side Auth. Read [the Password-based Auth guide](/docs/guides/auth/passwords) for more details.
     examples:
       - id: verify-signup-one-time-password(otp)
         name: Verify Signup One-Time Password (OTP)

apps/docs/spec/supabase_py_v2.yml

@@ -1059,7 +1059,7 @@ functions:
     notes: |
       - The `verify_otp` method takes in different verification types. If a phone number is used, the type can either be `sms` or `phone_change`. If an email address is used, the type can be one of the following: `email`, `recovery`, `invite` or `email_change` (`signup` and `magiclink` types are deprecated).
       - The verification type used should be determined based on the corresponding auth method called before `verify_otp` to sign up / sign-in a user.
-      - The `TokenHash` is contained in the [email templates](/docs/guides/auth/auth-email-templates) and can be used to sign in. You may wish to use the hash with Magic Links for the PKCE flow for Server Side Auth. See [this guide](/docs/guides/auth/server-side/email-based-auth-with-pkce-flow-for-ssr) for more details.
+      - The `TokenHash` is contained in the [email templates](/docs/guides/auth/auth-email-templates) and can be used to sign in. You may wish to use the hash for the PKCE flow for Server Side Auth. Read [the Password-based Auth guide](/docs/guides/auth/passwords) for more details.
     examples:
       - id: verify-signup-one-time-password(otp)
         name: Verify Signup One-Time Password (OTP)

apps/www/lib/redirects.js

@@ -2649,12 +2649,12 @@ module.exports = [
   {
     permanent: true,
     source: '/docs/guides/auth/server-side/email-based-auth-with-pkce-flow-for-ssr',
-    destination: '/docs/guides/auth/server-side',
+    destination: '/docs/guides/auth/passwords',
   },
   {
     permanent: true,
     source: '/docs/guides/auth/server-side/oauth-with-pkce-flow-for-ssr',
-    destination: '/docs/guides/auth/server-side',
+    destination: '/docs/guides/auth/passwords',
   },
   {
     permanent: true,