Supabase Storage MCP

create_signed_urls

Generate multiple secure download URLs for batch file access from Supabase Storage buckets with configurable expiration times.

Instructions

Generate multiple signed download URLs in a single request for batch operations

Input Schema

TableJSON Schema

Name	Required	Description
`bucket_name`	Yes	Source bucket
`file_paths`	Yes	Array of file paths to generate URLs for
`expires_in`	No	URL expiration in seconds (default: 3600)

Implementation Reference

src/index.ts:842-932 (handler)

The primary handler function for the 'create_signed_urls' tool. It destructures arguments (bucket_name, file_paths, expires_in), performs input validation, iterates over each file_path to generate signed URLs via supabase.storage.createSignedUrl(), handles individual errors, tracks success/failure counts, audits the request, and returns a comprehensive batch result including per-file details and overall statistics.

async function handleCreateSignedUrls(args: any, requestId: string, startTime: number) {
  const { bucket_name, file_paths, expires_in = 3600 } = args;
  
  const inputHash = generateSecureHash(JSON.stringify({ bucket_name, file_count: file_paths.length, expires_in }));
  
  try {
    // Input validation
    if (!bucket_name || typeof bucket_name !== 'string') {
      throw new Error('Invalid bucket_name parameter');
    }
    
    if (!Array.isArray(file_paths) || file_paths.length === 0) {
      throw new Error('file_paths must be a non-empty array');
    }
    
    if (file_paths.length > 100) {
      throw new Error('Cannot generate more than 100 URLs in a single request');
    }
    
    const results = [];
    let successCount = 0;
    let errorCount = 0;
    
    // Process each file path
    for (const filePath of file_paths) {
      try {
        const { data, error } = await supabase.storage
          .from(bucket_name)
          .createSignedUrl(filePath, expires_in);
        
        if (error) {
          results.push({
            file_path: filePath,
            signed_url: '',
            expires_at: '',
            success: false,
            error: error.message
          });
          errorCount++;
        } else {
          const expiresAt = new Date(Date.now() + expires_in * 1000).toISOString();
          results.push({
            file_path: filePath,
            signed_url: data.signedUrl,
            expires_at: expiresAt,
            success: true
          });
          successCount++;
        }
      } catch (error) {
        results.push({
          file_path: filePath,
          signed_url: '',
          expires_at: '',
          success: false,
          error: getErrorMessage(error)
        });
        errorCount++;
      }
    }
    
    const successRate = file_paths.length > 0 ? `${Math.round((successCount / file_paths.length) * 100)}%` : '0%';
    
    auditRequest('create_signed_urls', successCount > 0, inputHash);
    
    const result: SignedUrlBatchResult = {
      urls: results,
      total_files: file_paths.length,
      successful_urls: successCount,
      failed_urls: errorCount,
      success_rate: successRate,
      expires_in
    };
    
    return {
      content: [
        {
          type: 'text',
          text: JSON.stringify({
            ...result,
            request_id: requestId,
            processing_time: Date.now() - startTime
          }, null, 2)
        }
      ]
    };
  } catch (error) {
    auditRequest('create_signed_urls', false, inputHash, getErrorMessage(error));
    throw error;
  }
}

src/index.ts:246-275 (schema)

Input schema definition for the create_signed_urls tool, specifying required bucket_name and file_paths array (1-100 items), optional expires_in (60s-7d, default 3600s), with length constraints and no additional properties.

inputSchema: {
  type: 'object',
  properties: {
    bucket_name: {
      type: 'string',
      description: 'Source bucket',
      minLength: 3,
      maxLength: 63
    },
    file_paths: {
      type: 'array',
      description: 'Array of file paths to generate URLs for',
      items: {
        type: 'string',
        maxLength: 1024
      },
      minItems: 1,
      maxItems: 100
    },
    expires_in: {
      type: 'number',
      description: 'URL expiration in seconds (default: 3600)',
      minimum: 60,
      maximum: 604800,
      default: 3600
    }
  },
  required: ['bucket_name', 'file_paths'],
  additionalProperties: false
}

src/index.ts:244-276 (registration)

MCP tool registration block in the ListToolsRequestSchema handler, defining the tool's name, description, and inputSchema for discovery by MCP clients.

  name: 'create_signed_urls',
  description: 'Generate multiple signed download URLs in a single request for batch operations',
  inputSchema: {
    type: 'object',
    properties: {
      bucket_name: {
        type: 'string',
        description: 'Source bucket',
        minLength: 3,
        maxLength: 63
      },
      file_paths: {
        type: 'array',
        description: 'Array of file paths to generate URLs for',
        items: {
          type: 'string',
          maxLength: 1024
        },
        minItems: 1,
        maxItems: 100
      },
      expires_in: {
        type: 'number',
        description: 'URL expiration in seconds (default: 3600)',
        minimum: 60,
        maximum: 604800,
        default: 3600
      }
    },
    required: ['bucket_name', 'file_paths'],
    additionalProperties: false
  }
},

src/index.ts:482-483 (registration)
Dispatch case in the main CallToolRequestSchema switch statement that routes 'create_signed_urls' requests to the handleCreateSignedUrls handler function.
```
case 'create_signed_urls':
  return await handleCreateSignedUrls(args, requestId, startTime);
```

Tool Definition Quality

C2.9/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It mentions generating 'signed download URLs' which implies authentication/authorization needs, but doesn't specify what permissions are required, whether URLs are time-limited (beyond the 'expires_in' parameter), or what happens on failure. The batch nature suggests efficiency gains, but no rate limits or error handling details are provided.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, well-structured sentence that efficiently communicates the core functionality. Every word earns its place: 'Generate' (action), 'multiple signed download URLs' (what), 'in a single request' (how), 'for batch operations' (why). No wasted words or redundant information.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool that generates authenticated URLs (a security-sensitive operation) with no annotations and no output schema, the description is insufficient. It doesn't explain what the signed URLs enable, what format they return in, error conditions, or security implications. The batch operation context is mentioned but not elaborated, leaving significant gaps in understanding the tool's complete behavior.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The description doesn't add any meaningful parameter information beyond what's already in the schema (which has 100% coverage). It mentions 'multiple signed download URLs' which aligns with the 'file_paths' array parameter, but provides no additional context about path formats, bucket naming conventions, or expiration behavior that isn't already documented in the schema descriptions.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('Generate multiple signed download URLs') and resource ('in a single request for batch operations'), making the purpose immediately understandable. However, it doesn't explicitly differentiate from siblings like 'get_file_url' or 'download_file', which likely serve similar purposes but for single files or different contexts.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description mentions 'batch operations' which implies usage when multiple URLs are needed, but provides no explicit guidance on when to use this tool versus alternatives like 'get_file_url' or 'download_file'. There's no mention of prerequisites, performance considerations, or specific scenarios where this tool is preferred over others.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Desmond-Labs/supabase-storage-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server