The delete-account Edge Function permanently removes a user account from CloudSyncPro. It verifies the caller’s Supabase session, requires the user to confirm their own email address, and then uses the service role key to call auth.admin.deleteUser. Because the auth.users row is the root of the foreign-key graph, the deletion cascades through all Postgres tables — workspace memberships, files, activity logs, notifications, and any other user-owned data — in a single operation.
Account deletion is permanent and irreversible. There is no grace period, soft-delete, or recovery path. All files, workspaces, and associated data are destroyed immediately.

Endpoint

POST /functions/v1/delete-account

Authentication

The request must be made by the account owner using their active session:
| Header | Value |
| --- | --- |
| Authorization | Bearer <access_token> — the user’s Supabase session token |
| apikey | Your Supabase anonymous key |
The function resolves the caller’s identity from the JWT. The SUPABASE_SERVICE_ROLE_KEY is used server-side only — it is never exposed to the client — to call the admin delete API after all checks pass.

Request body

confirmEmail (string, required)
The user’s own email address, provided as a confirmation step. The value is compared case-insensitively against the email on record in the session. If they do not match, the request is rejected with 400. This prevents accidental deletions triggered by UI bugs or CSRF-style mistakes.

Response

A successful 200 response returns:
success (boolean)
Always true when the account has been deleted. The session token used to authenticate the request is immediately invalidated.

What gets deleted

Calling this function triggers the following permanent removals:
  • Supabase auth record — the auth.users row and all associated OAuth identities
  • Workspace memberships — all rows where the user is a member (via FK cascade)
  • Files and folders — all file and folder records owned by or accessible only through the user (via FK cascade)
  • R2 objects — the physical file blobs in Cloudflare R2 that back the deleted file records
  • Activity log entries — all workspace activity attributed to this user
  • Notifications — all in-app notifications for this user
  • User profile data — display name, avatar, and any other profile fields stored in Postgres
Workspaces where the user is the sole member are also removed. Workspaces with other remaining members are preserved; the deleted user is simply removed from the members list.

Error responses

| Status | Error message | Cause |
| --- | --- | --- |
| 400 | Confirmation email does not match | confirmEmail was absent or did not match the session email |
| 401 | Missing authorization header | No Authorization header was sent |
| 401 | Invalid session | The bearer token is invalid or expired |
| 500 | Failed to delete account | The auth.admin.deleteUser call failed |
| 500 | Internal server error | An unexpected error occurred |
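
The check order described on this page (session, then confirmEmail, then the admin delete) can be sketched as below. This is an added example, not CloudSyncPro's source: handleDeleteAccount, Deps, getUser and deleteUser are hypothetical names, and the two dependencies are synchronous stand-ins for the Supabase calls so the sketch runs offline.

```typescript
// Added sketch, not the project's code. All names here are hypothetical.
type SessionUser = { id: string; email: string };
type Result = { status: number; body: { success: true } | { error: string } };

interface Deps {
  // Stand-in for resolving the JWT to a user (null = invalid or expired).
  getUser(token: string): SessionUser | null;
  // Stand-in for auth.admin.deleteUser; returns false when the call fails.
  deleteUser(userId: string): boolean;
}

function handleDeleteAccount(
  authHeader: string | null,
  rawBody: string,
  deps: Deps,
): Result {
  const fail = (status: number, error: string): Result => ({ status, body: { error } });
  try {
    if (!authHeader) return fail(401, "Missing authorization header");

    const token = authHeader.replace(/^Bearer\s+/i, "");
    const user = deps.getUser(token);
    if (!user) return fail(401, "Invalid session");

    // Absent, non-string, or mismatched confirmEmail all map to the same 400.
    // Malformed JSON falls through to the catch-all (an assumption of this sketch).
    const parsed: unknown = JSON.parse(rawBody || "{}");
    const confirm = (parsed as { confirmEmail?: unknown } | null)?.confirmEmail;
    if (typeof confirm !== "string" || confirm.toLowerCase() !== user.email.toLowerCase()) {
      return fail(400, "Confirmation email does not match");
    }

    // The id to delete comes from the verified session, never from the body.
    if (!deps.deleteUser(user.id)) return fail(500, "Failed to delete account");
    return { status: 200, body: { success: true } };
  } catch {
    return fail(500, "Internal server error");
  }
}
```

Because the target id is taken from the session, an extra field such as a user id in the request body has no effect on which account is removed.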

Example

curl -X POST https://<project>.supabase.co/functions/v1/delete-account \
  -H "Authorization: Bearer <access_token>" \
  -H "apikey: <anon_key>" \
  -H "Content-Type: application/json" \
  -d '{
    "confirmEmail": "user@example.com"
  }'
Users can trigger account deletion from the profile settings page in the app. The UI presents a confirmation dialog that requires the user to type their email address before the button becomes active, mirroring the server-side confirmEmail check.