To trigger a map refresh via Supabase webhooks, configure a database webhook to POST to a secure HTTP endpoint whenever your geospatial table receives an INSERT, UPDATE, or DELETE event. The endpoint validates the HMAC signature, extracts the modified record IDs, and pushes a lightweight update signal to connected frontend clients via WebSocket or Server-Sent Events. The frontend listener fetches only the affected GeoJSON features and patches the active map layer using incremental updates, avoiding full dataset reloads and preserving rendering performance.
This architecture decouples spatial data ingestion from client rendering, enabling Webhook-Triggered Updates without polling overhead or Realtime channel subscription limits.
Architecture & Payload Flow
Supabase webhooks operate outside the Realtime engine, making them ideal for event-driven spatial updates that don’t require row-level subscription overhead. When a GIS analyst edits a feature in your dashboard or an ETL pipeline appends new coordinates, Supabase serializes the change into a JSON payload and delivers it to your configured endpoint. Your backend bridges this HTTP event to a persistent client connection, enabling near-instantaneous synchronization.
The payload follows Supabase’s standard webhook schema:
{
"type": "UPDATE",
"table": "geo_features",
"record": { "id": "f8a2c1", "geom": "...", "properties": { "status": "active" } },
"old_record": { "id": "f8a2c1", "geom": "...", "properties": { "status": "pending" } }
}Why webhooks over Realtime for maps?
- Realtime channels broadcast every row change to all subscribers, which quickly saturates bandwidth when rendering thousands of vector tiles or GeoJSON features.
- Webhooks deliver a single HTTP request per transaction, allowing your backend to debounce, batch, or filter events before broadcasting lightweight signals.
- You retain full control over payload transformation, stripping heavy geometry payloads before they reach the client.
Secure Payload Validation
Always validate the x-webhook-signature header before processing. Supabase uses HMAC-SHA256 with your webhook secret to sign the raw request body. Skipping validation exposes your endpoint to replay attacks and spoofed payloads that could corrupt map state.
Supabase’s official documentation details the exact signing algorithm and header expectations. For cryptographic verification in Node.js, refer to the Node.js crypto.createHmac() API.
Critical implementation note: Express’s express.json() middleware parses the request stream into an object, destroying the exact byte sequence required for HMAC verification. You must capture the raw string before parsing, or use express.raw() and parse manually.
Backend Handler Implementation
The following production-ready Node.js/Express example demonstrates signature verification, table filtering, and WebSocket broadcasting. It strips geometry and transmits only record IDs and timestamps to minimize latency.
// server.js
import express from 'express';
import { createServer } from 'http';
import { WebSocketServer } from 'ws';
import crypto from 'crypto';
const app = express();
const SUPABASE_WEBHOOK_SECRET = process.env.SUPABASE_WEBHOOK_SECRET;
// Use raw middleware to preserve exact payload bytes for HMAC verification
app.use(express.raw({ type: 'application/json', limit: '1mb' }));
function verifySignature(rawBody, signature) {
const expected = crypto
.createHmac('sha256', SUPABASE_WEBHOOK_SECRET)
.update(rawBody)
.digest('hex');
return `sha256=${expected}` === signature;
}
const server = createServer(app);
const wss = new WebSocketServer({ server });
app.post('/webhooks/map-sync', (req, res) => {
const signature = req.headers['x-webhook-signature'];
if (!signature || !verifySignature(req.body, signature)) {
return res.status(401).json({ error: 'Invalid webhook signature' });
}
let payload;
try {
payload = JSON.parse(req.body);
} catch {
return res.status(400).json({ error: 'Malformed JSON' });
}
const { type, table, record } = payload;
if (table !== 'geo_features') return res.status(200).send('Ignored');
const updateSignal = {
event: type,
id: record.id,
updated_at: record.updated_at || Date.now()
};
// Broadcast to all connected frontend clients
const message = JSON.stringify(updateSignal);
wss.clients.forEach(client => {
if (client.readyState === 1) { // WebSocket.OPEN
client.send(message);
}
});
res.status(200).json({ received: true, id: record.id });
});
server.listen(3000, () => console.log('Map sync server running on :3000'));Frontend Listener & Incremental Map Patching
On the client, establish a persistent WebSocket connection and listen for the lightweight update signals. When an event arrives, fetch only the modified GeoJSON features from your API and apply incremental patches to the active map layer. This approach is foundational to scalable Data Refresh & Automation Pipelines for spatial dashboards.
// map-client.js
const ws = new WebSocket('wss://your-domain.com');
const map = initializeMap(); // Leaflet, MapLibre, or Mapbox GL instance
ws.onmessage = async (event) => {
const { event: type, id, updated_at } = JSON.parse(event.data);
// Fetch only the affected feature(s)
const response = await fetch(`/api/geo-features/${id}?updated_at=${updated_at}`);
const feature = await response.json();
if (type === 'DELETE') {
map.removeLayer(feature.id);
} else if (type === 'INSERT' || type === 'UPDATE') {
// Incremental patch: replace existing feature or add new
if (map.getLayer(feature.id)) {
map.removeLayer(feature.id);
}
map.addGeoJSONFeature(feature);
}
};Why incremental patching matters: Full GeoJSON reloads block the main thread, cause visual flickering, and waste bandwidth. By fetching only changed records and using layer-specific add/remove methods, you maintain 60fps rendering even during high-frequency spatial edits.
Performance & Scaling Best Practices
| Optimization | Implementation |
|---|---|
| Debouncing | Queue incoming webhook signals and flush every 200–500ms to batch rapid edits from ETL jobs. |
| Connection Limits | Use a Redis-backed pub/sub adapter instead of in-memory wss.clients when scaling across multiple backend instances. |
| Geometry Compression | Store coordinates in PostGIS geometry format, but serve clients as TopoJSON or quantized GeoJSON to reduce payload size by 40–60%. |
| Error Recovery | Implement exponential backoff on the frontend WebSocket reconnect. Cache last-known updated_at timestamps to request missed features on reconnect. |
Webhook delivery is asynchronous and best-effort. Always design your frontend to tolerate missed signals by periodically reconciling state with a lightweight GET /api/geo-features/sync-check endpoint. For high-throughput spatial applications, consider pairing webhooks with a message queue (e.g., RabbitMQ or AWS SQS) to guarantee at-least-once delivery and enable horizontal scaling.
By routing geospatial mutations through validated webhooks, broadcasting minimal update signals, and patching map layers incrementally, you achieve real-time spatial visualization without the overhead of continuous polling or heavy payload transfers.