docs: add SUPABASE_SERVICE_KEY to API deployment instructions

Author: eldinmiller

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to BluePLM will be documented in this file.
 
+## [2.16.1] - 2025-12-30
+
+### Fixed
+- **User invite**: Added REST API deployment step to main README and API docs (SUPABASE_SERVICE_KEY required for invite emails)
+
+---
+
 ## [2.16.0] - 2025-12-29
 
 ### Added

README.md

@@ -327,7 +327,35 @@ This creates the standard release workflow: **WIP → In Review → Released →
 </details>
 
 <details>
-<summary><strong>9. Customize Email Templates (Optional)</strong></summary>
+<summary><strong>9. Deploy REST API (Required for User Invites)</strong></summary>
+
+The REST API is needed for sending invite emails and ERP integrations.
+
+**One-Click Deploy to Railway:**
+1. Go to [railway.app/new](https://railway.app/new)
+2. Select **"Deploy from Docker Image"**
+3. Enter: `ghcr.io/bluerobotics/blueplm-api:latest`
+4. Add these environment variables (from Supabase Dashboard → Settings → API):
+   | Variable | Value |
+   |----------|-------|
+   | `SUPABASE_URL` | Your Project URL |
+   | `SUPABASE_KEY` | anon/public key |
+   | `SUPABASE_SERVICE_KEY` | service_role key ⚠️ |
+5. Deploy and copy your API URL (e.g., `https://your-app.railway.app`)
+
+**Configure in BluePLM:**
+1. Go to **Settings → Organization → REST API**
+2. Enable **"Use External API"**
+3. Enter your Railway API URL
+4. Click **Test Connection** to verify
+
+> ⚠️ **Keep `SUPABASE_SERVICE_KEY` secret!** It bypasses Row Level Security. Only use in server-side code.
+
+See [API README](api/README.md) for alternative deployment options (Render, Fly.io, Docker).
+</details>
+
+<details>
+<summary><strong>10. Customize Email Templates (Optional)</strong></summary>
 
 BluePLM includes branded email templates in [`supabase/email-templates/`](supabase/email-templates/).
 

api/README.md

@@ -16,7 +16,7 @@ Integration API for external systems (ERP, CI/CD, automation) built with [Fastif
 ┌─────────────────────────────────────────────────────────────┐
 │  Step 1: Deploy API (5 min)                                 │
 │  Click "Deploy to Railway" button below                     │
-│  Set your Supabase URL and Key                              │
+│  Set: SUPABASE_URL, SUPABASE_KEY, SUPABASE_SERVICE_KEY      │
 ├─────────────────────────────────────────────────────────────┤
 │  Step 2: Get API URL                                        │
 │  Railway gives you: https://your-app.railway.app            │
@@ -94,6 +94,7 @@ The server will start on `http://127.0.0.1:3001` by default.
 |----------|---------|-------------|
 | `SUPABASE_URL` | - | Supabase project URL (required) |
 | `SUPABASE_KEY` | - | Supabase anon key (required) |
+| `SUPABASE_SERVICE_KEY` | - | Service role key (required for user invites) |
 | `API_PORT` | `3001` | Port to listen on |
 | `API_HOST` | `0.0.0.0` | Host to bind to |
 | `RATE_LIMIT_MAX` | `100` | Max requests per window |
@@ -114,20 +115,20 @@ The easiest way - no repo access needed:
 1. Go to [railway.app/new](https://railway.app/new)
 2. Select **"Deploy from Docker Image"**
 3. Enter: `ghcr.io/bluerobotics/blueplm-api:latest`
-4. Add variables: `SUPABASE_URL`, `SUPABASE_KEY`
+4. Add variables: `SUPABASE_URL`, `SUPABASE_KEY`, `SUPABASE_SERVICE_KEY`
 5. Deploy!
 
 **Render:**
 1. Go to [render.com](https://render.com) → New → Web Service
 2. Select **"Deploy an existing image from a registry"**
 3. Enter: `ghcr.io/bluerobotics/blueplm-api:latest`
-4. Add environment variables
+4. Add environment variables: `SUPABASE_URL`, `SUPABASE_KEY`, `SUPABASE_SERVICE_KEY`
 5. Deploy!
 
 **Fly.io:**
 ```bash
 fly launch --image ghcr.io/bluerobotics/blueplm-api:latest
-fly secrets set SUPABASE_URL=https://xxx.supabase.co SUPABASE_KEY=your-key
+fly secrets set SUPABASE_URL=https://xxx.supabase.co SUPABASE_KEY=your-anon-key SUPABASE_SERVICE_KEY=your-service-key
 fly deploy
 ```
 
@@ -136,6 +137,7 @@ fly deploy
 docker run -d -p 3001:3001 \
   -e SUPABASE_URL=https://xxx.supabase.co \
   -e SUPABASE_KEY=your-anon-key \
+  -e SUPABASE_SERVICE_KEY=your-service-key \
   ghcr.io/bluerobotics/blueplm-api:latest
 ```
 
@@ -152,6 +154,7 @@ railway init
 # Set environment variables (get these from your Supabase project settings)
 railway variables set SUPABASE_URL=https://xxx.supabase.co
 railway variables set SUPABASE_KEY=your-anon-key
+railway variables set SUPABASE_SERVICE_KEY=your-service-key
 railway variables set CORS_ORIGINS=https://your-erp.com,https://odoo.yourcompany.com
 
 # Deploy
@@ -168,6 +171,9 @@ Your API will be live at `https://your-app.railway.app`
 4. Copy:
    - **Project URL** → `SUPABASE_URL`
    - **anon public** key → `SUPABASE_KEY`
+   - **service_role** key → `SUPABASE_SERVICE_KEY` (required for user invites)
+
+> ⚠️ **Keep your service_role key secret!** It bypasses Row Level Security. Never expose it in client-side code.
 
 ### Render
 
@@ -188,6 +194,7 @@ docker build -f api/Dockerfile -t blueplm-api .
 docker run -p 3001:3001 \
   -e SUPABASE_URL=https://xxx.supabase.co \
   -e SUPABASE_KEY=your-anon-key \
+  -e SUPABASE_SERVICE_KEY=your-service-key \
   blueplm-api
 ```
 
@@ -203,6 +210,7 @@ fly launch
 # Set secrets
 fly secrets set SUPABASE_URL=https://xxx.supabase.co
 fly secrets set SUPABASE_KEY=your-anon-key
+fly secrets set SUPABASE_SERVICE_KEY=your-service-key
 
 # Deploy
 fly deploy
@@ -1251,6 +1259,10 @@ For JSON output (production), remove the `pino-pretty` transport in `server.js`.
 **"Supabase not configured" error**
 - Set the `SUPABASE_URL` and `SUPABASE_KEY` environment variables
 
+**"Service key not configured" error**
+- Set the `SUPABASE_SERVICE_KEY` environment variable (required for `/auth/invite` endpoint)
+- Get the service_role key from Supabase Dashboard → Settings → API
+
 **"Invalid token" error**
 - Token may have expired - use `/auth/refresh` to get a new one
 - Ensure you're using the full token (access tokens are long JWT strings)

api/server.ts

@@ -1,7 +1,7 @@
 #!/usr/bin/env npx ts-node
 /**
  * BluePLM REST API Server (Fastify + TypeScript)
- * Build: 2025-12-14T06:26-v2.1.3-pino
+ * Build: 2025-12-30T00:00-v2.1.4
  * 
  * Integration API for external systems (ERP, CI/CD, Slack, etc.)
  * 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "blue-plm",
-  "version": "2.16.0",
+  "version": "2.16.1",
   "description": "Product Lifecycle Management for everyone who builds",
   "main": "dist-electron/main.js",
   "scripts": {

render.yaml

@@ -12,7 +12,9 @@ services:
       - key: SUPABASE_URL
         sync: false # User must set this
       - key: SUPABASE_KEY
-        sync: false # User must set this
+        sync: false # User must set this (anon key)
+      - key: SUPABASE_SERVICE_KEY
+        sync: false # User must set this (service role key - required for invites)
       - key: CORS_ORIGINS
         value: "*"
       - key: RATE_LIMIT_MAX