From 6376d5cc7edff71617735c2112bd2c9e84641a04 Mon Sep 17 00:00:00 2001
From: renee-png <renee@avriacam.com>
Date: Thu, 4 Jun 2026 17:37:11 -0400
Subject: [PATCH] send-bill-approval-invites: forward Authorization on inner
 invoke
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The supabase-js .functions.invoke() call from one edge function to
another doesn't reliably attach the apikey as Authorization, so the
inner send-transactional-email call was failing verify_jwt and
returning 401. Pass the service-role bearer header explicitly.

This is what was actually preventing bill-approval-vote-invite emails
from going out — every Notify Board flow logged 401s on the per-bill
sends, with zero rows ever landing in email_send_log for that template.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 supabase/functions/send-bill-approval-invites/index.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/supabase/functions/send-bill-approval-invites/index.ts b/supabase/functions/send-bill-approval-invites/index.ts
index 1d8eab6..788bcff 100644
--- a/supabase/functions/send-bill-approval-invites/index.ts
+++ b/supabase/functions/send-bill-approval-invites/index.ts
@@ -118,6 +118,10 @@ serve(async (req) => {
         const denyLink = `${reviewLink}&action=deny`;
 
         const { error: sendErr } = await admin.functions.invoke("send-transactional-email", {
+          // Explicit Authorization header — supabase-js doesn't reliably
+          // forward the service-role apikey when one edge function invokes
+          // another, so verify_jwt on the inner function returns 401.
+          headers: { Authorization: `Bearer ${serviceKey}` },
           body: {
             templateName: "bill-approval-vote-invite",
             recipientEmail: m.member_email,