Complete Supabase integration skill pack with 30 skills covering authentication, database, storage, realtime, edge functions, and production operations. Flagship+ tier vendor pack.

30 Skills

MIT License

Free Pricing

Installation

Open Claude Code and run this command:

/plugin install supabase-pack@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

Skills (30)

supabase-advanced-troubleshooting SKILL.md View full skill →

Deep Supabase diagnostics: pg_stat_statements for slow queries, lock debugging with pg_locks, connection leak detection, RLS policy conflicts, Edge Function cold starts, and Realtime connection drop analysis.

ReadGrepBash(npx supabase:*)Bash(supabase:*)Bash(curl:*)Bash(psql:*)

Supabase Advanced Troubleshooting

Overview

When basic debugging does not reveal the root cause, you need deep PostgreSQL diagnostics: pgstatstatements to find the slowest queries by cumulative execution time, pglocks to detect lock contention and deadlocks, pgstat_activity to find connection leaks, RLS policy conflict analysis to diagnose silent data filtering, Edge Function cold start profiling, and Realtime channel drop investigation. This skill covers every advanced diagnostic technique with real SQL queries and createClient from @supabase/supabase-js.

When to use: Slow query investigation, lock contention causing timeouts, connection pool exhaustion from leaks, RLS policies that silently filter or conflict, Edge Functions with unpredictable latency, or Realtime subscriptions that disconnect intermittently.

Prerequisites

Supabase project with pgstatstatements extension enabled
Direct database access via SQL Editor or psql
@supabase/supabase-js v2+ installed in your project
Supabase CLI for Edge Function logs
Familiarity with PostgreSQL system catalogs

Instructions

Step 1: pgstatstatements and Slow Query Analysis

Enable and query pgstatstatements to find the most expensive queries by total execution time, calls, and rows processed.

Enable the extension and query slow queries:


-- Enable pg_stat_statements (run once)
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;

-- Top 10 slowest queries by total execution time
SELECT
  queryid,
  calls,
  round(total_exec_time::numeric, 2) AS total_ms,
  round(mean_exec_time::numeric, 2) AS avg_ms,
  round(max_exec_time::numeric, 2) AS max_ms,
  rows AS total_rows,
  round(100.0 * shared_blks_hit / nullif(shared_blks_hit + shared_blks_read, 0), 2) AS cache_hit_pct,
  left(query, 150) AS query_preview
FROM pg_stat_statements
WHERE userid = (SELECT usesysid FROM pg_user WHERE usename = current_user)
ORDER BY total_exec_time DESC
LIMIT 10;

-- Top queries by frequency (most called)
SELECT
  queryid,
  calls,
  round(mean_exec_time::numeric, 2) AS avg_ms,
  rows / nullif(calls, 0) AS rows_per_call,
  left(query, 150) AS query_preview
FROM pg_stat_statements
WHERE calls > 100
ORDER BY calls DESC
LIMIT 10;

-- Queries with poor cache hit ratio (reading from disk)
SELECT
  queryid,
  calls,
  shared_blks_hit,
  shared_blks_read,
  round(100.0 * shared_blks_hit / nullif(shared_blks_hit + shared_blks_read, 0), 2) AS cache_hit_pct,
  left(query, 150) AS query_preview
FROM pg_stat_statements
WHERE shared_blks_read > 100
ORDER BY shared_blks_read DESC
LIMIT 10;

-- Reset statistics after optimization (to measure improvement)
-- SELECT pg_stat_statements_reset();


                
                  
                  
                  supabase-architecture-variants
                  SKILL.md
                  View full skill →
                
                
                  Implement Supabase across different app architectures: Next.
                  
                      ReadWriteEditBash(supabase:*)Bash(npx:*)Grep
                    
                
                
                  Supabase Architecture Variants
Overview
Different application architectures require fundamentally different Supabase createClient configurations. The critical distinction is where the client runs (browser vs server) and which key it uses (anon key respects RLS; servicerole bypasses it). This skill provides production-ready patterns for five architectures: Next.js SSR (server components with servicerole, client components with anon), SPA (React/Vue with browser-only client), Mobile (React Native with deep link auth), Serverless (Edge Functions with per-request clients), and Multi-tenant (RLS-based or schema-per-tenant isolation).
Prerequisites

@supabase/supabase-js v2+ installed
@supabase/ssr package for Next.js SSR (v0.5+)
Supabase project with URL, anon key, and service role key
TypeScript project with generated database types (supabase gen types typescript)
For mobile: React Native with Expo or bare workflow

Step 1 — Next.js SSR (App Router with Server and Client Components)
Next.js App Router requires two separate clients: a server-side client using cookies for auth (with @supabase/ssr) and a browser client for client components. Never expose service_role to the client.
Server-Side Client (for Server Components, Route Handlers, Server Actions)

// lib/supabase/server.ts
import { createServerClient } from '@supabase/ssr'
import { cookies } from 'next/headers'
import type { Database } from '../database.types'

export async function createSupabaseServer() {
  const cookieStore = await cookies()

  return createServerClient<Database>(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll() {
          return cookieStore.getAll()
        },
        setAll(cookiesToSet) {
          try {
            cookiesToSet.forEach(({ name, value, options }) =>
              cookieStore.set(name, value, options)
            )
          } catch {
            // Called from Server Component — cookies are read-only
          }
        },
      },
    }
  )
}

// Admin client for server-only operations (bypasses RLS)
// NEVER import this in client components or expose to the browser
import { createClient } from '@supabase/supabase-js'

export function createSupabaseAdmin() {
  return createClient<Database>(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.SUPABASE_SERVICE_ROLE_KEY!,  // NOT NEXT_PUBLIC_ — server only
    {
      auth: { autoRefreshToken: false, persistSession: false },
    }
  )
}

Client-Side Client (for Client Components)
                
              

                
                  
                  
                  supabase-auth-storage-realtime-core
                  SKILL.md
                  View full skill →
                
                
                  Implement Supabase Auth (signUp, signIn, OAuth, session management), Storage (upload, download, signed URLs, bucket policies), and Realtime (Postgres changes, broadcast, presence).
                  
                      ReadWriteEditBash(npm:*)Bash(supabase:*)Grep
                    
                
                
                  Supabase Auth + Storage + Realtime Core
Overview
Implement the three pillars that turn a Supabase database into a full application backend: user authentication (email/password, OAuth, magic links, session lifecycle), file storage (uploads, downloads, signed URLs, bucket-level RLS policies), and real-time subscriptions (Postgres change events, client-to-client broadcast, presence tracking). Every operation integrates with Row-Level Security through auth.uid().
Prerequisites

Supabase project created at supabase.com/dashboard
@supabase/supabase-js v2 installed (npm install @supabase/supabase-js)
SUPABASEURL and SUPABASEANON_KEY available from project Settings > API
For Python: pip install supabase (wraps postgrest-py, gotrue-py, storage3, realtime-py)

Instructions
Step 1: Auth — User Registration, Login, and OAuth
Initialize the client and implement the three primary auth flows: email/password, OAuth provider, and passwordless magic link.
TypeScript

import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_ANON_KEY!
)

// ── Sign up a new user ──
const { data: signUpData, error: signUpError } = await supabase.auth.signUp({
  email: 'user@example.com',
  password: 'secure-password-123',
  options: {
    data: { username: 'newuser', full_name: 'New User' },  // → raw_user_meta_data
  },
})
// If email confirmation enabled: data.user exists but data.session is null
// If email confirmation disabled: both data.user and data.session are present

// ── Sign in with password ──
const { data: signInData, error: signInError } = await supabase.auth.signInWithPassword({
  email: 'user@example.com',
  password: 'secure-password-123',
})
const { user, session } = signInData
// session.access_token → JWT for authenticated API calls

// ── Sign in with OAuth (Google) ──
const { data: oauthData, error: oauthError } = await supabase.auth.signInWithOAuth({
  provider: 'google',
  options: {
    redirectTo: 'https://myapp.com/auth/callback',
    queryParams: { access_type: 'offline', prompt: 'consent' },
  },
})
// Redirect user to oauthData.url in the browser

// ── Sign in with GitHub ──
const { data, error } = await supabase.auth.signInWithOAuth({
  provider: 'github',
  options: { redirectTo: 'https://myapp.com/auth/callback' },
})

// ── Passwordless magic link ──
const { error: otpError } = await supabase.auth.signInWithOtp({
  email: 'user@example.com',
  options: { emailRedirectTo: 'https://myapp.com/auth/callback' },
})


                

              

                
                  
                  
                  supabase-ci-integration
                  SKILL.md
                  View full skill →
                
                
                  Configure Supabase CI/CD pipelines with GitHub Actions: link projects, push migrations, deploy Edge Functions, generate types, and run tests against local Supabase instances.
                  
                      ReadWriteEditBash(npx:*)Bash(gh:*)Grep
                    
                
                
                  Supabase CI Integration
Overview
Build GitHub Actions workflows that automate the full Supabase lifecycle: link projects in CI, push migrations on merge, deploy Edge Functions, generate TypeScript types, run tests against a local Supabase instance, and create preview branches for pull requests. Every database change gets validated before it reaches production.
Prerequisites

GitHub repository with Actions enabled
Supabase project created at supabase.com/dashboard
Supabase CLI initialized locally (npx supabase init)
Node.js 18+ in your project
@supabase/supabase-js installed:


npm install @supabase/supabase-js

Instructions
Step 1: Configure GitHub Secrets and Link in CI
Store credentials as GitHub repository secrets. The CI pipeline uses these to authenticate with your Supabase project without exposing tokens in code.

# Set secrets via GitHub CLI
gh secret set SUPABASE_ACCESS_TOKEN --body "<your-access-token>"
gh secret set SUPABASE_DB_PASSWORD --body "<your-database-password>"
gh secret set SUPABASE_PROJECT_REF --body "<your-project-ref>"

Generate your access token at supabase.com/dashboard/account/tokens. Find your project ref in Project Settings > General.
Link the project in any CI job that needs remote access:

- name: Install Supabase CLI
  uses: supabase/setup-cli@v1
  with:
    version: latest

- name: Link Supabase project
  run: npx supabase link --project-ref ${{ secrets.SUPABASE_PROJECT_REF }}
  env:
    SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}

Step 2: CI Workflow — Test, Validate Migrations, and Generate Types
This workflow starts a local Supabase instance, applies migrations, generates types, and runs your test suite on every pull request. It catches schema drift, broken migrations, and test failures before merge.

# .github/workflows/supabase-ci.yml
name: Supabase CI

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install dependencies
        run: npm ci

      - name: Install Supabase CLI
        uses: supabase/setup-cli@v1
        with:
          version: latest

      # Start local Supabase (disable unused services for speed)
      - name: Start local Supabase
        run: npx supabase start -x realtime,storage-api,imgproxy,inbucket

      # Apply all migrations and seed data from scratch
      - name: Validate migrations
        run: npx supa

                

              

                
                  
                  
                  supabase-common-errors
                  SKILL.md
                  View full skill →
                
                
                  Diagnose and fix Supabase errors across PostgREST, PostgreSQL, Auth, Storage, and Realtime.
                  
                      ReadGrepBash(curl:*)Bash(supabase:*)Bash(npx:*)
                    
                
                
                  Supabase Common Errors
Overview
Diagnostic guide for Supabase errors across PostgREST (PGRST*), PostgreSQL (numeric codes), Auth, Storage, and Realtime. Identify the error layer, trace the root cause, and apply the correct fix — every SDK call returns { data, error } where data is null when error exists.
Prerequisites

@supabase/supabase-js installed (npm install @supabase/supabase-js)
SUPABASEURL and SUPABASEANONKEY (or SUPABASESERVICEROLEKEY) configured
Access to Supabase Dashboard (for log inspection and SQL Editor)
Supabase CLI installed for local development (npx supabase --version)

Instructions
Step 1 — Capture the Error Object
Every Supabase SDK call returns a { data, error } tuple. Never assume data exists — always check error first.

import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_ANON_KEY!
)

// WRONG — data is null when error exists
const { data } = await supabase.from('todos').select('*')
console.log(data.length) // TypeError: Cannot read property 'length' of null

// CORRECT — always check error first
const { data, error } = await supabase.from('todos').select('*')
if (error) {
  console.error(`[${error.code}] ${error.message}`)
  console.error('Details:', error.details)
  console.error('Hint:', error.hint)
  // error.code tells you the layer:
  //   PGRST* = PostgREST (API gateway)
  //   5-digit numeric = PostgreSQL (database)
  //   AuthApiError = Auth service
  //   StorageApiError = Storage service
  return
}
// Safe to use data here
console.log(`Found ${data.length} rows`)

Troubleshooting: If error is undefined (not null), you may be using an older SDK version. Upgrade to @supabase/supabase-js@2.x or later.
Step 2 — Identify the Error Layer and Code
Match the error code prefix to the correct subsystem, then look up the specific code in the tables below.
PostgREST errors start with PGRST and correspond to API-layer issues (JWT, query parsing, schema).
PostgreSQL errors are 5-character codes (e.g., 42501, 23505) from the database engine.
Auth errors come as AuthApiError with a human-readable message.
Storage errors come as StorageApiError with an HTTP status.

// Diagnostic helper — paste into your codebase to classify errors automatically
function diagnoseSupabaseError(error: { co

                

              

                
                  
                  
                  supabase-cost-tuning
                  SKILL.md
                  View full skill →
                
                
                  Optimize Supabase costs through plan selection, database tuning, storage cleanup, connection pooling, and Edge Function optimization.
                  
                      ReadWriteEditGrepBash(supabase:*)
                    
                
                
                  Supabase Cost Tuning
Overview
Reduce Supabase spend by auditing usage against plan limits, eliminating database and storage waste, and right-sizing compute resources. The three biggest levers: database optimization (vacuum, index cleanup, archival), storage lifecycle management (compress before upload, orphan cleanup), and connection pooling to reduce compute add-on requirements.
Prerequisites

Supabase project with Dashboard access (Settings > Billing)
@supabase/supabase-js installed: npm install @supabase/supabase-js
Service role key for admin operations (storage audit, cleanup scripts)
SQL editor access (Dashboard > SQL Editor or psql connection)

Pricing Reference

Resource
Free Tier
Pro ($25/mo)
Team ($599/mo)


Database
500 MB
8 GB included, $0.125/GB extra
8 GB included


Storage
1 GB
100 GB included, $0.021/GB extra
100 GB included


Bandwidth
5 GB
250 GB included, $0.09/GB extra
250 GB included


Edge Functions
500K invocations
2M invocations, $2/million extra
2M invocations


Realtime
200 concurrent
500 concurrent
500 concurrent


Auth MAU
50,000
100,000
100,000


Compute add-ons (Pro and above):

Instance
vCPUs
RAM
Price


Micro
2
1 GB
Included with Pro


Small
2
2 GB
$25/mo


Medium
2
4 GB
$50/mo


Large
4
8 GB
$100/mo


XL
8
16 GB
$200/mo


2XL
16
32 GB
$400/mo


Decision framework: Read replicas ($25/mo each) beat scaling up when reads dominate and you need geographic distribution. Connection pooling (Supavisor, free) reduces compute pressure from idle connections.
Instructions
Step 1: Audit Current Usage and Identify Cost Drivers
Run these queries in the SQL Editor to understand where your database budget is going:

-- Total database size
select pg_size_pretty(pg_database_size(current_database())) as total_db_size;

-- Database size by table (find the biggest offenders)
select
  relname as table_name,
  pg_size_pretty(pg_total_relation_size(relid)) as total_size,
  pg_size_pretty(pg_relation_size(relid)) as table_size,
  pg_size_pretty(pg_total_relation_size(relid) - pg_relation_size(relid)) as index_si

                

              

                
                  
                  
                  supabase-data-handling
                  SKILL.md
                  View full skill →
                
                
                  Implement GDPR/CCPA compliance with Supabase: RLS for data isolation, user deletion via auth.
                  
                      ReadWriteEditBash(npx supabase:*)Bash(supabase:*)Bash(psql:*)GrepGlob
                    
                
                
                  Supabase Data Handling
Overview
GDPR and CCPA compliance with Supabase requires a layered approach: Row Level Security (RLS) for tenant data isolation, supabase.auth.admin.deleteUser() for right-to-deletion requests, SQL-based data exports for subject access requests, PII detection across database columns, automated retention policies using pg_cron, and point-in-time recovery for backup/restore. This skill implements every compliance requirement using real Supabase SDK methods and PostgreSQL features.
When to use: Implementing GDPR right-to-deletion, responding to data subject access requests (DSARs), auditing PII in your database, configuring automated data retention, setting up tenant isolation with RLS, or planning backup/restore procedures.
Prerequisites

@supabase/supabase-js v2+ with service role key for admin operations
Supabase project on Pro plan (for pg_cron and point-in-time recovery)
Understanding of GDPR Articles 15-17 (access, rectification, erasure)
Database access via SQL Editor or psql for schema changes

Instructions
Step 1: RLS for Data Isolation and PII Column Management
Configure Row Level Security to ensure users can only access their own data, and identify which columns contain PII.
Tenant isolation with RLS:

-- Enable RLS on all tables containing user data
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;

-- Users can only read their own profile
CREATE POLICY "users_read_own_profile" ON public.profiles
  FOR SELECT USING (auth.uid() = id);

-- Users can update their own profile
CREATE POLICY "users_update_own_profile" ON public.profiles
  FOR UPDATE USING (auth.uid() = id)
  WITH CHECK (auth.uid() = id);

-- Users can only see their own orders
CREATE POLICY "users_read_own_orders" ON public.orders
  FOR SELECT USING (auth.uid() = user_id);

-- Organization-scoped isolation (multi-tenant)
CREATE POLICY "org_members_read_documents" ON public.documents
  FOR SELECT USING (
    org_id IN (
      SELECT org_id FROM public.org_members
      WHERE user_id = auth.uid()
    )
  );

PII column audit — identify sensitive data across your schema:

-- Find columns likely containing PII based on naming patterns
SELECT table_schema, table_name, column_name, data_type
FROM information_schema.columns
WHERE table_schema = 'public'
  AND (
    column_name ILIKE '%email%'
    OR column_name ILIKE '%phone%'
    OR column_name ILIKE '%name%'
    OR column_name ILIKE '%address%'
    OR column_name ILIKE '%ssn%'
    OR column_name ILIKE '%b

                

              

                
                  
                  
                  supabase-debug-bundle
                  SKILL.md
                  View full skill →
                
                
                  Collect Supabase diagnostic info for troubleshooting and support tickets.
                  
                      ReadBash(npx:*)Bash(node:*)Bash(curl:*)Bash(supabase:*)Bash(tar:*)GrepGlob
                    
                
                
                  Supabase Debug Bundle
Collect a comprehensive, redacted diagnostic bundle from a Supabase project. Tests connectivity, auth, Realtime, Storage, RLS policy behavior, and database health — then packages everything into a single archive safe for sharing with Supabase support.
Current State
!node --version 2>/dev/null || echo 'Node.js not found'
!npx supabase --version 2>/dev/null || echo 'Supabase CLI not found'
!npm list @supabase/supabase-js 2>/dev/null | grep supabase || echo '@supabase/supabase-js not installed'
Prerequisites

Node.js 18+ with @supabase/supabase-js v2 installed in the project
Supabase CLI installed (npm i -g supabase or npx supabase)
Environment variables set: SUPABASEURL and SUPABASEANONKEY (minimum); SUPABASESERVICEROLEKEY for full diagnostics
Project linked via supabase link --project-ref  (for CLI commands)

Instructions
Step 1: Gather Environment and Connectivity
Collect SDK version, project URL, key type, and test basic connectivity against the REST and Auth endpoints.

import { createClient } from '@supabase/supabase-js'

const url = process.env.SUPABASE_URL!
const anonKey = process.env.SUPABASE_ANON_KEY!
const serviceKey = process.env.SUPABASE_SERVICE_ROLE_KEY

// Identify which key is in use
const keyType = serviceKey ? 'service_role' : 'anon'
const supabase = createClient(url, serviceKey ?? anonKey, {
  auth: { autoRefreshToken: false, persistSession: false }
})

const diagnostics: Record<string, unknown> = {}

// 1a — SDK + environment
diagnostics.environment = {
  supabase_js_version: require('@supabase/supabase-js/package.json').version,
  node_version: process.version,
  project_url: url.replace(/https:\/\/([^.]+)\..*/, 'https://$1.***'),
  key_type: keyType,
  timestamp: new Date().toISOString(),
}

// 1b — REST API connectivity
const restStart = Date.now()
const restRes = await fetch(`${url}/rest/v1/`, {
  headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
})
diagnostics.rest_api = {
  status: restRes.status,
  latency_ms: Date.now() - restStart,
  ok: restRes.ok,
}

// 1c — Auth health
const authStart = Date.now()
const { data: sessionData, error: sessionErr } = await supabase.auth.getSession()
diagnostics.auth = {
  status: sessionErr ? `error: ${sessionErr.message}` : 'ok',
  has_session: !!sessionData?.session,
  latency_ms: Date.now() - authStart,
}

// 1d — Database connectivity probe
const dbStart = Date.now()
const { error: dbErr } = await supabase.from('_test_ping').select('*').limit(1)
diagnostics.database = {
  // 42P01 = table doesn't exist, which p

                

              

                
                  
                  
                  supabase-deploy-integration
                  SKILL.md
                  View full skill →
                
                
                  Deploy and manage Supabase projects in production.
                  
                      ReadWriteEditBash(npx:supabase)Bash(supabase:*)Bash(curl:*)
                    
                
                
                  Supabase Deploy Integration
Overview
Deploy and manage Supabase projects in production with confidence. This skill covers the full deployment lifecycle: pushing database migrations, deploying Edge Functions, managing secrets, executing zero-downtime rollouts with blue/green database branching, rolling back failed migrations, and verifying deployment health. All commands use the Supabase CLI with --project-ref for explicit project targeting.
SDK: @supabase/supabase-js — supabase.com/docs
Prerequisites

Supabase CLI installed (npm install -g supabase or npx supabase)
Supabase project linked (npx supabase link --project-ref )
Database migrations in supabase/migrations/ directory
Edge Functions in supabase/functions/ directory (if deploying functions)
SUPABASEACCESSTOKEN set for CI/non-interactive environments

Instructions
Step 1 — Push Database Migrations and Deploy Edge Functions
Apply pending database migrations to your production project, then deploy Edge Functions with their required secrets.
Database migrations:

# Apply all pending migrations to production
npx supabase db push --project-ref $PROJECT_REF

# Preview what will run without applying (dry run)
npx supabase db push --project-ref $PROJECT_REF --dry-run

# Check current migration status
npx supabase migration list --project-ref $PROJECT_REF

Each migration file in supabase/migrations/ is applied in timestamp order. The CLI tracks which migrations have already been applied and only runs new ones.
Edge Functions deployment:

# Deploy a single Edge Function
npx supabase functions deploy process-webhook --project-ref $PROJECT_REF

# Deploy all Edge Functions at once
npx supabase functions deploy --project-ref $PROJECT_REF

Secrets management — set environment variables for Edge Functions:

# Set individual secrets
npx supabase secrets set STRIPE_KEY=sk_live_xxx --project-ref $PROJECT_REF
npx supabase secrets set WEBHOOK_SECRET=whsec_xxx --project-ref $PROJECT_REF

# Set multiple secrets at once
npx supabase secrets set API_KEY=value1 SIGNING_KEY=value2 --project-ref $PROJECT_REF

# List current secrets (names only, values hidden)
npx supabase secrets list --project-ref $PROJECT_REF

# Remove a secret
npx supabase secrets unset OLD_KEY --project-ref $PROJECT_REF

Step 2 — Zero-Downtime Deployments and Blue/Green Branching
Use Supabase database branching to test migrations against a production-like environment before cutting over.
Blue/green deployment via da

                

              

                
                  
                  
                  supabase-enterprise-rbac
                  SKILL.md
                  View full skill →
                
                
                  Implement custom role-based access control via JWT claims in Supabase: app_metadata.
                  
                      ReadWriteEditBash(npx supabase:*)Bash(supabase:*)Bash(psql:*)GrepGlob
                    
                
                
                  Supabase Enterprise RBAC
Overview
Supabase supports custom role-based access control (RBAC) by storing role information in appmetadata on the user's JWT, then reading those claims in RLS policies via auth.jwt() ->> 'role'. This skill implements a complete RBAC system: defining roles in appmetadata, writing RLS policies that enforce role hierarchies, scoping access by organization, managing roles through the Admin API, and protecting API endpoints with role checks — all using real createClient from @supabase/supabase-js.
When to use: Building multi-role applications (admin/editor/viewer), implementing organization-scoped access, creating custom permission systems beyond Supabase's built-in anon/authenticated roles, or scoping API operations by user role.
Prerequisites

@supabase/supabase-js v2+ with service role key for admin operations
Understanding of JWT claims and Supabase's auth.jwt() SQL function
Database access via SQL Editor or psql for RLS policy creation
Supabase project with authentication configured

Instructions
Step 1: Define Roles via app_metadata and JWT Claims
Store custom roles in the user's app_metadata using the Admin API. These claims appear in every JWT the user receives and are available in RLS policies.
Set user roles with the Admin API:

import { createClient } from '@supabase/supabase-js';

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY!,
  { auth: { autoRefreshToken: false, persistSession: false } }
);

// Define the role hierarchy
type AppRole = 'admin' | 'editor' | 'viewer' | 'member';

interface AppMetadata {
  role: AppRole;
  org_id: string;
  permissions?: string[];
}

// Assign a role to a user (admin operation)
async function setUserRole(userId: string, role: AppRole, orgId: string) {
  const { data, error } = await supabase.auth.admin.updateUserById(userId, {
    app_metadata: {
      role,
      org_id: orgId,
    },
  });

  if (error) throw new Error(`Failed to set role: ${error.message}`);

  console.log(`User ${userId} assigned role "${role}" in org "${orgId}"`);
  return data.user;
}

// Assign granular permissions (optional, for fine-grained control)
async function setUserPermissions(
  userId: string,
  permissions: string[]
) {
  const { data, error } = await supabase.auth.admin.updateUserById(userId, {
    app_metadata: { permissions },
  });

  if (error) throw new Error(`Failed to set permissions: ${error.message}`);
  return data.user;
}

// Bulk role assignment (e.g., onboarding a team)
async function assignTeamRoles(
  orgId: string,
  assignm

                

              

                
                  
                  
                  supabase-hello-world
                  SKILL.md
                  View full skill →
                
                
                  Run your first Supabase query — insert a row and read it back.
                  
                      ReadWriteEditBash(npm:*)Bash(npx:*)Bash(supabase:*)
                    
                
                
                  Supabase Hello World — First Query
Overview
Execute your first real Supabase query: create a todos table in the dashboard, insert a row with the JS client, and read it back. This validates that your project URL, anon key, and Row Level Security are configured correctly before you build anything else.
Prerequisites

Completed supabase-install-auth setup (project URL + anon key in .env)
@supabase/supabase-js v2+ installed (npm install @supabase/supabase-js)
A Supabase project at supabase.com/dashboard

Instructions
Step 1: Create the todos Table
Open your Supabase dashboard SQL Editor and run:

-- Create a simple todos table
create table public.todos (
  id bigint generated always as identity primary key,
  task text not null,
  is_complete boolean default false,
  inserted_at timestamptz default now()
);

-- Enable Row Level Security (required for anon key access)
alter table public.todos enable row level security;

-- Allow anyone with the anon key to read and insert
-- (permissive for hello-world; lock down before production)
create policy "Allow public read" on public.todos
  for select using (true);

create policy "Allow public insert" on public.todos
  for insert with check (true);

Verify the table appears under Table Editor in the dashboard before continuing.
Step 2: Insert a Row

import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_ANON_KEY!
)

// Insert a row and return it with .select()
const { data, error } = await supabase
  .from('todos')
  .insert({ task: 'Hello from Supabase!' })
  .select()

if (error) {
  console.error('Insert failed:', error.message)
  // e.g. "new row violates row-level security policy"
  process.exit(1)
}

console.log('Inserted:', data)
// [{ id: 1, task: "Hello from Supabase!", is_complete: false, inserted_at: "2026-03-22T..." }]

Key detail: .insert() alone returns { data: null }. You must chain .select() to get the inserted row back.
Step 3: Read It Back

// Select all rows from todos
const { data: todos, error: selectError } = await supabase
  .from('todos')
  .select('*')

if (selectError) {
  console.error('Select failed:', selectError.message)
  process.exit(1)
}

console.log('Todos:', todos)
// [{ id: 1, task: "Hello from Supabase!", is_complete: false, inserted_at: "2026-03-22T..." }]

// Verify the round-trip
if (todos && todos.length > 0) {
  consol

                

              

                
                  
                  
                  supabase-incident-runbook
                  SKILL.md
                  View full skill →
                
                
                  Execute Supabase incident response: dashboard health checks, connection pool status, pg_stat_activity queries, RLS debugging, Edge Function logs, storage health, and escalation.
                  
                      ReadGrepBash(npx supabase:*)Bash(supabase:*)Bash(curl:*)Bash(psql:*)
                    
                
                
                  Supabase Incident Runbook
Overview
When a Supabase-backed application experiences failures, you need a structured response: verify the Supabase platform status, check your connection pool, inspect pgstatactivity for stuck queries, debug RLS policies that silently filter data, review Edge Function execution logs, verify storage bucket health, and escalate to Supabase support with a complete evidence bundle. This runbook covers every layer from the SDK client through the database to platform services.
When to use: Production errors involving Supabase, degraded API response times, connection pool exhaustion, silent data filtering from RLS, Edge Function cold start failures, or storage upload/download errors.
Prerequisites

Supabase project with dashboard access at supabase.com/dashboard
@supabase/supabase-js v2+ installed in your project
Supabase CLI installed for Edge Function log access
Direct database connection string (for psql diagnostics)
Access to status.supabase.com for platform health

Instructions
Step 1: Triage — Platform vs. Application
Determine whether the issue is a Supabase platform incident or an application-level bug. Check platform status first, then verify your SDK client connectivity.
Check Supabase platform status:

# Check official status page
curl -sf https://status.supabase.com/api/v2/status.json | jq '{
  indicator: .status.indicator,
  description: .status.description
}'
# Expected: { "indicator": "none", "description": "All Systems Operational" }

# Check for active incidents
curl -sf https://status.supabase.com/api/v2/incidents/unresolved.json | jq '.incidents[] | {
  name: .name,
  status: .status,
  impact: .impact,
  created_at: .created_at
}'

Verify SDK client connectivity from your application:

import { createClient } from '@supabase/supabase-js';

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
);

// Quick health check — select 1 from a small table
async function healthCheck(): Promise<{
  status: 'healthy' | 'degraded' | 'down';
  latencyMs: number;
  error?: string;
}> {
  const start = performance.now();
  try {
    const { data, error } = await supabase
      .from('_health_check')
      .select('id')
      .limit(1)
      .maybeSingle();

    const latencyMs = Math.round(performance.now() - start);

    if (error) {
      return { status: 'degraded', latencyMs, error: error.message };
    }

    return {
      status: latencyMs > 200

                

              

                
                  
                  
                  supabase-install-auth
                  SKILL.md
                  View full skill →
                
                
                  Install and configure Supabase SDK, CLI, and project authentication.
                  
                      ReadWriteEditBash(npm:*)Bash(npx:*)Bash(pnpm:*)Bash(pip:*)Bash(supabase:*)GrepGlob
                    
                
                
                  Supabase Install & Auth
Overview
Install the Supabase SDK, CLI, and project credentials from scratch — covering package install, environment configuration, client initialization, and connection verification for both TypeScript (@supabase/supabase-js) and Python (supabase).
Key facts:

npm package: @supabase/supabase-js
Python package: supabase (via pip)
Client factory: createClient() — never new SupabaseClient()
Dashboard: https://supabase.com/dashboard (Settings > API for keys)
Docs: https://supabase.com/docs

Prerequisites

Node.js 18+ (for JS/TS) or Python 3.8+ (for Python)
Package manager: npm, pnpm, or yarn (JS) / pip (Python)
A Supabase project created at https://supabase.com/dashboard
Docker Desktop (only if using local development via supabase start)

Instructions
Step 1 — Install the SDK and CLI
Install the SDK and the Supabase CLI:
JavaScript / TypeScript:

# Install the SDK
npm install @supabase/supabase-js

# For SSR frameworks (Next.js, SvelteKit, Nuxt), also install:
npm install @supabase/ssr

# Install the Supabase CLI (for types, migrations, local dev)
npm install -D supabase

Python:

# Install the SDK
pip install supabase

# Install the CLI (alternative: brew install supabase/tap/supabase)
npm install -g supabase

Verify the CLI is available:

npx supabase --version

Step 2 — Configure Environment Variables
Retrieve project credentials from the Supabase Dashboard (Settings > API) and create the env file:

# .env.local (or .env)
SUPABASE_URL=https://<project-ref>.supabase.co
SUPABASE_KEY=eyJhbGciOiJIUzI1NiIs...          # anon key — safe for client-side
SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1...  # admin key — server-side ONLY

Add env files to .gitignore immediately:

.env
.env.local
.env.*.local

Security rules:

The anon key (SUPABASE_KEY) is safe for client-side code. It respects Row Level Security (RLS) policies.
The service role key (SUPABASESERVICEROLE_KEY) bypasses RLS entirely. Use only on the server. Never bundle into client code or expose in browser.

Step 3 — Initialize the Client and Verify
Create a client singleton and verify connectivity:
TypeScript — client-side (anon key):

// lib/supabase

                

              

                
                  
                  
                  supabase-known-pitfalls
                  SKILL.md
                  View full skill →
                
                
                  Avoid and fix the most common Supabase mistakes: exposing service_role key in client bundles, forgetting to enable RLS, not using connection pooling in serverless, .
                  
                      ReadGrep
                    
                
                
                  Supabase Known Pitfalls
Overview
The twelve most common Supabase mistakes, ranked by severity: security (service_role exposure, missing RLS, permissive policies), data integrity (ignoring { data, error }, missing .select() after mutations, .single() on optional results), performance (select('*'), N+1 queries, missing FK indexes, synchronous auth checks), and maintainability (no generated types, multiple client instances, hardcoded connection strings). Each pitfall shows the broken code, explains why it fails, and provides the correct pattern using createClient from @supabase/supabase-js.
Prerequisites

Access to a Supabase project codebase for review
@supabase/supabase-js v2+ installed
Basic understanding of Row Level Security (RLS)

Step 1 — Security Pitfalls (Critical)
These mistakes can expose all your data to any user with browser dev tools.
Pitfall 1: Exposing service_role Key in Client Code

// BAD: service_role key in a NEXT_PUBLIC_ variable — shipped to every browser
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY!  // CATASTROPHIC
)
// This key bypasses ALL RLS. Anyone can:
// - Read every row in every table
// - Delete the entire database
// - Create admin users
// - Access every file in storage

// CORRECT: anon key on client, service_role only on server
// Client (browser):
const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!  // respects RLS
)

// Server only (API routes, server actions):
const supabaseAdmin = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY!,  // NO NEXT_PUBLIC_ prefix
  { auth: { autoRefreshToken: false, persistSession: false } }
)

Detection:

# Find service_role references in client-side files
grep -rn 'SERVICE_ROLE' --include="*.tsx" --include="*.jsx" --include="*.ts" src/ app/ components/ pages/
# Find NEXT_PUBLIC_ + SERVICE_ROLE combination
grep -rn 'NEXT_PUBLIC.*SERVICE_ROLE' .env* *.ts *.tsx

Pitfall 2: Tables Without RLS Enabled

-- BAD: table created without enabling RLS
CREATE TABLE public.medical_records (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  patient_id uuid REFERENCES auth.users(id),
  diagnosis text,
  ssn text  -- PII fully exposed to anyone with the anon key!
);
-- With RLS disabled, the anon key can read EVERY row via the PostgREST API

-- CORRECT: always enable RLS immediately after CREATE TABLE
CREATE

                

              

                
                  
                  
                  supabase-load-scale
                  SKILL.md
                  View full skill →
                
                
                  Scale Supabase projects for production load: read replicas, connection pooling tuning via Supavisor, compute size upgrades, CDN caching for Storage, Edge Function regional deployment, and database table partitioning.
                  
                      ReadWriteEditBash(supabase:*)Bash(psql:*)Bash(curl:*)Grep
                    
                
                
                  Supabase Load & Scale
Overview
Supabase scaling operates at six layers: read replicas (offload analytics and reporting queries), connection pooling (Supavisor pgBouncer replacement with transaction/session modes), compute upgrades (vCPU/RAM tiers), CDN for Storage (cache public bucket assets at the edge), Edge Function regions (deploy functions closer to users), and table partitioning (split billion-row tables for query performance). This skill covers each layer with real createClient configuration, SQL, and CLI commands.
Prerequisites

Supabase project on a Pro plan or higher (read replicas require Pro+)
@supabase/supabase-js v2+ installed
supabase CLI installed and linked to your project
Database access via psql or Supabase SQL Editor
TypeScript project with generated database types

Step 1 — Read Replicas and Connection Pooling
Read replicas let you route read-heavy queries (dashboards, reports, search) to replica databases while keeping writes on the primary. Supabase uses Supavisor (their pgBouncer replacement) for connection pooling with two modes: transaction (default, shares connections between requests) and session (holds a connection per client session, needed for prepared statements).
Configure the Read Replica Client

// lib/supabase.ts
import { createClient } from '@supabase/supabase-js'
import type { Database } from './database.types'

// Primary client — handles all writes and real-time subscriptions
export const supabase = createClient<Database>(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_ANON_KEY!
)

// Read replica client — use for analytics, dashboards, search
// The read replica URL is available in Dashboard > Settings > Database
export const supabaseReadOnly = createClient<Database>(
  process.env.SUPABASE_READ_REPLICA_URL!,  // e.g., https://<project-ref>-ro.supabase.co
  process.env.SUPABASE_ANON_KEY!,          // same anon key works for replicas
  {
    db: { schema: 'public' },
    // Replicas may have slight lag (typically <100ms)
    // Do NOT use for reads-after-writes in the same request
  }
)

// Server-side admin client with connection pooling via Supavisor
// Use the pooled connection string (port 6543) instead of direct (port 5432)
export const supabaseAdmin = createClient<Database>(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY!,
  {
    auth: { autoRefreshToken: false, persistSession: false },
    db: { schema: 'public' },
  }
)

Direct Postgres Connections via Supavisor Pooling

# Transaction mode (default, port 6543) — b

                

              

                
                  
                  
                  supabase-local-dev-loop
                  SKILL.md
                  View full skill →
                
                
                  Configure Supabase local development with the CLI, Docker, and migration workflow.
                  
                      ReadWriteEditBash(npx:*)Bash(supabase:*)Bash(docker:*)Bash(curl:*)Grep
                    
                
                
                  Supabase Local Dev Loop
Overview
Run the full Supabase stack locally — Postgres, Auth, Storage, Realtime, Edge Functions, and Studio — using Docker and the Supabase CLI. Local development mirrors production APIs exactly, enabling offline work, fast iteration, and repeatable migration workflows. Schema changes flow through supabase db diff to generate migrations, and supabase db reset replays them cleanly.
Prerequisites

Docker Desktop installed and running (required for all local services)
Node.js 18+ (for npx supabase commands)
No global install needed — all commands use npx supabase

Instructions
Step 1: Initialize Project and Start Local Stack

# Initialize Supabase in your project root
npx supabase init

This creates a supabase/ directory:

supabase/
├── config.toml          # Local stack configuration (ports, auth settings)
├── migrations/          # SQL migration files (version-controlled)
└── seed.sql             # Seed data (runs after migrations on db reset)

Start the local stack (first run pulls Docker images — takes a few minutes):

npx supabase start

The CLI prints all local endpoints and keys:

API URL:          http://localhost:54321
GraphQL URL:      http://localhost:54321/graphql/v1
S3 Storage URL:   http://localhost:54321/storage/v1/s3
DB URL:           postgresql://postgres:postgres@localhost:54322/postgres
Studio URL:       http://localhost:54323
Inbucket URL:     http://localhost:54324
anon key:         eyJhbGciOiJI...
service_role key: eyJhbGciOiJI...

Create .env.local from these values (git-ignored):

# .env.local
SUPABASE_URL=http://localhost:54321
SUPABASE_ANON_KEY=<anon-key-from-supabase-start>
SUPABASE_SERVICE_ROLE_KEY=<service-role-key-from-supabase-start>
DATABASE_URL=postgresql://postgres:postgres@localhost:54322/postgres

Verify the stack is running:

npx supabase status

Step 2: Create Migrations and Seed Data
Create a migration file with a descriptive name:

npx supabase migration new create_profiles
# Creates: supabase/migrations/<timestamp>_create_profiles.sql

Write the migration SQL:

-- supabase/migrations/<timestamp>_create_profiles.sql
create table public.profiles (
  id uuid references auth.users(id) primary key,
  username text unique not null,
  avatar_url text,
  created_at timestamptz default now(),
  updated_at timestamptz default now()
);

-- Always enable RLS on public tables
alter table public.profiles enable row level security;

create policy "Public profiles are viewable 

                

              

                
                  
                  
                  supabase-migration-deep-dive
                  SKILL.md
                  View full skill →
                
                
                  Database migration patterns with Supabase CLI: npx supabase migration new, zero-downtime migrations, data backfill strategies, schema versioning, rollback strategies, and type generation.
                  
                      ReadWriteEditBash(npx supabase:*)Bash(supabase:*)Bash(psql:*)GrepGlob
                    
                
                
                  Supabase Migration Deep Dive
Overview
Supabase migrations are SQL files managed by the CLI that track schema changes across environments. This skill covers the complete migration lifecycle: creating migrations with npx supabase migration new, writing zero-downtime schema changes that avoid table locks, backfilling data in batches, managing schema versioning across environments, planning rollback strategies, and regenerating TypeScript types after schema changes. Every pattern uses real Supabase CLI commands and createClient from @supabase/supabase-js.
When to use: Creating new database migrations, modifying production schemas without downtime, backfilling existing data after adding columns, managing migration history across dev/staging/production, rolling back failed migrations, or regenerating TypeScript types.
Prerequisites

Supabase CLI installed: npm install -g supabase or npx supabase --version
@supabase/supabase-js v2+ installed in your project
Local Supabase running: npx supabase start
Understanding of PostgreSQL DDL and transaction behavior

Instructions
Step 1: Create and Manage Migrations
Use the Supabase CLI to create, test, and apply migrations. Each migration is a timestamped SQL file that runs in order.
Create a new migration:

# Create a migration file with a descriptive name
npx supabase migration new add_profiles_table
# Creates: supabase/migrations/20260322120000_add_profiles_table.sql

# List all migrations and their status
npx supabase migration list

# Check which migrations have been applied locally
npx supabase db reset --dry-run

Write the migration SQL:

-- supabase/migrations/20260322120000_add_profiles_table.sql

-- Create the profiles table
CREATE TABLE public.profiles (
  id uuid REFERENCES auth.users(id) ON DELETE CASCADE PRIMARY KEY,
  email text UNIQUE NOT NULL,
  full_name text,
  avatar_url text,
  bio text,
  created_at timestamptz DEFAULT now(),
  updated_at timestamptz DEFAULT now()
);

-- Enable RLS
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

-- Create policies
CREATE POLICY "users_read_own_profile" ON public.profiles
  FOR SELECT USING (auth.uid() = id);

CREATE POLICY "users_update_own_profile" ON public.profiles
  FOR UPDATE USING (auth.uid() = id)
  WITH CHECK (auth.uid() = id);

-- Create an index for email lookups
CREATE INDEX idx_profiles_email ON public.profiles(email);

-- Auto-create profile on user signup (trigger)
CREATE OR REPLACE FUNCTION public.handle_new_user()
RETURNS trigger AS $$
BEGIN
  INSERT INTO public.profiles (id, email, full_name, avatar_url)
  VALUES (
    new.id,
    new.email,
    new.raw_user_meta_data ->> 'fu

                

              

                
                  
                  
                  supabase-multi-env-setup
                  SKILL.md
                  View full skill →
                
                
                  Configure Supabase across development, staging, and production with separate projects, environment-specific secrets, and safe migration promotion.
                  
                      ReadWriteEditBash(npx supabase:*)Bash(supabase:*)Bash(vercel:*)GrepGlob
                    
                
                
                  Supabase Multi-Environment Setup
Overview
Production Supabase deployments require separate projects per environment — each with its own URL, API keys, database, and RLS policies. This skill configures a three-tier environment architecture (local dev, staging, production) with safe migration promotion via supabase db push, environment-aware createClient initialization, database branching for preview deployments, and CI/CD pipelines that prevent accidental cross-environment operations.
When to use: Setting up a new project with multiple environments, migrating from a single-project setup to multi-env, adding staging to an existing dev/prod split, or configuring preview environments with database branching.
Prerequisites

Three separate Supabase projects created at supabase.com/dashboard (dev, staging, production)
Supabase CLI installed: npm install -g supabase or npx supabase --version
@supabase/supabase-js v2+ installed in your project
Node.js 18+ with framework that supports .env files (Next.js, Nuxt, SvelteKit, etc.)
A secret management solution for CI (GitHub Actions Secrets, Vercel env vars, etc.)

Instructions
Step 1: Environment Files and Project Layout
Create one Supabase CLI project with shared migrations and per-environment credential files. Each .env.* file points to a different Supabase project.
Project structure:

my-app/
├── supabase/
│   ├── config.toml              # Local CLI config
│   ├── migrations/              # Shared migrations (all envs use the same schema)
│   │   └── 20260101000000_initial.sql
│   ├── seed.sql                 # Dev-only seed data (runs on db reset only)
│   └── functions/               # Edge Functions (deployed per env)
├── .env.local                   # Local dev → supabase start
├── .env.staging                 # Staging project credentials
├── .env.production              # Production project credentials
└── .gitignore                   # Must include .env.staging, .env.production

Environment files:

# .env.local — local development (safe defaults from supabase start)
NEXT_PUBLIC_SUPABASE_URL=http://127.0.0.1:54321
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0
SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU
DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:54322/postgres
SUPABASE_ENV=local

# .env.staging — staging project
NEXT_PUBLIC_SUPABASE_URL=https:/

                

              

                
                  
                  
                  supabase-observability
                  SKILL.md
                  View full skill →
                
                
                  Set up monitoring and observability for Supabase projects using Dashboard reports, CLI inspect commands, pg_stat_statements, log drains, and alerting.
                  
                      ReadWriteEditBash(npx supabase:*)Bash(supabase:*)Grep
                    
                
                
                  Supabase Observability
Overview
Monitor Supabase projects end-to-end: Dashboard reports for API/database/auth metrics, supabase inspect db CLI for deep Postgres diagnostics, pgstatstatements for query analytics, log drains for external aggregation, Edge Functions for custom metrics, and alerting on quota thresholds.
Prerequisites

Supabase CLI installed (npx supabase --version)
Supabase project linked (supabase link --project-ref )
Pro plan or higher for log drain support and extended log retention
@supabase/supabase-js v2+ installed for application-level monitoring

Instructions
Step 1: Dashboard Reports and CLI Inspect Commands
Supabase Dashboard provides built-in reports under Dashboard > Reports:

Report
What It Shows


API Requests
Total requests, response times, error rates by endpoint


Database
Active connections, query counts, replication lag


Auth Usage
Signups, logins, provider breakdown, failed attempts


Storage
Bandwidth, object counts, bucket usage


Realtime
Active connections, messages per second, channel counts


For deeper Postgres diagnostics, use the CLI inspect commands:

# Table sizes — find the largest tables
npx supabase inspect db table-sizes --linked

# Index usage — find unused indexes wasting space
npx supabase inspect db index-usage --linked

# Cache hit ratio — should be > 99% (below 95% means upgrade compute)
npx supabase inspect db cache-hit --linked

# Sequential scans — tables needing indexes
npx supabase inspect db seq-scans --linked

# Long-running queries — find stuck queries
npx supabase inspect db long-running-queries --linked

# Table index sizes — compare index vs table size
npx supabase inspect db table-index-sizes --linked

# Bloat — estimate wasted space from dead tuples
npx supabase inspect db bloat --linked

# Blocking queries — find lock contention
npx supabase inspect db blocking --linked

# Replication slots — check replication health
npx supabase inspect db replication-slots --linked

Step 2: Query Analytics with pgstatstatements and Log Drains
Enable pgstatstatements for detailed query-level metrics:

-- Enable the extension (Dashboard > Database > Extensions, or SQL)
create extension if not exists pg_stat_statements;

-- Top 20 slowest queries by average execution time
select
  substring(query, 1, 80) as query_preview,
  calls,
  round(mean_exec_time::numeric, 2) as avg_ms,
  round(max_exec_time::numeric, 2) as max_ms,
  round(total_exec_time::numeric, 2) as total_m

                

              

                
                  
                  
                  supabase-performance-tuning
                  SKILL.md
                  View full skill →
                
                
                  Optimize Supabase query performance with indexes, EXPLAIN ANALYZE, connection pooling, column selection, pagination, RPC functions, materialized views, and diagnostics.
                  
                      ReadWriteEditBash(npx:supabase)Bash(supabase:*)Grep
                    
                
                
                  Supabase Performance Tuning
Overview
Systematically improve Supabase query and database performance across three layers: PostgreSQL engine (indexes, query plans, materialized views), Supabase infrastructure (Supavisor connection pooling, Edge Functions, read replicas), and client SDK patterns (column selection, pagination, RPC functions). Every technique here is measurable — run EXPLAIN ANALYZE before and after to confirm the improvement.
Prerequisites

Supabase project (local or hosted) with @supabase/supabase-js v2+ installed
Supabase CLI installed (npx supabase --version to verify)
Access to the SQL Editor in the Supabase Dashboard or a direct Postgres connection
pgstatstatements extension enabled (Step 1 covers this)

Instructions
Step 1: Diagnose — Find What Is Slow
Start every performance effort with data. Enable pgstatstatements and run the Supabase CLI diagnostics to identify bottlenecks before optimizing.
Enable the stats extension:

CREATE EXTENSION IF NOT EXISTS pg_stat_statements;

Find the slowest queries by average execution time:

SELECT
  query,
  calls,
  mean_exec_time::numeric(10,2) AS avg_ms,
  total_exec_time::numeric(10,2) AS total_ms,
  rows
FROM pg_stat_statements
ORDER BY mean_exec_time DESC
LIMIT 10;

Check index usage and cache hit rates with the Supabase CLI:

# Which indexes are actually being used?
npx supabase inspect db index-usage

# What percentage of queries are served from cache vs disk?
npx supabase inspect db cache-hit

# Tables consuming the most space
npx supabase inspect db table-sizes

Inspect active connections for pooling issues:

SELECT state, count(*), max(age(now(), state_change)) AS max_age
FROM pg_stat_activity
WHERE datname = current_database()
GROUP BY state;

If idle connections exceed your plan's limit or active queries show high max_age, connection pooling (Step 2) and query optimization (Step 3) are the priority.
Step 2: Indexes and Query Plans
Indexes are the single highest-impact optimization. Use EXPLAIN ANALYZE to read query plans, then create targeted indexes.
Read a query plan:

EXPLAIN (ANALYZE, BUFFERS, FORMAT TEXT)
SELECT * FROM users WHERE email = 'alice@example.com';

Look for Seq Scan on large tables — that means no index is being used. After adding an index, the plan should show Index Scan or Index Only Scan.
Create a basic index:

                
              

                
                  
                  
                  supabase-policy-guardrails
                  SKILL.md
                  View full skill →
                
                
                  Enforce organizational governance for Supabase projects: shared RLS policy library with reusable templates, table and column naming conventions, migration review process with CI checks, cost alert thresholds, and security audit scripts scanning for common misconfigurations.
                  
                      ReadWriteEditBash(supabase:*)Bash(psql:*)Bash(npx:*)Grep
                    
                
                
                  Supabase Policy Guardrails
Overview
Organizational governance for Supabase at scale: a shared RLS policy library (reusable templates for common access patterns), naming conventions (tables, columns, functions, policies), migration review process (CI checks ensuring RLS, preventing destructive operations, enforcing naming), cost alert configuration (billing thresholds and usage monitoring), and security audit scripts (scanning for exposed keys, missing RLS, overly permissive policies). All patterns use real createClient from @supabase/supabase-js and Supabase CLI commands.
Prerequisites

Supabase project with supabase CLI installed and linked
@supabase/supabase-js v2+ installed
CI/CD pipeline (GitHub Actions recommended)
Database access via psql or Supabase SQL Editor
Pro plan recommended for cost alerts and usage API

Step 1 — Shared RLS Policy Library and Naming Conventions
RLS Policy Templates
Create reusable RLS policy templates that teams apply to new tables. This prevents each developer from writing ad-hoc policies and ensures consistent access control.

-- supabase/migrations/00000000000000_rls_policy_library.sql
-- Shared RLS policy library — apply these templates to new tables

-- ============================================================
-- Template 1: Owner-only access (user owns the row)
-- Usage: tables with a user_id column (todos, profiles, settings)
-- ============================================================
CREATE OR REPLACE FUNCTION public.rls_owner_only(table_name text, user_column text DEFAULT 'user_id')
RETURNS void AS $$
BEGIN
  EXECUTE format('ALTER TABLE public.%I ENABLE ROW LEVEL SECURITY', table_name);

  EXECUTE format(
    'CREATE POLICY "owner_select" ON public.%I FOR SELECT USING (%I = auth.uid())',
    table_name, user_column
  );
  EXECUTE format(
    'CREATE POLICY "owner_insert" ON public.%I FOR INSERT WITH CHECK (%I = auth.uid())',
    table_name, user_column
  );
  EXECUTE format(
    'CREATE POLICY "owner_update" ON public.%I FOR UPDATE USING (%I = auth.uid())',
    table_name, user_column
  );
  EXECUTE format(
    'CREATE POLICY "owner_delete" ON public.%I FOR DELETE USING (%I = auth.uid())',
    table_name, user_column
  );
END;
$$ LANGUAGE plpgsql;

-- ============================================================
-- Template 2: Organization-scoped access (user is member of org)
-- Usage: tables with org_id referencing org_members
-- ============================================================
CREATE OR REPLACE FUNCTION public.rls_org_scoped(
  table_name text,
  org_column text DEFAULT 'org_id',
  allow_delete boolean DEFAU

                

              

                
                  
                  
                  supabase-prod-checklist
                  SKILL.md
                  View full skill →
                
                
                  Execute Supabase production deployment checklist covering RLS, key hygiene, connection pooling, backups, monitoring, Edge Functions, and Storage policies.
                  
                      ReadWriteEditBash(npx supabase:*)Bash(curl:*)Grep
                    
                
                
                  Supabase Production Deployment Checklist
Overview
Actionable 14-step checklist for taking a Supabase project to production. Covers RLS enforcement, key separation, connection pooling (Supavisor), backups/PITR, network restrictions, custom domains, auth emails, rate limits, monitoring, Edge Functions, Storage policies, indexes, and migrations. Based on Supabase's official production guide.
Prerequisites

Supabase project on Pro plan or higher (required for PITR, network restrictions)
Separate production project (never share dev/prod)
@supabase/supabase-js v2+ installed
Supabase CLI installed (npx supabase --version)
Domain and DNS configured for custom domain
Deployment platform ready (Vercel, Netlify, Cloudflare, etc.)

Instructions
Step 1: Enforce Row Level Security on ALL Tables
RLS is the single most critical production requirement. Without it, any client with your anon key can read/write every row.

-- Audit: find tables WITHOUT RLS enabled
-- This query MUST return zero rows before going live
SELECT schemaname, tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public' AND rowsecurity = false;


-- Enable RLS on a table
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

-- Create a basic read policy (authenticated users see own rows)
CREATE POLICY "Users can view own profile"
  ON public.profiles
  FOR SELECT
  USING (auth.uid() = user_id);

-- Create an insert policy
CREATE POLICY "Users can insert own profile"
  ON public.profiles
  FOR INSERT
  WITH CHECK (auth.uid() = user_id);

-- Create an update policy
CREATE POLICY "Users can update own profile"
  ON public.profiles
  FOR UPDATE
  USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);


[ ] RLS enabled on every public table (zero rows from audit query above)
[ ] SELECT, INSERT, UPDATE, DELETE policies defined for each table
[ ] Policies tested with both authenticated and anonymous roles
[ ] No tables use USING (true) without intent (public read tables only)

Step 2: Enforce Key Separation — Anon vs Service Role
The anon key is safe for client-side code. The service_role key bypasses RLS entirely and must never leave server-side environments.

// Client-side — ONLY use anon key
import { createClient } from '@supabase/supabase-js';

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!  // Safe for browsers
);


// Server-side only — service_role key (API routes, webhooks, cron jobs

                

              

                
                  
                  
                  supabase-rate-limits
                  SKILL.md
                  View full skill →
                
                
                  Manage Supabase rate limits and quotas across all plan tiers.
                  
                      ReadWriteEditBashGrep
                    
                
                
                  Supabase Rate Limits
Overview
Supabase enforces rate limits and quotas across every API surface — PostgREST, Auth, Storage, Realtime, and Edge Functions. Limits scale by plan tier. This skill covers the exact numbers per tier, connection pooling via Supavisor, retry/backoff patterns, pagination to reduce payload, and dashboard monitoring so you can stay within quotas and handle 429 errors gracefully.
Prerequisites

Active Supabase project (any tier)
@supabase/supabase-js v2+ installed
Project URL and anon/service-role key available
Node.js 18+ or equivalent runtime

Instructions
Step 1 — Understand Rate Limits by Tier and Surface
Every Supabase project has per-surface limits that differ by plan. Know these numbers before you architect:
API Request Limits

Metric
Free
Pro
Enterprise


Requests per minute (RPM)
500
5,000
Unlimited (custom)


Requests per day (RPD)
50,000
1,000,000
Unlimited (custom)


Auth Rate Limits

Endpoint
Free
Pro


Signup
30/hour per IP
Higher (configurable)


Sign-in (password)
30/hour per IP
Higher (configurable)


Magic link / OTP
4/hour per user
Configurable


Token refresh
360/hour
360/hour


Auth limits are per-IP and per-user. Configure custom limits in Dashboard > Authentication > Rate Limits.
Storage Bandwidth

Metric
Free
Pro


Storage size
1 GB
100 GB


Bandwidth
2 GB/month
250 GB/month


Max file size
50 MB
5 GB


Upload rate
Shared with API RPM
Shared with API RPM


Realtime Connections

Metric
Free
Pro


Concurrent connections
200
500


Messages per second
100
500


Channel joins
Shared with connection limit
Shared


Edge Functions

Metric
Free
Pro


Invocations/month
500,000
2,000,000


Execution time
150s wall / 50ms CPU
150s wall / 2s CPU


Memory
256 MB
256 MB


Databa

                

              

                
                  
                  
                  supabase-reference-architecture
                  SKILL.md
                  View full skill →
                
                
                  Implement enterprise Supabase reference architectures — monorepo layout, multi-tenant RLS, microservices with cross-project access, framework integration, edge functions, caching, queue patterns, and audit logging.
                  
                      ReadWriteEditBash(npm:*)Bash(npx:*)Bash(supabase:*)GrepGlob
                    
                
                
                  Supabase Reference Architecture
Overview
Production Supabase applications need more than a flat lib/supabase.ts file. This skill covers five enterprise architecture patterns: monorepo with shared types, multi-tenant RLS isolation, microservices with separate Supabase projects, framework integration (Next.js / SvelteKit), and operational patterns (edge functions, caching, queues, audit trails). Each pattern stands alone — pick the ones that match your scale.
For the full monorepo directory layout and microservices cross-project access, see Project Structure. For edge functions, caching, queue, and audit trail patterns, see Operational Patterns.
Prerequisites

@supabase/supabase-js v2+ installed (npm install @supabase/supabase-js)
Supabase CLI installed (npm install -g supabase)
A Supabase project at supabase.com/dashboard
Familiarity with supabase-install-auth (project URL, anon key, service role key)
PostgreSQL basics (RLS policies, triggers, functions)

Instructions
Step 1: Client Singleton — The Foundation
Every app in the monorepo imports from a shared package instead of creating its own client. This guarantees a single source of truth for the URL, keys, and type definitions.

// packages/supabase/src/client.ts
import { createClient, SupabaseClient } from '@supabase/supabase-js'
import type { Database } from './database.types'

let client: SupabaseClient<Database> | null = null

export function getSupabaseClient(): SupabaseClient<Database> {
  if (!client) {
    const url = process.env.NEXT_PUBLIC_SUPABASE_URL ?? process.env.SUPABASE_URL
    const key = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY ?? process.env.SUPABASE_ANON_KEY
    if (!url || !key) {
      throw new Error('Missing SUPABASE_URL or SUPABASE_ANON_KEY environment variables')
    }
    client = createClient<Database>(url, key)
  }
  return client
}

// Reset for testing
export function resetClient(): void {
  client = null
}


// packages/supabase/src/admin.ts — Server-side only, never bundle in client code
import { createClient } from '@supabase/supabase-js'
import type { Database } from './database.types'

export function getSupabaseAdmin() {
  const url = process.env.SUPABASE_URL
  const serviceKey = process.env.SUPABASE_SERVICE_ROLE_KEY
  if (!url || !serviceKey) {
    throw new Error('Missing SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY — server-only')
  }
  return createClient<Database>(url, serviceKey, {
    auth: { autoRefreshToken: false, persistSession: false }
  })
}

Key detail: The admin clien
                
              

                
                  
                  
                  supabase-reliability-patterns
                  SKILL.md
                  View full skill →
                
                
                  Build resilient Supabase integrations: circuit breakers wrapping createClient calls, offline queue with IndexedDB, graceful degradation with cached fallbacks, health check endpoints, retry with exponential backoff and jitter, and dual-write patterns for critical data.
                  
                      ReadWriteEditBash(supabase:*)Bash(curl:*)Grep
                    
                
                
                  Supabase Reliability Patterns
Overview
Production Supabase apps need six reliability layers: circuit breakers (stop calling Supabase when it's down to prevent cascading failures), offline queue (buffer writes when the network is unavailable and replay when reconnected), graceful degradation (serve cached or fallback data during outages), health checks (detect Supabase availability before routing traffic), retry with exponential backoff (handle transient errors without overwhelming the service), and dual-write (write critical data to both Supabase and a backup store). All patterns use real createClient from @supabase/supabase-js.
Prerequisites

@supabase/supabase-js v2+ installed
TypeScript project with Supabase client configured
For offline queue: browser environment with IndexedDB or server with Redis
For dual-write: secondary data store (Redis, DynamoDB, or local SQLite)

Step 1 — Circuit Breaker and Retry with Exponential Backoff
A circuit breaker tracks failures per Supabase service (database, auth, storage) and stops making calls when a threshold is exceeded. Combined with retry logic, it prevents both cascading failures and unnecessary retries during extended outages.
Circuit Breaker Implementation

// lib/circuit-breaker.ts
import { createClient } from '@supabase/supabase-js'
import type { Database } from './database.types'

type CircuitState = 'CLOSED' | 'OPEN' | 'HALF_OPEN'

interface CircuitBreakerOptions {
  failureThreshold: number    // failures before opening
  resetTimeoutMs: number      // ms before trying again (half-open)
  halfOpenSuccesses: number   // successes in half-open to close
  name: string                // for logging
}

class CircuitBreaker {
  private state: CircuitState = 'CLOSED'
  private failures = 0
  private lastFailureTime = 0
  private halfOpenSuccesses = 0

  constructor(private opts: CircuitBreakerOptions) {}

  async call<T>(fn: () => Promise<T>, fallback?: () => T): Promise<T> {
    // Check if circuit should transition from OPEN to HALF_OPEN
    if (this.state === 'OPEN') {
      if (Date.now() - this.lastFailureTime > this.opts.resetTimeoutMs) {
        this.state = 'HALF_OPEN'
        this.halfOpenSuccesses = 0
        console.log(`[CircuitBreaker:${this.opts.name}] OPEN → HALF_OPEN`)
      } else {
        if (fallback) return fallback()
        throw new Error(`Circuit breaker ${this.opts.name} is OPEN`)
      }
    }

    try {
      const result = await fn()

      // Success in HALF_OPEN: count toward recovery
      if (this.state === 'HALF_OPEN') {
        this.halfOpenSuccesses++
        if (this.halfOpenSuccesses >= th

                

              

                
                  
                  
                  supabase-schema-from-requirements
                  SKILL.md
                  View full skill →
                
                
                  Design Supabase Postgres schema from business requirements with migrations, RLS, and types.
                  
                      ReadWriteEditBash(supabase:*)Bash(npx:*)Grep
                    
                
                
                  Supabase Schema from Requirements
Overview
Translate business requirements into a production-ready Postgres schema inside Supabase. This skill covers the full path from specification document to applied migration: entity extraction, table creation with proper data types and constraints, Row Level Security policies, performance indexes, timestamp triggers, and TypeScript type generation. It is the highest-leverage activity in the early stages of any Supabase project because every downstream feature (auth, storage, realtime, edge functions) depends on well-designed tables.
Prerequisites

Supabase CLI installed (npm install -g supabase) and project linked (supabase link)
@supabase/supabase-js v2+ installed in the project
Business requirements, PRD, or specification document identifying entities and access rules
Local Supabase running (supabase start) or a linked remote project

Instructions
Step 1: Parse Requirements and Create Migration
Read the requirements document and extract entities, attributes, relationships, and access control rules. Map each entity to a Postgres table.
Entity extraction example (project management app):

Entity
Key Columns
Relationships


Organization
name, slug, plan
has many Projects, has many Members


Project
name, description, status
belongs to Organization, has many Tasks


Task
title, priority, status, due_date
belongs to Project, assigned to User


Member
role (owner/admin/member)
junction linking User to Organization


Create the migration file:

npx supabase migration new create_tables
# Creates: supabase/migrations/<timestamp>_create_tables.sql

Write the migration SQL using standard Postgres data types (uuid, text, integer, boolean, timestamptz, jsonb):

-- supabase/migrations/<timestamp>_create_tables.sql

-- Enable required extensions
create extension if not exists "uuid-ossp";
create extension if not exists "moddatetime";

-- Organizations
create table public.organizations (
  id uuid default uuid_generate_v4() primary key,
  name text not null,
  slug text unique not null,
  plan text default 'free' check (plan in ('free', 'pro', 'enterprise')),
  metadata jsonb default '{}'::jsonb,
  created_at timestamptz default now() not null,
  updated_at timestamptz default now() not null
);

-- Organization members (junction table)
create table public.members (
  id uuid default uuid_generate_

                

              

                
                  
                  
                  supabase-sdk-patterns
                  SKILL.md
                  View full skill →
                
                
                  Apply production-ready Supabase SDK patterns for TypeScript and Python projects.
                  
                      ReadWriteEditGrep
                    
                
                
                  Supabase SDK Patterns
Overview
Production patterns for @supabase/supabase-js v2 and supabase-py. Every Supabase query returns { data, error } — never assume success. This skill covers client initialization, CRUD with filters, auth, realtime subscriptions, storage, RPC, and the Python equivalent for each pattern.
Prerequisites

Supabase project with URL and anon key (or service role key for server-side)
@supabase/supabase-js v2 installed (TypeScript) or supabase pip package (Python)
TypeScript projects: generated database types via supabase gen types typescript

Instructions
Step 1: Initialize a Typed Singleton Client
Create one client instance and reuse it. Never call createClient per-request.

// lib/supabase.ts
import { createClient } from '@supabase/supabase-js'
import type { Database } from './database.types'

let supabase: ReturnType<typeof createClient<Database>>

export function getSupabase() {
  if (!supabase) {
    supabase = createClient<Database>(
      process.env.SUPABASE_URL!,
      process.env.SUPABASE_ANON_KEY!,
      {
        auth: { autoRefreshToken: true, persistSession: true },
        db: { schema: 'public' },
        global: { headers: { 'x-app-name': 'my-app' } },
      }
    )
  }
  return supabase
}

Python equivalent:

from supabase import create_client, Client

_client: Client | None = None

def get_supabase() -> Client:
    global _client
    if _client is None:
        _client = create_client(
            os.environ["SUPABASE_URL"],
            os.environ["SUPABASE_ANON_KEY"],
        )
    return _client

Step 2: Query, Filter, and Mutate Data
All queries return { data, error }. Always destructure and check error before using data.
Select with filters and chaining:

const { data, error } = await getSupabase()
  .from('users')
  .select('id, name, email')
  .eq('active', true)       // WHERE active = true
  .gt('age', 18)            // AND age > 18
  .ilike('name', '%john%')  // AND name ILIKE '%john%'
  .in('role', ['admin', 'editor'])  // AND role IN (...)
  .order('name', { ascending: true })
  .limit(10)

if (error) throw error
// data is typed as Pick<User, 'id' | 'name' | 'email'>[]

Insert with select (return the inserted row):

const { data: newUser, error } = await getSupabase()
  .from('users')
  .insert({ name: 'Alice', email:

                

              

                
                  
                  
                  supabase-security-basics
                  SKILL.md
                  View full skill →
                
                
                  Apply Supabase security best practices: anon vs service_role key separation, RLS enforcement, policy patterns, JWT verification, and API hardening.
                  
                      ReadWriteEditGrepBash(supabase:*)Bash(npx supabase *)
                    
                
                
                  Supabase Security Basics
Overview
Supabase exposes a Postgres database directly to the internet via PostgREST. Every table without Row Level Security enabled is fully readable and writable by anyone with your project URL and anon key — both of which are public. This skill covers the three pillars of Supabase security: key separation (anon vs service_role), RLS policy enforcement, and API surface hardening.
Prerequisites

Supabase project created (local or hosted) with Dashboard access
@supabase/supabase-js installed (npm install @supabase/supabase-js)
SUPABASEURL and SUPABASEANON_KEY environment variables configured
Basic understanding of SQL and Postgres

Instructions
Step 1 — Understand the Two API Keys
Supabase issues two keys per project. Confusing them is the most common security mistake:

Key
Environment Variable
Exposed to Client?
RLS Behavior


Anon key
SUPABASEANONKEY
Yes — browser-safe
Respects all RLS policies


Service role key
SUPABASESERVICEROLE_KEY
NEVER expose
Bypasses ALL RLS


The anon key is a JWT that PostgREST uses to determine which RLS policies apply. It is safe to include in client-side bundles — it can only access data that RLS policies explicitly allow. The service role key bypasses every RLS policy and should only ever exist in server-side code (API routes, Edge Functions, cron jobs, migration scripts).

// CORRECT: anon key on the client
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
)


// CORRECT: service role key ONLY in server-side code
// e.g., app/api/admin/route.ts (Next.js server route)
import { createClient } from '@supabase/supabase-js'

const supabaseAdmin = createClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY!,
  { auth: { autoRefreshToken: false, persistSession: false } }
)


// WRONG — service role key in client-side code
// This bypasses ALL RLS and leaks your admin key to every user
const supabase = createClient(url, process.env.NEXT_PUBLIC_SERVICE_ROLE_KEY!)  // NEVER DO THIS

Key rotation: Regenerate keys in Dashboard > Settings > API. After rotation, update every environment variable and redeploy all services. Old keys are invalidated immediately — there is no grace period.
Step 2 — Enforce Row Level Security on Every Table

                
              

                
                  
                  
                  supabase-upgrade-migration
                  SKILL.md
                  View full skill →
                
                
                  Upgrade Supabase SDK and CLI versions with breaking-change detection and automated code migration.
                  
                      ReadWriteEditBash(npm:*)Bash(npx:*)Bash(pip:*)Bash(supabase:*)Bash(git:*)GrepGlob
                    
                
                
                  Supabase Upgrade Migration
Overview
Upgrade @supabase/supabase-js and the Supabase CLI with breaking-change detection, automated code migration, and rollback planning. Covers the v1-to-v2 migration path (auth method renames, data/error destructuring, realtime API overhaul), minor version bumps, @supabase/ssr adoption, and Python SDK upgrades via pip install --upgrade supabase.
Current State
!npm list @supabase/supabase-js 2>/dev/null | grep supabase || echo 'supabase-js not installed'
!supabase --version 2>/dev/null || echo 'CLI not installed'
!pip show supabase 2>/dev/null | grep Version || echo 'Python SDK not installed'
Prerequisites

@supabase/supabase-js or the Python supabase package installed in the project
Git with a clean working tree (no uncommitted changes)
Test suite available for post-upgrade verification
Node.js >= 18 (for supabase-js v2) or Python >= 3.8 (for Python SDK)

Instructions
Step 1: Audit Versions, Scan Usage, and Review Breaking Changes
Check every installed Supabase package and find all import sites in the codebase.

# Check current SDK version
npm list @supabase/supabase-js

# Check CLI version
supabase --version

# Check Python SDK version
pip show supabase | grep Version

# Find all JS/TS Supabase imports
grep -rn "from '@supabase/supabase-js'" --include="*.ts" --include="*.tsx" --include="*.js" src/ lib/ app/ 2>/dev/null
grep -rn "createClient" --include="*.ts" --include="*.tsx" --include="*.js" src/ lib/ app/ 2>/dev/null

# Find all Python Supabase imports
grep -rn "from supabase" --include="*.py" src/ app/ 2>/dev/null

supabase-js v1 → v2 breaking changes:

v1 Pattern
v2 Replacement
Notes


createClient(url, key)
createClient(url, key)
Signature unchanged, but return type differs


supabase.auth.session()
supabase.auth.getSession()
Sync → async, returns { data: { session } }


supabase.auth.user()
supabase.auth.getUser()
Sync → async, returns { data: { user } }


supabase.auth.signIn({ email, password })
supabase.auth.signInWithPassword({ email, password })
Method split by auth type


supabase.auth.signIn({ provider: 'google' })
supabase.auth.signInWithOAuth({ provider: 'google' })
OAuth separ
                
              
                
                  
                  
                  supabase-webhooks-events
                  SKILL.md
                  View full skill →
                
                
                  Implement Supabase database webhooks, pg_net async HTTP, LISTEN/NOTIFY, and Edge Function event handlers with signature verification.
                  
                      ReadWriteEditBash(supabase:*)Bash(curl:*)Bash(psql:*)Grep
                    
                
                
                  Supabase Webhooks & Database Events
Overview
Supabase offers four complementary event mechanisms: Database Webhooks (trigger-based HTTP calls via pgnet), supabasefunctions.httprequest() (call Edge Functions from triggers), Postgres LISTEN/NOTIFY (lightweight pub/sub), and Realtime postgreschanges (client-side event subscriptions). This skill covers all four patterns with production-ready code including signature verification, idempotency, and retry handling.
Prerequisites

Supabase project (local or hosted) with supabase CLI installed
pgnet extension enabled: Dashboard > Database > Extensions > search "pgnet" > Enable
@supabase/supabase-js v2+ installed for client-side patterns
Edge Functions deployed for webhook receiver patterns

Step 1 — Database Webhooks with pg_net and Trigger Functions
Database webhooks fire HTTP requests when rows change. Under the hood, Supabase uses the pg_net extension to make async, non-blocking HTTP calls from within PostgreSQL.
Enable pg_net and Create the Trigger Function

-- Enable the pg_net extension (one-time)
CREATE EXTENSION IF NOT EXISTS pg_net WITH SCHEMA extensions;

-- Trigger function: POST to an Edge Function on every new order
CREATE OR REPLACE FUNCTION public.notify_order_created()
RETURNS trigger AS $$
BEGIN
  PERFORM net.http_post(
    url    := 'https://<project-ref>.supabase.co/functions/v1/on-order-created',
    headers := jsonb_build_object(
      'Content-Type', 'application/json',
      'Authorization', 'Bearer ' || current_setting('app.settings.service_role_key', true)
    ),
    body   := jsonb_build_object(
      'table',  TG_TABLE_NAME,
      'type',   TG_OP,
      'record', row_to_json(NEW)::jsonb,
      'old_record', CASE WHEN TG_OP = 'UPDATE' THEN row_to_json(OLD)::jsonb ELSE NULL END
    )
  );
  RETURN NEW;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

Attach Triggers for INSERT, UPDATE, DELETE

-- Fire on new rows
CREATE TRIGGER on_order_created
  AFTER INSERT ON public.orders
  FOR EACH ROW EXECUTE FUNCTION public.notify_order_created();

-- Fire on status changes only (conditional trigger)
CREATE OR REPLACE FUNCTION public.notify_order_status_changed()
RETURNS trigger AS $$
BEGIN
  IF OLD.status IS DISTINCT FROM NEW.status THEN
    PERFORM net.http_post(
      url    := 'https://<project-ref>.supabase.co/functions/v1/on-status-change',
      headers := '{"Content-Type": "application/json"}'::jsonb,
      body   := jsonb_build_object(
        'order_id',   NEW.id,
        

                

              

          
        

      
      

      
      

      
      

      
      
  Ready to use supabase-pack?
  
    
    
  




      
      
          Related Plugins
          
            
                data-seeder-generator
                Generate realistic test data and database seed scripts for development and testing environments
              
                data-validation-engine
                Database plugin for data-validation-engine
              
                database-archival-system
                Database plugin for database-archival-system
              
                database-audit-logger
                Database plugin for database-audit-logger
              
                database-backup-automator
                Automate database backups with scheduling, compression, encryption, and restore procedures
              
                database-cache-layer
                Database plugin for database-cache-layer
              
          
        

      
      
          Tags
          
            supabasepostgresdatabaseauthenticationrealtimestorageedge-functionsrlsrow-level-securitybaasbackend-as-a-servicefirebase-alternative
          
        
    
  

  

    

    
    
        
            
                Stay in the Loop
                
                    
                    
                    
                
                No spam. Unsubscribe anytime.
            

            
                
                    Product
                    
                        Explore
                        Skills
                        Cowork
                        Compare
                        Tools
                    
                
                
                    Resources
                    
                        Docs
                        Changelog
                        Collections
                        Playbooks
                        Research
                        Learning
                    
                
                
                    Company
                    
                        Community
                        Spotlight
                        GitHub
                    
                
                
                    Legal
                    
                        Privacy
                        Terms
                        Acceptable Use
                    
                
            

            
                Tons of Skills by Intent Solutions. Marine. Citadel Grad. 20 years ops → self-taught dev → AI architect.
                © 2026 Tons of Skills | Intent Solutions

v1 Pattern	v2 Replacement	Notes
`createClient(url, key)`	`createClient(url, key)`	Signature unchanged, but return type differs
`supabase.auth.session()`	`supabase.auth.getSession()`	Sync → async, returns `{ data: { session } }`
`supabase.auth.user()`	`supabase.auth.getUser()`	Sync → async, returns `{ data: { user } }`
`supabase.auth.signIn({ email, password })`	`supabase.auth.signInWithPassword({ email, password })`	Method split by auth type
`supabase.auth.signIn({ provider: 'google' })`	`supabase.auth.signInWithOAuth({ provider: 'google' })`	OAuth separ supabase-webhooks-events SKILL.md View full skill → Implement Supabase database webhooks, pg_net async HTTP, LISTEN/NOTIFY, and Edge Function event handlers with signature verification. ReadWriteEditBash(supabase:)Bash(curl:)Bash(psql:)Grep Supabase Webhooks & Database Events Overview Supabase offers four complementary event mechanisms: Database Webhooks* (trigger-based HTTP calls via `pgnet`), `supabase``functions.httprequest()` (call Edge Functions from triggers), Postgres LISTEN/NOTIFY (lightweight pub/sub), and Realtime `postgres``changes` (client-side event subscriptions). This skill covers all four patterns with production-ready code including signature verification, idempotency, and retry handling. Prerequisites Supabase project (local or hosted) with `supabase` CLI installed `pgnet` extension enabled: Dashboard > Database > Extensions > search "pgnet" > Enable `@supabase/supabase-js` v2+ installed for client-side patterns Edge Functions deployed for webhook receiver patterns Step 1 — Database Webhooks with `pg_net` and Trigger Functions Database webhooks fire HTTP requests when rows change. Under the hood, Supabase uses the `pg_net` extension to make async, non-blocking HTTP calls from within PostgreSQL. Enable pg_net and Create the Trigger Function -- Enable the pg_net extension (one-time) CREATE EXTENSION IF NOT EXISTS pg_net WITH SCHEMA extensions; -- Trigger function: POST to an Edge Function on every new order CREATE OR REPLACE FUNCTION public.notify_order_created() RETURNS trigger AS $$ BEGIN PERFORM net.http_post( url := 'https://<project-ref>.supabase.co/functions/v1/on-order-created', headers := jsonb_build_object( 'Content-Type', 'application/json', 'Authorization', 'Bearer ' \|\| current_setting('app.settings.service_role_key', true) ), body := jsonb_build_object( 'table', TG_TABLE_NAME, 'type', TG_OP, 'record', row_to_json(NEW)::jsonb, 'old_record', CASE WHEN TG_OP = 'UPDATE' THEN row_to_json(OLD)::jsonb ELSE NULL END ) ); RETURN NEW; END; $$ LANGUAGE plpgsql SECURITY DEFINER; Attach Triggers for INSERT, UPDATE, DELETE -- Fire on new rows CREATE TRIGGER on_order_created AFTER INSERT ON public.orders FOR EACH ROW EXECUTE FUNCTION public.notify_order_created(); -- Fire on status changes only (conditional trigger) CREATE OR REPLACE FUNCTION public.notify_order_status_changed() RETURNS trigger AS $$ BEGIN IF OLD.status IS DISTINCT FROM NEW.status THEN PERFORM net.http_post( url := 'https://<project-ref>.supabase.co/functions/v1/on-status-change', headers := '{"Content-Type": "application/json"}'::jsonb, body := jsonb_build_object( 'order_id', NEW.id, Ready to use supabase-pack? Related Plugins data-seeder-generator Generate realistic test data and database seed scripts for development and testing environments data-validation-engine Database plugin for data-validation-engine database-archival-system Database plugin for database-archival-system database-audit-logger Database plugin for database-audit-logger database-backup-automator Automate database backups with scheduling, compression, encryption, and restore procedures database-cache-layer Database plugin for database-cache-layer Tags supabasepostgresdatabaseauthenticationrealtimestorageedge-functionsrlsrow-level-securitybaasbackend-as-a-servicefirebase-alternative Stay in the Loop No spam. Unsubscribe anytime. Product Explore Skills Cowork Compare Tools Resources Docs Changelog Collections Playbooks Research Learning Company Community Spotlight GitHub Legal Privacy Terms Acceptable Use Tons of Skills by Intent Solutions. Marine. Citadel Grad. 20 years ops → self-taught dev → AI architect. © 2026 Tons of Skills \| Intent Solutions

Resource	Free Tier	Pro ($25/mo)	Team ($599/mo)
Database	500 MB	8 GB included, $0.125/GB extra	8 GB included
Storage	1 GB	100 GB included, $0.021/GB extra	100 GB included
Bandwidth	5 GB	250 GB included, $0.09/GB extra	250 GB included
Edge Functions	500K invocations	2M invocations, $2/million extra	2M invocations
Realtime	200 concurrent	500 concurrent	500 concurrent
Auth MAU	50,000	100,000	100,000

Instance	vCPUs	RAM	Price
Micro	2	1 GB	Included with Pro
Small	2	2 GB	$25/mo
Medium	2	4 GB	$50/mo
Large	4	8 GB	$100/mo
XL	8	16 GB	$200/mo
2XL	16	32 GB	$400/mo

Report	What It Shows
API Requests	Total requests, response times, error rates by endpoint
Database	Active connections, query counts, replication lag
Auth Usage	Signups, logins, provider breakdown, failed attempts
Storage	Bandwidth, object counts, bucket usage
Realtime	Active connections, messages per second, channel counts

Metric	Free	Pro	Enterprise
Requests per minute (RPM)	500	5,000	Unlimited (custom)
Requests per day (RPD)	50,000	1,000,000	Unlimited (custom)

Endpoint	Free	Pro
Signup	30/hour per IP	Higher (configurable)
Sign-in (password)	30/hour per IP	Higher (configurable)
Magic link / OTP	4/hour per user	Configurable
Token refresh	360/hour	360/hour

Metric	Free	Pro
Storage size	1 GB	100 GB
Bandwidth	2 GB/month	250 GB/month
Max file size	50 MB	5 GB
Upload rate	Shared with API RPM	Shared with API RPM

Metric	Free	Pro
Concurrent connections	200	500
Messages per second	100	500
Channel joins	Shared with connection limit	Shared

Metric	Free	Pro
Invocations/month	500,000	2,000,000
Execution time	150s wall / 50ms CPU	150s wall / 2s CPU
Memory	256 MB	256 MB

Entity	Key Columns	Relationships
Organization	name, slug, plan	has many Projects, has many Members
Project	name, description, status	belongs to Organization, has many Tasks
Task	title, priority, status, due_date	belongs to Project, assigned to User
Member	role (owner/admin/member)	junction linking User to Organization

Key	Environment Variable	Exposed to Client?	RLS Behavior
Anon key	`SUPABASEANONKEY`	Yes — browser-safe	Respects all RLS policies
Service role key	`SUPABASESERVICEROLE_KEY`	NEVER expose	Bypasses ALL RLS