Use when doing ANY task involving Supabase. Triggers: Supabase products (Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues); client libraries and SSR integrations (supabase-js, @supabase/ssr) in Next.js, React, SvelteKit, Astro, Remix; auth issues (login, logout, sessions, JWT, cookies, getSession, getUser, getClaims, RLS); Supabase CLI or MCP server; schema changes, migrations, security audits, Postgres extensions (pg_graphql, pg_cron, pg_vector).
breaking-change tags relevant to your task, and follow the linked page for any that apply. Then look up the relevant topic using the documentation access methods below.anon and authenticated roles will need to be explicitly granted access.Note that this is separate from RLS, which controls which rows are visible once a table is accessible, not whether the table is accessible at all.
GRANT SQL. When granting public (anon/authenticated) access, always enable RLS too. See Exposing a Table to the Data API for the full setup workflow.public by default. This is critical in Supabase because tables in exposed schemas can be reachable through the Data API when the anon/authenticated roles have access (see Exposing a Table to the Data API). For private schemas, prefer RLS as defense in depth. After enabling RLS, create policies that match the actual access model rather than defaulting every table to the same auth.uid() pattern.user_metadata claims in JWT-based authorization decisions. In Supabase, raw_user_meta_data is user-editable and can appear in auth.jwt(), so it is unsafe for RLS policies or any other authorization logic. Store authorization data in raw_app_meta_data / app_metadata instead.session_id against auth.sessions on sensitive operations.app_metadata or auth.jwt() for authorization, remember JWT claims are not always fresh until the user's token is refreshed.service_role or secret key in public clients. Prefer publishable keys for frontend code. Legacy anon keys are only for compatibility. In Next.js, any NEXT_PUBLIC_ env var is sent to the browser.CREATE VIEW ... WITH (security_invoker = true). In older versions of Postgres, protect your views by revoking access from the anon and authenticated roles, or by putting them in an unexposed schema.auth.role() is deprecated — use the TO clause instead. Supabase has deprecated auth.role() in favour of specifying the target role directly on the policy with TO authenticated or TO anon. Beyond deprecation, auth.role() = 'authenticated' breaks silently when anonymous sign-ins are enabled, because anonymous users carry the authenticated Postgres role and pass the check regardless of whether the user is genuinely signed in.
-- Deprecated (do not use)
create policy "example" on table_name for select
using ( auth.role() = 'authenticated' );
TO authenticated alone is authentication without authorization (BOLA / IDOR). Using TO authenticated only checks the role — it does not restrict which rows a user can access. The correct pattern combines TO authenticated with an ownership predicate in USING:
create policy "example" on table_name for select
to authenticated
using ( (select auth.uid()) = user_id );
USING and WITH CHECK. Without WITH CHECK, a user can reassign a row's user_id to another user:
create policy "example" on table_name for update
to authenticated
using ( (select auth.uid()) = user_id )
with check ( (select auth.uid()) = user_id );
SECURITY DEFINER functions bypass RLS. A SECURITY DEFINER function runs with its creator's privileges — typically a role with bypassrls (e.g., postgres). Never add SECURITY DEFINER to resolve a permission error; it silently removes access control without fixing the underlying cause. Prefer SECURITY INVOKER.SECURITY DEFINER functions in public are callable by all roles. Postgres grants EXECUTE to PUBLIC by default for every new function, so any SECURITY DEFINER function in public is a public API endpoint callable by anon and authenticated (which inherit from PUBLIC) without any additional grant. When SECURITY DEFINER is genuinely needed (e.g., bypassing RLS on an internal lookup table), keep the function in a non-exposed schema, always include an auth.uid() check in the function body, and run supabase db advisors after making changes.supabase-js, @supabase/ssr, supabase-py, etc.). See the npm security guide for the full checklist.--help — never guess. The CLI structure changes between versions.supabase --help # All top-level commands
supabase <group> --help # Subcommands (e.g., supabase db --help)
supabase <group> <command> --help # Flags for a specific command
supabase db query requires CLI v2.79.0+ → use MCP execute_sql or psql as fallbacksupabase db advisors requires CLI v2.81.3+ → use MCP get_advisors as fallbacksupabase migration new <name> first. Never invent a migration filename or rely on memory for the expected format.supabase --version to check. For CLI changelogs and version-specific features, consult the CLI documentation or GitHub releases.curl -so /dev/null -w "%{http_code}" https://mcp.supabase.com/mcp
A 401 is expected (no token) and means the server is up. Timeout or "connection refused" means it may be down..mcp.json configuration:
Verify the project root has a valid .mcp.json with the correct server URL. If missing, create one pointing to https://mcp.supabase.com/mcp..mcp.json is correct but tools aren't visible, the user needs to authenticate. The Supabase MCP server uses OAuth 2.1 — tell the user to trigger the auth flow in their agent, complete it in the browser, and reload the session.search_docs tool (preferred — returns relevant snippets directly).md to the URL path.execute_sql (MCP) or supabase db query (CLI). These run SQL directly on the database without creating migration history entries, so you can iterate freely and generate a clean migration when ready.apply_migration to change a local database schema — it writes a migration history entry on every call, which means you can't iterate, and supabase db diff / supabase db pull will produce empty or conflicting diffs. If you use it, you'll be stuck with whatever SQL you passed on the first try.supabase db advisors (CLI v2.81.3+) or MCP get_advisors. Fix any issues.supabase db pull <descriptive-name> --local --yessupabase migration list --local