Supabase project = one backend

Each project has:

• A database
• Auth users
• Storage buckets
• API keys

Backend-as-a-Service (BaaS):

• PostgreSQL database

  • ACID transactions
  • Strong relational model
  • JSONB support
  • Indexes, joins, views, triggers

• Authentication

  • Email & password
  • Magic link
  • OAuth (Need to get key at oauth platform, and set supbase url as callback url at oauth platform)
  • Phone (OTP)

• Realtime subscriptions

  • Listen to DB changes
  • Uses WebSockets

  supabase
  .channel('posts')
  .on('postgres_changes', { event: '*', schema: 'public', table: 'posts' }, handler)
  .subscribe()
  

• Storage (files)

  • Buckets (public / private)
  • Signed URLs
  • CDN-backed

  supabase.storage
    .from('avatars')
    .upload('user.png', file)
  

• Edge Functions

  • Serverless functions
  • Run globally (close to users)
  • Written in TypeScript

Supabase Authentication:

• Auto handle password hashing, token issue, session management, oauth flow

• Built on GoTrue (battle-tested)

  1. A user signs up or logs in.
  2. Supabase verifies credentials (email/password, OAuth, magic link)
  3. Password is hashed + salted.
  4. It issues a JWT (sign with secret key)
  5. That token is sent with every request your app makes
  6. Postgres checks the token automatically

• When someone signs up:

  // built in sign up function
  supabase.auth.signUp({
    email,
    password
  })
  

  • A row appears in auth.users
  • You typically create a matching profile row
  • Auth data lives in auth.users, app data lives in your own tables