Backend-as-a-Service (BaaS):

• PostgreSQL database

  • ACID transactions
  • Strong relational model
  • JSONB support
  • Indexes, joins, views, triggers

• Authentication (auto handle password hashing, token issue, session management, oauth flow)

  • Email & password
  • Magic link
  • OAuth (Need to get key at oauth platform, and set supbase url as callback url at oauth platform)
  • Phone (OTP)

• Realtime subscriptions

  • Listen to DB changes
  • Uses WebSockets

  supabase
  .channel('posts')
  .on('postgres_changes', { event: '*', schema: 'public', table: 'posts' }, handler)
  .subscribe()
  

• Storage (files)

  • Buckets (public / private)
  • Signed URLs
  • CDN-backed

  supabase.storage
    .from('avatars')
    .upload('user.png', file)
  

• Edge Functions

  • Serverless functions
  • Run globally (close to users)
  • Written in TypeScript

Row Level Security

• Authorization lives in SQL
• Database decides what rows user can access
• Setup policy

// for client components, uses anon public key, RLS is always enforced

// for server components, can bypass rls, use own auth rule code

create policy "Users can read own profile"
on profiles
for select
using (auth.uid() = id);

Auth flow:

User logs in
   ↓
Supabase Auth
   ↓
JWT issued
   ↓
JWT sent with every request