Supabase Setup

Auth plus Postgres live in Supabase; this page is the checklist for project creation, keys, and running migrations locally or in CI.

1. Create a project

Go to supabase.com and create a new project. Note your:

  • Project URL (e.g., https://xxxxx.supabase.co)
  • anon key (public, safe to expose in the browser; what it can read or write is limited by the RLS policies from migration 2)
  • service_role key (secret -- keep this server-side only)

2. Run the migrations

In the Supabase dashboard, open SQL Editor and run each migration file in order:

Migration 1: Core schema

Run supabase/001_schema.sql

Creates the core tables:

  • workspaces -- workspace records
  • memberships -- user-to-workspace relationships with roles
  • invitations -- pending email invitations
  • products -- example workspace-scoped data
  • subscriptions -- Stripe subscription state
  • audit_logs -- append-only event log

Migration 2: Row-Level Security

Run supabase/002_rls.sql

Enables RLS on every table and creates:

  • Helper functions: is_workspace_member(), workspace_role()
  • Policies ensuring users can only access data in workspaces they're members of

Migration 3: Soft delete and dashboard

Run supabase/003_soft_delete_and_dashboard.sql

Adds:

  • deleted_at column to products (soft delete)
  • Partial indexes for active and trashed product queries
  • daily_audit_counts() function for the dashboard activity chart

Migration 4: Onboarding

Run supabase/004_onboarding.sql

Adds:

  • setup_complete flag on workspaces for the onboarding wizard

Migration 5: Tags, comments, and 2FA

Run supabase/005_tags_comments_2fa.sql

Creates:

  • tags and record_tags tables (colored labels for any record)
  • comments table (threaded comments with @mentions)
  • require_2fa flag on workspaces
  • RLS policies for all new tables

Migration 6: Remaining features

Run supabase/006_remaining_features.sql

Creates:

  • bookmarks -- user-scoped bookmarks
  • saved_views -- saved data table configurations
  • api_keys -- workspace API key management
  • webhooks and webhook_deliveries -- outgoing webhook system
  • login_history -- sign-in attempt tracking
  • attachments -- file attachment records
  • scheduled_actions -- scheduled task management
  • workspace_ip_allowlist -- IP restriction (Enterprise)
  • custom_field_definitions -- dynamic field schemas
  • webhook_events -- incoming webhook event log
  • notification_preferences -- per-user notification settings

3. Create the profiles table

The profiles table stores public user info. Add this table and trigger after running the migrations:

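-- One profile row per auth user; removed automatically when the auth user is deleted.
CREATE TABLE IF NOT EXISTS public.profiles (
  id UUID PRIMARY KEY REFERENCES auth.users(id) ON DELETE CASCADE,
  email TEXT,
  full_name TEXT,
  avatar_url TEXT,
  updated_at TIMESTAMPTZ DEFAULT now()
);

-- Trigger function: copies id, email and provider metadata into public.profiles.
-- SECURITY DEFINER runs with the function owner's privileges, so search_path is
-- pinned to empty and every object reference is schema-qualified.
CREATE OR REPLACE FUNCTION public.handle_new_user()
RETURNS TRIGGER LANGUAGE plpgsql SECURITY DEFINER SET search_path = '' AS $$
BEGIN
  INSERT INTO public.profiles (id, email, full_name, avatar_url)
  VALUES (
    NEW.id,
    NEW.email,
    NEW.raw_user_meta_data->>'full_name',
    NEW.raw_user_meta_data->>'avatar_url'
  )
  -- If the row already exists, refresh email and keep existing values where the new ones are NULL.
  ON CONFLICT (id) DO UPDATE SET
    email = EXCLUDED.email,
    full_name = COALESCE(EXCLUDED.full_name, profiles.full_name),
    avatar_url = COALESCE(EXCLUDED.avatar_url, profiles.avatar_url);
  RETURN NEW;
END;
$$;

-- Drop first so the script can be re-run, like the statements above.
DROP TRIGGER IF EXISTS on_auth_user_created ON auth.users;
CREATE TRIGGER on_auth_user_created
  AFTER INSERT ON auth.users
  FOR EACH ROW EXECUTE FUNCTION public.handle_new_user();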

4. Configure Auth providers

In Authentication > Providers:

Email

  • Enable "Confirm email" for production
  • Tip: Disable email confirmation in development for faster iteration

Google

  1. Create OAuth credentials in the Google Cloud Console
  2. Add the Client ID and Client Secret in Supabase
  3. Set the authorized redirect URI to your Supabase project's callback URL

GitHub

  1. Create an OAuth App in GitHub Settings > Developer settings
  2. Add the Client ID and Client Secret in Supabase
  3. Set the callback URL to your Supabase project's callback URL

URL configuration

In Authentication > URL Configuration:

  • Site URL: Your app URL (e.g., http://localhost:3000 for local dev)
  • Redirect URLs: Add http://localhost:3000/auth/callback and your production URL's callback

5. Environment variables

NEXT_PUBLIC_SUPABASE_URL=https://xxxxx.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...
SUPABASE_SERVICE_ROLE_KEY=eyJ...   # Server-side only, never expose publicly
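
A pre-deploy check for the variables above, as an added example that is not part of the original page or project: it reads the role claim from each key and flags a service_role key placed in any NEXT_PUBLIC_ variable, which Next.js inlines into the browser bundle. It assumes the JWT-format keys shown here (eyJ...) with a role claim of anon or service_role; decodeRole, checkSupabaseEnv and makeConstructedKey are hypothetical names, and the sample keys are constructed.

```javascript
// Added example; decodeRole, checkSupabaseEnv and makeConstructedKey are hypothetical names.
// Assumption: keys are the JWT-format keys shown on this page (eyJ...), whose payload
// carries a "role" claim of "anon" or "service_role".

// Read the "role" claim without verifying the signature (sanity check, not authentication).
function decodeRole(key) {
  const parts = String(key || "").split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const payload = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null;
  }
}

// Return a list of problems found in an env object (for example process.env).
function checkSupabaseEnv(env) {
  const problems = [];
  // Every NEXT_PUBLIC_* variable ends up in client-side JavaScript.
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith("NEXT_PUBLIC_") && decodeRole(value) === "service_role") {
      problems.push(`${name} holds a service_role key and would ship to the browser`);
    }
  }
  const anonRole = decodeRole(env.NEXT_PUBLIC_SUPABASE_ANON_KEY);
  if (anonRole !== "anon") {
    problems.push(`NEXT_PUBLIC_SUPABASE_ANON_KEY has role ${anonRole}, expected anon`);
  }
  const serviceRole = decodeRole(env.SUPABASE_SERVICE_ROLE_KEY);
  if (serviceRole !== "service_role") {
    problems.push(`SUPABASE_SERVICE_ROLE_KEY has role ${serviceRole}, expected service_role`);
  }
  return problems;
}

// Constructed sample keys (unsigned placeholders, not real credentials).
function makeConstructedKey(role) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ iss: "supabase", role })}.constructed-signature`;
}

const swapped = {
  NEXT_PUBLIC_SUPABASE_ANON_KEY: makeConstructedKey("service_role"), // the two keys pasted the wrong way round
  SUPABASE_SERVICE_ROLE_KEY: makeConstructedKey("anon"),
};
console.log(checkSupabaseEnv(swapped));
```

In CI, call checkSupabaseEnv(process.env) before the build step and fail the job when the returned list is not empty.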

Troubleshooting

Issue | Fix
Auth redirect loops | Check Site URL and Redirect URLs in Supabase Auth settings
RLS blocking queries | Verify 002_rls.sql was run and the user is a workspace member
Profile not created on sign-up | Ensure the handle_new_user trigger exists
OAuth callback failing | Check the redirect URL matches exactly (including trailing slash)