supabase
Build with Supabase databases and auth
Also available from: Dicklesworthstone,Acurioustractor
Supabase changes frequently and has security traps that silently create vulnerabilities. This skill provides verified best practices for schema design, RLS policies, auth security, CLI usage, and MCP server setup.
Download the skill ZIP
Upload in Claude
Go to Settings → Capabilities → Skills → Upload skill
Toggle on and start using
Test it
Using "supabase". Create a users table with RLS for a multi-tenant SaaS app
Expected outcome:
The skill guides you through creating the table with proper RLS policies, enabling row-level security, setting up org-based access control, and avoiding common pitfalls like using user_metadata for authorization decisions.
Using "supabase". My supabase db diff produces empty output after applying changes
Expected outcome:
The skill explains that apply_migration was likely used instead of execute_sql for iteration, and walks through the correct workflow: use execute_sql for iteration, then supabase db pull to generate the final migration file.
Security Audit
SafeAll 66 static analyzer findings are false positives. The analyzer treated markdown documentation (CLI examples, URLs, and reference links) as executable code. The skill contains only Supabase best-practice documentation, CLI usage guides, and a feedback template. No actual code execution, credential handling, or network operations exist in the skill files. Safe for publication.
Quality Score
What You Can Build
Secure database schema setup
Design PostgreSQL schemas with proper RLS policies, avoiding common Supabase security traps like exposed service_role keys and views that bypass row-level security.
Auth integration debugging
Resolve authentication issues involving JWT claims, session management, cookie handling, and authorization logic using verified Supabase security patterns.
Migration workflow management
Create, iterate, and commit database migrations using the correct Supabase CLI workflow, avoiding common pitfalls with migration history and schema diffs.
Try These Prompts
Create a Supabase table called 'projects' in the public schema with Row Level Security enabled. Include policies for authenticated users to read their own projects and admins to manage all projects.
My Supabase getSession() returns null after page refresh in Next.js. The auth cookie is set but the server-side call fails. Check my middleware and auth configuration.
Set up the Supabase MCP server in my project. Create the .mcp.json configuration file and walk me through the OAuth authentication flow to enable database query tools.
Configure Supabase Storage bucket policies so users can upload and update their own avatar images but cannot access other users' files. Include the required INSERT, SELECT, and UPDATE policies.
Best Practices
- Enable Row Level Security on every table in exposed schemas and create policies that match the actual access model
- Never use user_metadata claims for authorization decisions in RLS policies since they are user-editable
- Always verify Supabase features against current documentation before implementing, as APIs and CLI commands change between versions
Avoid
- Exposing service_role or secret keys in frontend code or NEXT_PUBLIC environment variables
- Using apply_migration for iterative schema changes instead of execute_sql or supabase db query
- Placing security definer functions in exposed schemas instead of private schemas