Supabase, Next.js, Node.js, Postgres
Adding auth and a database with Supabase
How I add user accounts, a Postgres database and secure data access to a project with Supabase — without standing up a whole backend from scratch.
The moment a project needs user accounts or stored data — a client dashboard, a booking history, a saved cart — a static site isn’t enough. When that happens, my go-to is Supabase: a hosted Postgres database with authentication, storage and auto-generated APIs on top.
Why Supabase
- Real Postgres, not a proprietary black box — I can write normal SQL and take the data anywhere later.
- Auth out of the box — email/password, magic links, Google login — without me hand-rolling session security.
- Row Level Security (RLS) — access rules live in the database, so a user can only ever read their own rows even if the frontend has a bug.
How it fits together
- Frontend (Next.js + React) calls Supabase directly for most reads/writes, using the public anon key — safe, because RLS enforces who can see what.
- Sensitive logic (payments, admin actions) runs server-side — a Node.js API route or a Supabase Edge Function with the service key, never exposed to the browser.
- Postgres holds the data, with RLS policies as the real source of truth for permissions.
What I’d flag to a client
- Design the RLS policies first, and enable RLS on every table the API can reach. They’re the security model, and a table without RLS is readable by anyone holding the anon key, so get them right before building screens on top.
- Keep the service key server-side only, because it bypasses RLS entirely. The anon key is fine in the browser; the service key never is.
- Use database constraints, not just frontend checks — the database is the last line of defence.
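As an added example (not code from the original post), here is what "RLS first, constraints in the database" looks like in SQL for a Supabase project; the bookings table, its columns and the policy names are assumptions for illustration.

```sql
-- Added example: a bookings table that only its owner can read or write,
-- enforced in Postgres rather than in the UI. Table and column names are
-- assumptions for illustration.
create table public.bookings (
  id          bigint generated always as identity primary key,
  -- Default the owner to the caller's JWT subject so the client cannot
  -- forget (or spoof) it; the policies below check it anyway.
  user_id     uuid not null default auth.uid()
              references auth.users (id) on delete cascade,
  starts_at   timestamptz not null,
  ends_at     timestamptz not null,
  created_at  timestamptz not null default now(),
  -- A database constraint, not just a frontend check:
  -- a booking cannot end before it starts.
  constraint bookings_time_order check (ends_at > starts_at)
);

-- Without this line the table is reachable by anyone holding the anon key.
alter table public.bookings enable row level security;

-- Each policy compares the row's owner to the JWT subject (auth.uid()).
-- Only signed-in users (the "authenticated" role) get any access at all.
create policy "bookings: owner can read"
  on public.bookings for select
  to authenticated
  using (user_id = auth.uid());

create policy "bookings: owner can insert"
  on public.bookings for insert
  to authenticated
  with check (user_id = auth.uid());

create policy "bookings: owner can update"
  on public.bookings for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "bookings: owner can delete"
  on public.bookings for delete
  to authenticated
  using (user_id = auth.uid());
```

Because no policy is granted to the `anon` role, a request made with the anon key but no session sees zero rows; a signed-in user sees only rows whose `user_id` matches their own token, whatever the frontend asks for.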
Supabase is how I add a secure backend to a project quickly without reinventing auth and a database every time — and it pairs cleanly with the React/Next.js work.