Adding auth and a database with Supabase

The moment a project needs user accounts or stored data — a client dashboard, a booking history, a saved cart — a static site isn’t enough. When that happens, my go-to is Supabase: a hosted Postgres database with authentication, storage and auto-generated APIs on top.

Why Supabase

• Real Postgres, not a proprietary black box — I can write normal SQL and take the data anywhere later.
• Auth out of the box — email/password, magic links, Google login — without me hand-rolling session security.
• Row Level Security (RLS) — access rules live in the database, so a user can only ever read their own rows even if the frontend has a bug.

How it fits together

1. Frontend (Next.js + React) calls Supabase directly for most reads/writes, using the public anon key — safe, because RLS enforces who can see what.
2. Sensitive logic (payments, admin actions) runs server-side — a Node.js API route or a Supabase Edge Function with the service key, never exposed to the browser.
3. Postgres holds the data, with RLS policies as the real source of truth for permissions.

What I’d flag to a client

• Design the RLS policies first. They’re the security model — get them right before building screens on top.
• Keep the service key server-side only. The anon key is fine in the browser; the service key never is.
• Use database constraints, not just frontend checks — the database is the last line of defence.

Supabase is how I add a secure backend to a project quickly without reinventing auth and a database every time — and it pairs cleanly with the React/Next.js work.