apps/docs/content/guides/integrations/supabase-for-platforms.mdx
Supabase is a Platform as a Service (PaaS) that can be managed programmatically. You can use it to offer the key primitives to your own users, such as Database, Auth, Edge Functions, Storage, and Realtime. Supabase is commonly used as a platform by AI Builders and frameworks needing a backend.
This document will guide you on best practices when using Supabase for your own platform and assumes that Supabase projects are in a Supabase organization that you own. If you want to instead interact with projects that your users own, navigate to OAuth integration for more details.
All features of Supabase can be managed through the Management API or the remote MCP Server.
Management API endpoints:
POST /v1/projectsGET /v1/projects/available-regionsGET /v1/projects/{ref}/healthWe recommend:
americas, emea, and apac and you can make a request to GET /v1/projects/available-regions for region details.pico instances, make sure to not pass in a desired_instance_size when creating a project. >= Micro instances are not able to scale to zero.ACTIVE_HEALTHY after project creation. After creating project, confirm the service that you want to make a request to has a status of ACTIVE_HEALTHY by polling GET /v1/projects/{ref}/health. For example, before making a request to set an Auth configuration confirm that the Auth service has a status of ACTIVE_HEALTHY.curl https://api.supabase.com/v1/projects \
--request POST \
--header "Content-Type: application/json" \
--header "Authorization: Bearer YOUR_SECRET_TOKEN" \
--data '{
"name": "Todo App",
"organization_slug": "aaaabbbbccccddddeeee",
"db_pass": "SUPER_SECURE_PASSWORD",
"region_selection": {
"type": "smartGroup",
"code": "americas"
},
"desired_instance_size": "micro"
}'
Only select customers have access to Pico instances. Submit this form to get access.
</Admonition>Pico instance is our newest compute instance and the only one that scales to zero when not used.
Management API endpoints:
GET /v1/projects/{ref}/api-keysPOST /v1/projects/{ref}/api-keysWe are in the process of migrating away from our legacy API keys anon and service_role and towards API keys publishable and secret.
You can learn more by navigating to Upcoming changes to Supabase API Keys #29260.
</Admonition>Get the API keys by making a GET /v1/projects/{ref}/api-keys request.
curl 'https://api.supabase.com/v1/projects/{ref}/api-keys?reveal=true' \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN'
If the response includes "publishable" and "secret" keys then you're all set and you should only use those from now on.
Otherwise, enable the API keys by making two POST /v1/projects/{ref}/api-keys requests, one for publishable and another for secret.
curl 'https://api.supabase.com/v1/projects/{ref}/api-keys' \
--request POST \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--data '{
"type": "publishable",
"name": "default"
}'
curl 'https://api.supabase.com/v1/projects/{ref}/api-keys?reveal=true' \
--request POST \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--data '{
"type": "secret",
"name": "default",
"secret_jwt_template": {
"role": "service_role"
}
}'
Management API endpoint: PATCH /v1/projects/{ref}/billing/addons
Once you have access to Pico instances, you will no longer be able to upgrade or downgrade to Nano instances.
</Admonition>You can upgrade and downgrade compute sizes by making requests to PATCH /v1/projects/{ref}/billing/addons.
curl 'https://api.supabase.com/v1/projects/{ref}/billing/addons' \
--request PATCH \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--data '{
"addon_type": "compute_instance",
"addon_variant": "ci_small"
}'
Management API endpoints:
PATCH /v1/projects/{ref}/config/authPATCH /v1/projects/{ref}/postgrestPATCH /v1/projects/{ref}/config/storagePATCH /v1/projects/{ref}/config/realtimeYou can manage the configuration of all services using the Management API.
Supabase is a stateful service: we store data. If anything breaks in production, you can't "roll back" to a point in time because doing so might cause your users to lose any data that their production environment received since the last checkpoint.
Because of this, it's important that you adopt a development workflow on behalf of your users:
DEV branchManagement API endpoint: POST /v1/projects/{ref}/branches
After launching a project, it's important that all changes happen on a development branch. Branches can be treated like ephemeral servers: if anything goes wrong you can either revert the changes or destroy the branch and create a new one based off of production.
curl 'https://api.supabase.com/v1/projects/{ref}/branches' \
--request POST \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--data '{
"branch_name": "DEV",
"secrets": {
"STRIPE_SECRET_KEY":"sk_test_123..."
"STRIPE_PUBLISHABLE_KEY":"pk_test_123..."
}
}'
Management API endpoint: POST /v1/projects/{ref}/database/migrations
Only select customers have access to database migrations endpoint. Submit this form to get access.
</Admonition>For this example we will create a todos table using the POST /v1/projects/{ref}/database/migrations endpoint.
create table public.todos (
id serial primary key,
task text not null
);
alter table public.todos
enable row level security;
This endpoint will automatically create a migration inside the supabase_migrations schema and run the migration. If the schema migration fails, the changes will be rolled back.
curl https://api.supabase.com/v1/projects/{ref}/database/migrations \
--request POST \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"query": "create table public.todos (id serial primary key, task text not null); alter table public.todos enable row level security;",
"name": "Create a todos table"
}'
Only select customers have access to restore points. Submit this form to get access.
</Admonition>After every change you make to the database, it's a good idea to create a restore point. This will allow you to roll back the database if you decide to go in a different direction.
Beware that only database changes are captured when creating a restore point.
curl https://api.supabase.com/v1/projects/{ref}/database/backups/restore-point \
--request POST \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"name": "abcdefg"
}'
Only select customers have access to restore points. Submit this form to get access.
</Admonition>After creating restore points, you are able to revert back to any restore point that you want.
curl https://api.supabase.com/v1/projects/{ref}/database/backups/undo \
--request POST \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"name": "abcdefg"
}'
When you revert changes, you are undo-ing all database changes since the specified restore point, including:
It will not affect:
It's important that the data in development branches is NOT production data, especially for non-developers who don't understand the implications of working with data. Security and side-effects (e.g. emailing all production users) are two reasons why this is important.
</Admonition>It's common in DEV branches to "seed" data. This is basically test data for users. Let's insert the following seed to our new todos table:
insert into todos (task)
values
('Task 1'),
('Task 2'),
('Task 3');
You can use the POST /database/query endpoint to add data:
curl https://api.supabase.com/v1/projects/{branch_ref}/database/query \
--request POST \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--header 'Content-Type: application/json' \
--data-binary @- <<EOF
{
"query": "insert into todos (task) values ('Task 1'), ('Task 2'), ('Task 3');"
}
EOF
You can create and deploy Edge Functions on a branch and then merge them into Production.
curl https://api.supabase.com/v1/projects/functions/deploy \
--request POST \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--header 'Content-Type: multipart/form-data' \
--form 'file=@path/to/function.zip' \
--form 'metadata={
"name": "my-function",
"entrypoint_path": "index.ts",
"import_map_path": "import_map.json",
"static_patterns": ["assets/*", "public/*"],
"verify_jwt": true
}'
Management API endpoint: POST /v1/branches/{branch_id_or_ref}/merge
Once the changes have been made, you can merge the changes into the production project:
curl https://api.supabase.com/v1/branches/{ref}/merge \
--request POST \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--header 'Content-Type: application/json' \
--data '{}'
Merging changes will automatically merge only the following:
Management API endpoint: GET /v1/projects/{ref}/advisors/security
Prior to deploying to production we strongly recommend running the security advisor on the project to make sure the latest changes are secure.
curl https://api.supabase.com/v1/projects/{ref}/advisors/security \
--request GET \
--header 'Authorization: Bearer {PAT_OR_USER_TOKEN}' \
--header 'Content-Type: application/json'
Management API endpoint: POST /v1/projects/{ref}/database/backups/restore-pitr
PROD when absolutely necessary.curl https://api.supabase.com/v1/projects/database/backups/restore-pitr \
--request POST \
--header 'Authorization: Bearer {PAT_OR_USER_TOKEN}' \
--header 'Content-Type: application/json' \
--data '{
"recovery_time_target_unix": 1
}'
Management API endpoint: GET /v1/oauth/authorize/project-claim
Only select customers have access to claim flow. Submit this form to get access.
</Admonition>Your users may want to claim the project that currently lives in your org so that they can have more control over it.
We've enabled transferring the project from your org to your user's org while you continue to retain access to interact with the project through an OAuth integration.
curl -L "https://api.supabase.com/v1/oauth/authorize/project-claim?project_ref={ref}&client_id={oauth_client_id}&response_type=code&redirect_uri={redirect_uri}" \
--request GET \
--header 'Authorization: Bearer {PERSONAL_ACCESS_TOKEN}'
The user is redirected to a Supabase UI:
Before transferring the project to your user's org, make sure to remove any custom configuration that you do not want your user's project to retain.
</Admonition>Docs: https://supabase.com/ui/docs/platform/platform-kit
<div className="video-container mb-8"> <iframe className="w-full" src="https://xguihxuzqibwxjnimxev.supabase.co/storage/v1/object/public/videos/marketing/blog/platform-kit/platform-kit.mp4" title="Supabase UI: Platform Kit" allow="accelerometer; autoplay; clipboard-write; encrypted-media; fullscreen; gyroscope; picture-in-picture; web-share" allowfullscreen autoplay muted loop playsInline /> </div>We've created Platform Kit, a collection of UI components that interact with Management API, as a lightweight version of Supabase Dashboard that you can embed directly in your app so your users never have to leave in order to interact with the project.
Management API endpoint: GET /v1/projects/{ref}/analytics/endpoints/logs.all
When you need to debug a project, you can query the project's logs to see if there are any errors and address them accordingly.
curl 'https://api.supabase.com/v1/projects/{ref}/analytics/endpoints/logs.all' \
--get \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--data-urlencode 'sql=SELECT datetime(timestamp), status_code, path, event_message
FROM edge_logs
CROSS JOIN UNNEST(metadata) AS metadata
CROSS JOIN UNNEST(response) AS response
WHERE status_code >= 400
ORDER BY timestamp DESC
LIMIT 100' \
--data-urlencode 'iso_timestamp_start=2025-03-23T00:00:00Z' \
--data-urlencode 'iso_timestamp_end=2025-03-23T01:00:00Z'