Supabase

Supabase provides a complete backend development platform powered by PostgreSQL, giving developers a dedicated database alongside auto-generated REST and GraphQL APIs, JWT-based authentication, real-time WebSocket subscriptions, serverless edge functions, and file storage — all as open-source tools unified under a single dashboard.

Unlike Firebase’s proprietary NoSQL approach, Supabase is built entirely on PostgreSQL, preserving full SQL expressiveness, ACID guarantees, and portability. Row Level Security (RLS) policies declared at the database level are automatically enforced across every API surface, eliminating the need to duplicate access control logic in application code. The platform composes best-in-class open source components — PostgREST for REST APIs, GoTrue for auth, Realtime (Elixir) for WebSocket broadcasts, and pgvector for AI embeddings — behind a unified developer experience.

Supabase supports both a fully managed cloud offering and complete self-hosting via Docker Compose, making it suitable for teams who want instant productivity as well as enterprises requiring data sovereignty. The Studio dashboard provides visual tools for table editing, SQL querying, RLS policy management, log drains, and an AI assistant powered by PGLite that evaluates SQL locally in the browser before execution. With official client libraries for JavaScript, Flutter, Swift, Python, and Kotlin, and MCP server support for AI coding tools, Supabase positions itself as the default backend for modern full-stack and AI-powered applications.

What You Get

• Hosted PostgreSQL Database - Every project gets a dedicated PostgreSQL instance with full SQL access, materialized views, partitioned tables, foreign tables, and Postgres extensions like PostGIS and pgvector — with no vendor lock-in on your schema or data.
• Auto-generated REST and GraphQL APIs - PostgREST introspects your PostgreSQL schema at runtime and exposes every table and view as a fully documented REST endpoint with filtering, sorting, pagination, and joins — no code required. pg_graphql adds GraphQL on top of the same schema.
• Realtime Subscriptions via WebSocket - The Realtime Elixir server listens to PostgreSQL logical replication and broadcasts row-level inserts, updates, and deletes to authorized clients over WebSockets, enabling live collaborative features without a custom message broker.
• JWT Authentication with Row Level Security - GoTrue provides complete user management with email/password, magic links, OAuth providers, and MFA. RLS policies defined directly in PostgreSQL enforce fine-grained data access at the database level, propagating automatically to all API surfaces.
• Serverless Edge Functions - TypeScript and JavaScript functions deployed to Deno’s edge runtime execute close to users, handling custom business logic, webhook processing, AI workflows, and third-party integrations without managing servers or cold start penalties.
• S3-Compatible File Storage - A RESTful storage API manages uploads, downloads, image transformations (via imgproxy), and access control for files of any type, with PostgreSQL RLS policies controlling who can read or write each bucket.
• AI and Vector Embeddings Toolkit - Native pgvector support enables storing, indexing (HNSW and IVFFlat), and querying high-dimensional embeddings from OpenAI, Hugging Face, and other ML providers directly in Postgres, powering semantic search and retrieval-augmented generation without an external vector database.
• Studio Dashboard with AI Assistant - A full-featured web interface provides a spreadsheet-style table editor, SQL editor with explain/analyze diagrams, RLS policy builder, log drain configuration, and an AI assistant that uses PGLite (WASM Postgres) to validate SQL locally before execution.

Common Use Cases

• Launching a startup MVP without a backend engineer - A founder uses Supabase’s auto-generated REST API, Auth, and Storage to ship a production-ready full-stack application with zero backend code, going from idea to live product in days rather than months.
• Adding live collaboration to a React or Next.js app - A developer subscribes to database changes via Supabase Realtime to sync shared document state, presence indicators, or live feeds across all connected clients without building a custom WebSocket server or message queue.
• Building AI-powered semantic search - A data engineer stores OpenAI embeddings in pgvector columns and uses similarity queries to power semantic search or RAG pipelines over user-generated content, keeping all vector operations inside the same Postgres database that holds the rest of the application data.
• Replacing Firebase in a Flutter or Swift mobile app - A mobile team migrates from Firebase to Supabase using official Flutter and Swift SDKs to gain structured SQL queries, TypeScript-generated types, and RLS-enforced data isolation per user without changing their client-side architecture significantly.
• Self-hosting a compliant backend for enterprise data - An engineering team deploys Supabase via Docker Compose on their own infrastructure to meet GDPR, HIPAA, or SOC 2 data residency requirements while retaining the full feature set including realtime, auth, storage, and edge functions.
• Building MCP-enabled AI agents that manage databases - An AI engineer connects Supabase’s MCP server to Claude Code, Cursor, or VS Code Copilot to let AI agents read schema, run migrations, create RLS policies, and deploy edge functions through natural language commands.

Under The Hood

Architecture Supabase is organized as a large monorepo orchestrated by Turbo and pnpm workspaces, with clearly delineated application layers and shared packages enforcing modularity across the entire codebase. The platform itself is a composition of independent microservices — PostgREST handles REST API generation, GoTrue manages authentication, the Realtime Elixir server broadcasts database changes, Storage manages file operations, and Edge Runtime executes serverless functions — each running as a separate Docker container behind a Kong API gateway that centralizes routing and authentication. The Studio dashboard follows a domain-driven data layer where each feature area (auth, storage, functions, database, etc.) has its own isolated query module using TanStack Query v5, decoupling server state completely from UI components. This architecture means individual services can be upgraded, replaced, or disabled without cascading changes through the monolith.

Tech Stack The Studio dashboard is built on Next.js 16.x with React 18, TypeScript strict mode throughout, and TanStack Query v5 for server-state management, deployed to Vercel with Sentry for observability. The monorepo is managed by pnpm and Turbo with intelligent build caching across all packages. Backend services are heterogeneous by design: PostgreSQL as the core relational engine, PostgREST (Haskell) for auto-generated APIs, GoTrue (Go) for authentication, Realtime (Elixir/Phoenix) for WebSocket subscriptions via logical replication, and Deno-based Edge Runtime for serverless functions. The AI integration layer uses the Vercel AI SDK, PGLite (a WASM build of Postgres), and the Model Context Protocol for AI tool integrations. Tailwind CSS and a centralized design system provide visual consistency across all surfaces.

Code Quality The repository demonstrates strong testing discipline with over 440 test files combining unit tests in the Studio (Vitest, 353 unit test files) with comprehensive E2E coverage through Playwright across 25 feature spec files covering the full Studio feature set. TypeScript strict mode and Zod runtime validation enforce correctness at both compile time and API boundaries. A dedicated error-patterns module provides typed error handling across the data layer. Linting and formatting run via ESLint and Prettier enforced by Turbo across all sub-packages, with GitHub Actions CI gates preventing regressions. Naming conventions are consistent, test titles are descriptive, and the domain-organized data directory structure makes the codebase navigable by feature rather than by technical layer.

What Makes It Unique Supabase’s core technical innovation is composing proven open source primitives — PostgREST, GoTrue, Realtime, pgvector — into a platform where Row Level Security, declared once in PostgreSQL, automatically enforces access control across REST, GraphQL, realtime subscriptions, and storage without any application-layer duplication. The Studio AI assistant runs PGLite, a full WASM build of Postgres, in the browser to validate SQL queries locally before they execute against the live database, enabling safe AI-generated SQL without server round-trips. The Supabase MCP server lets AI coding assistants manage databases, run migrations, and deploy edge functions through natural language in Claude Code, Cursor, and VS Code. The Multigres Postgres parser — built in 8 weeks using AI-assisted development — is 2.5x faster than the established cgo alternative, demonstrating novel engineering velocity. Together these innovations position Supabase as infrastructure designed from the ground up for the AI-native development era.

Self-Hosting

Supabase is licensed under the Apache License 2.0, one of the most permissive open source licenses available. This means you can use it commercially, modify the source code, distribute it, and include it in proprietary products without any obligation to open source your own code. There are no copyleft requirements, no restrictions on commercial use, and no per-seat licensing fees for the self-hosted version. The full source code — including Studio, docker-compose configurations, all service integrations, and tooling — is available under this license.

Running Supabase yourself is well-documented and achievable using the official Docker Compose setup in the repository, which orchestrates the full stack: PostgreSQL, PostgREST, GoTrue (auth), Realtime (Elixir), Storage API, Edge Runtime, Kong gateway, imgproxy, postgres-meta, Logflare, and Supavisor (connection pooler). The operational reality is that you are taking on responsibility for all of these services simultaneously — database backups, WAL-based replication configuration, SSL termination, secret rotation, upgrades to each component version, and monitoring. The docker/versions.md and CHANGELOG.md track service versions and help coordinate upgrades, but coordinating across a dozen containers requires genuine DevOps capability. Minimum viable infrastructure is a single server with at least 4GB RAM; production deployments with realtime, storage, and edge functions will require significantly more resources and ideally separate persistence volumes.

Compared to Supabase’s managed cloud, self-hosting gives up automatic backups with point-in-time recovery, managed read replicas, PrivateLink (AWS VPC), Log Drains to external observability platforms, and SOC 2 compliance certifications that the cloud offering carries. The cloud tier also provides automatic service upgrades, SLA-backed uptime, and a billing portal — none of which exist in self-hosted form. Supabase does offer enterprise contracts with dedicated support, SSO/SAML, and custom SLAs for teams on the managed cloud, but there is no paid enterprise tier specifically for self-hosted deployments. Teams with strict data residency requirements will find the Apache 2.0 license and comprehensive Docker setup sufficient; teams that want operational peace of mind will find the managed cloud worth the cost.