Sources

{ts:112} they're moving in the right direction but initially it was sort of pitched as you have this client side SDK and you {ts:119} can communicate with your database directly on the front end and then the way that's secured is with row level {ts:124} security which is basically just a bunch of policies that define whether or not a user can successfully make a SQL query … {ts:150} going through and saying okay you can only read your own stuff we secure that one table that way and then we can go {ts:156} ahead and just read it from our front end we don't have to worry about spinning up a server on the back end it {ts:161} just works and the problem with this is that real applications and real databases are never that simple the {ts:167} project that I tried to use this architecture on was block and right now I think we have something like 20 tables {ts:174} and that's tame compared to most real applications all of those tables have tons of stuff on them they are a lot of {ts:180} very complicated relationships in there because we need to get all of the events working we need to link those to people … {ts:205} when you want to deal with stuff like relations and owners and all these different things it just gets so {ts:210} unwieldy and it's so easy to just let one little thing slip through and then your entire app falls apart it just {ts:216} isn't feasible and if you want even more proof that these direct access databases of service things are not a good idea go

Supabase just dropped their **Security Retro for 2025**, and it's packed with changes that affect how you build and secure your apps. Most improvements focus on safer defaults, better tooling, and making Row Level Security (RLS) less painful for developers new to the pattern. This article covers what shipped in 2025 and what's planned for 2026. ... ## 1. Data API Controls You can now **disable the Data API entirely** when creating a new project. This means no auto-generated REST or GraphQL endpoints — your database behaves like standard Postgres (similar to RDS). For existing projects, the same option is available in project settings. Once disabled, you can still connect directly through the connection pooler or standard Postgres connections.

In this candid review, we explore some of the challenges developers may encounter while using Supabase — issues like cumbersome migration processes, limits on email authentication that could leave users stuck, and performance bottlenecks due to edge functions. While the platform excels in many ways, these lesser-known pitfalls could complicate your project and lead to unexpected hurdles.

Even though it looks like a great product initially, it has a lot or errors and bugs when you are trying to actually build something more robust than a toy app. Local development is a massive pain with random bugs. The response time of the database also varies all over the place. But the most important problem that we faced, was having so much of application logic in the database. … Expressivity was challenging, but was compounded by security being implicit. I couldn't look at any given spot in my code and confirm what data it's allowed to access - that depends on the privileges of the current DB connection. Once you mix in connections with cross-user privileges, that's a risky situation to try to secure. Imagine a 1-million-row table and a query with `WHERE x=y` that should result in about 100 rows. Postres will do RLS checks on the full 1 million rows before the WHERE clause is involved at all. … searchableguy on May 19, 2023 You should make the default editor read only and allow switching to write mode with a big warning. This would discourage people from writing SQL or using UI to modify in production. The dashboard has always screamed "use me to edit" and I have used supabase in the beginning and very recently too. Nothing has changed to discourage it so far. Maybe something like mode button which is present at top and you can click to switch between development and production mode? This would also change a couple more things which you do not want to touch in production by accident. If anything, I think the admin dashboard encouraging directly doing operations on the database is the biggest weakness of Supabase. I would much prefer being able to lock it down to purely CI-driven migrations. … I also had a tough time working w/ an app someone else built on Supabase. We kept bumping up against what felt like "I know feature X exists in postgres, but it's 'coming soon' in Supabase." IIRC the blocker was specific to the trigger/edge function behavior. However after reflecting more, I don't remember enough to make a detailed case. Perhaps the issue was with our use of the product.

### No Instant Channels Supabase offers no live chat at any tier, even Enterprise. Phone support is completely unavailable. Developers who need immediate help for urgent production issues often find this gap noticeable compared with competitors. [1] ### Complex Issues Redirected Advanced Postgres tuning questions sometimes receive the response "this is a database question, not a Supabase question." This leaves users to solve hard problems through community resources or external knowledge. Documentation remains excellent but cannot replace fast expert help for edge cases. [1] ## Missing Built-in Capabilities ### No Native Analytics Dashboard Supabase does not include a built-in analytics dashboard. You must connect external tools to track usage and behavior. This extra step adds complexity to projects that need quick insights. [1] ### Lack of Native Queue System No built-in queuing mechanism exists. Developers implement queues manually with pg_cron or external services. Background job workflows therefore require additional architecture. [1] ### Advanced Caching Requires Manual Setup Caching beyond basic levels demands external Redis or similar services. Supabase does not provide managed caching out of the box. High-traffic applications must plan for this extra layer. [1] ### Limited Backup Retention on Team Plan Team plan backups are retained for only 14 days. Longer retention requires external solutions. Projects with strict recovery needs must handle this limitation. [1] ## Performance and Latency Drawbacks ### Edge Functions Cold Starts Edge Functions using Deno experience 200-400 ms cold start times. Latency-sensitive endpoints need warming strategies to stay responsive. This behavior contrasts with fully warm serverless platforms. [1] ### Realtime Security in Early Versions Earlier Realtime implementation allowed users to listen to changes across rows without proper key restrictions. Secure client-side realtime required waiting for later improvements. This limitation affected trust in client-exposed subscriptions. [4] ## Cost and Scaling Surprises ### Separate Projects for Environments Each staging or development environment counts as a separate project. Running production plus staging doubles your base costs. Teams that need isolated environments face multiplied bills. [1] ### Compute Overages During Spikes Traffic spikes can push you past included compute and trigger pay-as-you-go charges. One test saw an extra $47 in a single month from a spike. Costs remain predictable for steady workloads but less so during bursts. [1] … ## Developer Experience Friction ### Advanced Postgres Requires Raw SQL Triggers, custom aggregations, and some extensions demand raw SQL knowledge. Junior developers may struggle without prior database experience. The platform leans heavily on SQL strengths and weaknesses. [1] ### RLS Debugging Can Be Tricky Complex Row Level Security policies take time to debug correctly. Initial setup feels complicated until templates and examples click. Authorization mistakes can expose data if policies are misconfigured. [1] ### Glitchy Dashboard in Earlier Tests The management UI has been called glitchy and raw. Users encountered multiple bugs during short sessions. Workarounds sometimes required connecting via local psql client. [4] ## Integration and Ecosystem Gaps ### No Native Stripe Integration Stripe payments require manual webhook setup. No pre-built connector exists for this common use case. Custom integration work becomes necessary for e-commerce flows. [1] ### Limited No-Code and Marketing Connectors HubSpot, Mailchimp, and similar marketing tools need custom work. The ecosystem offers fewer pre-built no-code solutions than some competitors. API-first design helps but still demands extra effort. [1] ## Frequently Asked Questions ## What are the main disadvantages of Supabase? Supabase lacks live chat and phone support at every tier, forcing reliance on email, Discord, or GitHub with slower response times. [1] Edge Functions suffer noticeable cold starts of 200-400 ms that need manual warming. [1] Built-in analytics, queues, and advanced caching are absent, requiring external services. The dashboard has shown glitches and the need for raw SQL knowledge can slow down teams without strong Postgres experience. [1] [4] ## Is Supabase really that good? Many developers praise Supabase for its clean dashboard, excellent documentation, generous free tier, and relational power that beats NoSQL limitations. [1] Real-world users describe it as one of the best developer experiences they have had, with fast setup and strong real-time performance. [2] Still, gaps in instant support, missing convenience features, and occasional cold-start latency prevent it from being perfect for every team.

## Query limitations You cannot execute raw SQL queries from the Supabase client. I’m sure there are reasons for this. But I often find myself wanting to write queries that the Supabase client does not support. Or that would at least be far more efficient when using proper SQL. The solution for this is to create a named Postgres stored procedure which you can then call from the client. … I don’t like this because the code for it is stowed away in the database. This means that every time I want to read or change it I need to leave my editor and go to the Supabase GUI. And it also means I now have logic inside my DB and thus outside of my codebase. Another option would be using a Postgres view. But that comes with similar drawbacks. … Now assume you use the Supabase client and go directly from DB to frontend. In that case, you’d have to fetch huge amounts of data to the browser and run the calculations there just to display one calculated number. That’s not practical. So instead I have a proper backend that can run the calculations with ease. … ## Pick the good parts of Supabase while ignoring the rest I’m not a fan of using the Supabase client for fetching data. Yes, it may be great for beginners who just want some data in their frontend. Without running their own backend. Solutions that are so simple and try to abstract the backend rarely scale well to real-world use cases. You spend far more time creating workarounds than what the “easy” solution saves you. Another example of this is Hasura. It may look great for simple CRUD demos. But as soon as you try to solve actual problems you start having to fight its limitations.

Only friction points: advanced Postgres features like triggers and custom aggregations require raw SQL knowledge. The Realtime setup needs manual channel subscriptions which isn’t immediately obvious. And the Storage API permissions model took us 2 attempts to get right for public/private file handling. But honestly, **these are minor compared to the overall smoothness**. … What’s missing: no built-in analytics dashboard (you need external tools), no native queue system (requires custom implementation with pg_cron or external service), and advanced caching requires manual Redis setup. The backup system on Team plan retains only 14 days – we’d prefer configurable retention. And while the platform handles millions of requests, true high-scale scenarios (10M+ users) require architecture planning. … What’s missing: no live chat even on Enterprise plans, which feels outdated in 2026. No phone support at any tier. Complex Postgres issues sometimes get bounced to “this is a database question, not a Supabase question”, which technically makes sense but can leave you stuck. The knowledge base could use more troubleshooting guides for edge cases. … ### ➕ Pros / ➖ Cons ✅ **Exceptional documentation** with multi-framework examples and videos ✅ **Active Discord community** with team members responding regularly ✅ **GitHub issues triaged fast** with transparent feature roadmap ✅ **Weekly platform updates** show strong commitment to stability ❌ **No live chat** even on Enterprise plans feels outdated ❌ **Email response times** (24-48h) slower than competitors

### Firebase’s problems at scale 1. **Lock-in is real** - Firebase isn’t just a tool. It’s an ecosystem. - Your backend logic lives in Cloud Functions, your data in Firestore or Realtime DB, your auth rules in a custom DSL. - Migrating *anything* becomes painful. **2. Querying Firestore gets weird fast** - No joins. Limited where clauses. You start doing gymnastics with data duplication and client-side merging. - Performance suffers — and so does your sanity. **3. Debugging is painful** - Ever tried debugging a Firebase rule mismatch at 2 a.m.? Good luck. - Logs are spread across tools. Testing access control becomes trial-and-error. ### Supabase’s problems at scale 1. **You own the ops (even if they hide it)** - Sure, Supabase is “hosted,” but you’re closer to the DB. - Bad queries = bad performance. - You’ll need to think like a backend dev eventually (indexes, auth layers, rate limits). **2. DevEx gaps still exist** - The dashboard UI and auth workflows aren’t as frictionless as Firebase. - Docs are good, but edge cases can take digging. - Community is smaller (but growing fast).

Picture this: you're three weeks into building your startup's MVP when you realize Firebase's pricing could bankrupt you if your app actually takes off. The vendor lock-in starts feeling like a noose, and you're desperately searching for an alternative that won't force you to rewrite everything from scratch. ... … ### The Honest Limitations **Ecosystem Immaturity Hurts** Finding solutions to edge cases often means digging through GitHub issues instead of Stack Overflow answers. Third-party integrations are limited, and community resources pale compared to Firebase's extensive documentation and tutorials. **Offline Support is Practically Non-Existent** If your app needs robust offline functionality, Supabase will disappoint. There's no native offline sync, no conflict resolution, and no local caching mechanisms. You'll need to build this yourself or look elsewhere. **Platform Stability Concerns** I've experienced unexpected downtime and breaking changes in minor updates. The platform feels less battle-tested than mature alternatives, which can be nerve-wracking for production applications. **Limited Serverless Functions** Edge Functions work but lack the sophistication and ecosystem of AWS Lambda or Vercel Functions. Complex backend logic often requires external services. ### Who Should (and Shouldn't) Use Supabase **Perfect for:** Small to medium teams building web-first applications who value SQL databases and open-source flexibility. ... **Avoid if:** You need robust offline support, have complex serverless requirements, or require enterprise-grade stability guarantees. Large teams might struggle with the limited ecosystem. **Deal-breakers:** Mobile-first apps requiring offline sync, applications with complex business logic requiring extensive serverless functions, or projects demanding 99.99% uptime SLAs. **Team size considerations:** Solo developers and small teams (2-5 people) benefit most from Supabase's simplicity. Larger teams might find the ecosystem limitations frustrating and prefer more mature platforms despite higher costs. … ### Hidden Costs and Limitations Watch out for bandwidth overages beyond included limits—additional bandwidth costs $0.09/GB. The free tier's 7-day project pause can disrupt development workflows. Database compute scaling isn't automatic; you'll need manual intervention for traffic spikes.

# What I don't like about Supabase ... There's so much to love about Supabase - it's very easy to get started, and it has most of the things you need from auth to storing vectors. We hear about all these great things all the time. But just like any other platform it has its own gotchas and nuances that could be annoying to some. We barely hear about these and I thought let me be that bad guy! ## Migrations Migrations in Supabase are great until they are not. It works well for adding new tables, columns, or modifications. But, when you start adding DB functions, it becomes a pain. Unlike table changes, functions are something you will iterate over many times. For each iteration, you will end up creating a new migration file and you will end up piling up a ton of them! You could squash your migrations later, but creating a new migration file for every little change is a bad developer experience. When I discussed this with my colleague Pruthvi, the hack he suggested was to use the Supabase interface to iterate over your function and create migration when ready! Another nuance I encountered was, that my DB migration files were part of the frontend repo. Traditionally, you want to run db migrations along with backend deployment. This design choice is probably because most Supabase projects use only Supabase as their backend, thanks to their edge functions. Hence it probably makes sense in most cases to run DB migrations when you are running a frontend deployment pipeline, as frontend code is the only direct dependency for migrations. But if your application is complex and needs more compute power than what edge functions can offer, you end up having a backend hosted on AWS or something similar. In my case, I had my backend powered by AWS Lambda functions. In this case, you will end up with a dilemma of where to run migrations! ## Unknown Limits After a few weeks of development of my app, my auth randomly stopped working! After digging, I found out I had hit a limit on the number of emails that could be sent per hour, which was 3! Because of this Auth email confirmations were not going through. I was completely unaware of this limit until it stopped working. It was buried under some setting which I hadn't gone to at all until this point. It would have been better to have this as a "note" or something in the Auth documentation. It broke the flow of my app development, instead of testing my features, I was now thrown into figuring out how to setup custom SMTP unexpectedly. … ## Compute Having only edge functions as compute is very limiting. Most apps need compute more powerful than this. I often find myself pairing Supabase with AWS Serverless stack to compensate for the lack of compute on Supabase. If I had an option to run full-runtime functions (like AWS Lambda) on Supabase, most of my use cases could be contained within Supabase. ## Hidden Costs Point in Time Recovery (PITR) is a very important feature for me in a production database. I have overcome two catastrophic incidents during early years of being CTO thanks to this feature. It allows you to recover database to a “point in time”, meaning if something bad happend at 5:15PM you can restore the database to the point as is at 5:14. This feature in Supabase costs whopping $100 a month, irrespective of size of your database! I’m ok to pay for this but single price irrespective of size seems unfair! Would have liked it if it was tiered or was based on how far can you go back! For example, NeonDB has PITR in their free plan but allows you to go back only 24hours, which I can live with!

Discover the challenges of using Superbase for web development, from writing complex Postgres SQL to the struggle of managing TypeScript and Postgres syntax. Explore alternative solutions to improve team workflow and code readability. ... One of the primary challenges with Supabase arises when integrating it deeply into TypeScript projects. My initial attraction to Supabase was its seamless client-library integration for straightforward operations. For example, inserting a record using the Supabase client in TypeScript is quite intuitive: ``` const { data, error } = await supabase .from('table') .insert([{ column: 'value' }]); ``` This snippet demonstrates a simple insert operation, which most developers can easily follow. However, complications arise when the requirements go beyond basic CRUD operations. ### The Complexity of Advanced Operations When more complex database interactions are required, such as inserting records into multiple tables within a single function, the limitations become evident. Executing multiple insert operations sequentially can lead to performance bottlenecks due to the necessity of making multiple round trips to the server. To circumvent this, developers often resort to creating RPC (Remote Procedure Call) functions. This necessitates writing Postgres functions, which introduces a new layer of complexity. ### Transitioning Between TypeScript and SQL The need to write SQL within Supabase's environment, often switching from a TypeScript editor to Supabase Studio, disrupts the development workflow. The following example illustrates how an RPC function must be created in SQL, not TypeScript: ``` CREATE OR REPLACE FUNCTION insert_into_multiple_tables() RETURNS void LANGUAGE plpgsql AS $$ BEGIN INSERT INTO table1 (column) VALUES ('value1'); INSERT INTO table2 (column) VALUES ('value2'); END; $$; ``` This function resides outside the main codebase, making it harder to trace the full application logic, especially when working within a team. The transition between TypeScript and SQL creates a fragmented development process, complicating debugging and maintenance. ### Team Workflow and Readability Issues Working within a team exacerbates these issues. Team members are not only required to be proficient in TypeScript but also in SQL, particularly the specialized SQL dialect used by Postgres. This dual knowledge requirement can be a significant obstacle for teams whose primary expertise lies in TypeScript. The implementation details of database interactions become obscured, residing in the depths of SQL functions rather than in the more familiar TypeScript codebase. This lack of transparency can lead to confusion and inefficiencies. ### Effective Use of Policies Another pain point is managing row-level security policies. Understanding whether an insert operation complies with these policies often requires diving into the Supabase dashboard, which can distance developers from the core TypeScript code. Managing these policies via the dashboard is not as intuitive as having them within the main codebase, thus complicating access control management. ### The Search for Alternatives Given these challenges, some developers resort to using two client libraries, one for basic operations and another for more complex transaction management. Libraries like Drizzle or Kysely offer alternatives, albeit at the cost of increasing the project’s complexity by including multiple libraries. ### Reflections on Supabase Despite these challenges, I initially enjoyed the learning curve associated with writing raw SQL queries and delving into Postgres’ capabilities. This experience has been enriching; however, it is not sustainable for a team environment. The tool's steep learning curve for new team members and the fragmented workflow have overshadowed the benefits. … ### Conclusion While Supabase offers a robust platform with significant capabilities, its current implementation poses challenges that cannot be overlooked, particularly in team settings. The necessity to jump between TypeScript and SQL environments, along with the additional management of security policies and RPC functions, can disrupt the development workflow and obscure the codebase's transparency. These issues have led me to reconsider my use of Supabase, seeking alternative solutions that better align with my development philosophy and team dynamics.

I actually migrated an existing Firebase project to Supabase mid-development. I've dealt with their support team at 2 AM when things broke. I've hit their rate limits, wrestled with their CLI, and spent hours debugging RLS policies that seemed straightforward in theory. This isn't a surface-level exploration based on documentation—it's a battle-tested assessment from someone who's actually shipped production code using this platform. … ### The Honest Limitations **Ecosystem Immaturity Hurts** Finding solutions to edge cases often means digging through GitHub issues instead of Stack Overflow answers. Third-party integrations are limited, and community resources pale compared to Firebase's extensive documentation and tutorials. **Offline Support is Practically Non-Existent** If your app needs robust offline functionality, Supabase will disappoint. There's no native offline sync, no conflict resolution, and no local caching mechanisms. You'll need to build this yourself or look elsewhere. **Platform Stability Concerns** I've experienced unexpected downtime and breaking changes in minor updates. The platform feels less battle-tested than mature alternatives, which can be nerve-wracking for production applications. **Limited Serverless Functions** Edge Functions work but lack the sophistication and ecosystem of AWS Lambda or Vercel Functions. Complex backend logic often requires external services. ### Who Should (and Shouldn't) Use Supabase **Perfect for:** Small to medium teams building web-first applications who value SQL databases and open-source flexibility. Ideal for MVPs, internal tools, and projects where real-time features are crucial. **Avoid if:** You need robust offline support, have complex serverless requirements, or require enterprise-grade stability guarantees. Large teams might struggle with the limited ecosystem. **Deal-breakers:** Mobile-first apps requiring offline sync, applications with complex business logic requiring extensive serverless functions, or projects demanding 99.99% uptime SLAs. **Team size considerations:** Solo developers and small teams (2-5 people) benefit most from Supabase's simplicity. Larger teams might find the ecosystem limitations frustrating and prefer more mature platforms despite higher costs.