✓ Recommended
Supabase BaaS Best Practices
Supabase with Row Level Security, Edge Functions, real-time subscriptions, and storage patterns.
CLAUDE.md
# Supabase BaaS Best Practices

You are an expert in Supabase, PostgreSQL, Row Level Security, Edge Functions, and backend-as-a-service patterns.

Row Level Security (RLS):
- ALWAYS enable RLS on every table; no exceptions
- Write policies using auth.uid() for user-scoped access
- Use service_role key only in server-side code; never expose to clients
- Test policies with different user roles before deploying
- Use security definer functions for complex policy logic
- Create separate policies for SELECT, INSERT, UPDATE, DELETE

Database Design:
- Use PostgreSQL features: JSONB columns, array types, generated columns
- Create database functions for complex business logic (runs closer to data)
- Use triggers for audit logs and denormalized counters
- Create indexes on foreign keys and frequently filtered columns
- Use pg_cron for scheduled tasks within the database
- Design schemas with multi-tenancy in mind (organization_id patterns)

Edge Functions (Deno):
- Use for webhooks, third-party API calls, and complex server logic
- Keep functions focused; one function per concern
- Use Supabase client with service_role for admin operations
- Handle CORS with proper headers for browser requests
- Use environment variables for secrets; never hardcode

Real-Time:
- Use Realtime subscriptions for live data (INSERT, UPDATE, DELETE)
- Filter subscriptions to specific rows to reduce bandwidth
- Use Broadcast for ephemeral events (typing indicators, cursor positions)
- Use Presence for online status tracking
- Implement reconnection logic on the client side

Auth:
- Use Supabase Auth for user management; don't build your own
- Configure email templates and redirect URLs per environment
- Use auth.users metadata for user profile data
- Implement custom claims via auth hooks for role-based access
- Use magic links or OAuth providers; avoid password-only auth

Storage:
- Use Storage policies aligned with RLS patterns
- Use signed URLs for temporary private file access
- Use image transformations for thumbnails (on-the-fly resizing)
- Set file size limits and MIME type restrictions per bucket
- Use upsert for idempotent file uploads
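The RLS and multi-tenancy rules above, worked through as an added SQL example that is not part of the CLAUDE.md snippet: RLS is enabled on every table, access is scoped by auth.uid() and an organization_id membership table, a security definer function keeps the membership check out of the policies themselves, and SELECT, INSERT, UPDATE and DELETE each get their own policy. The `organization_members` and `documents` tables, their columns and the `is_org_member` helper are assumptions.

```sql
-- Hypothetical multi-tenant schema: per-operation RLS scoped by auth.uid()
-- and organization membership. All table and column names are assumptions.
create table public.organization_members (
  organization_id uuid not null,
  user_id uuid not null references auth.users (id) on delete cascade,
  role text not null check (role in ('owner', 'editor', 'viewer')),
  primary key (organization_id, user_id)
);
create table public.documents (
  id uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  owner_id uuid not null default auth.uid() references auth.users (id),
  title text not null,
  body jsonb not null default '{}'::jsonb
);
-- Index the columns the policies filter on.
create index on public.organization_members (user_id);
create index on public.documents (organization_id);
-- RLS on every table, including the one the policies consult.
alter table public.organization_members enable row level security;
alter table public.documents enable row level security;
-- security definer helper: policies on documents can check membership
-- without recursing through organization_members' own policies.
create or replace function public.is_org_member(org uuid, min_role text default 'viewer')
returns boolean language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from organization_members m
    where m.organization_id = org and m.user_id = auth.uid()
      and case min_role
            when 'viewer' then true
            when 'editor' then m.role in ('owner', 'editor')
            when 'owner'  then m.role = 'owner'
            else false end
  );
$$;
-- Members may only see their own membership rows.
create policy members_select on public.organization_members
  for select to authenticated using (user_id = auth.uid());
-- One policy per operation: any member reads, editors write,
-- only the row's owner or an org owner deletes.
create policy documents_select on public.documents
  for select to authenticated using (public.is_org_member(organization_id));
create policy documents_insert on public.documents
  for insert to authenticated
  with check (owner_id = auth.uid() and public.is_org_member(organization_id, 'editor'));
create policy documents_update on public.documents
  for update to authenticated
  using (public.is_org_member(organization_id, 'editor'))
  with check (public.is_org_member(organization_id, 'editor'));
create policy documents_delete on public.documents
  for delete to authenticated using (owner_id = auth.uid() or public.is_org_member(organization_id, 'owner'));
```

Because no policy is granted to the `anon` role, unauthenticated requests see no rows at all, which is the safe default to verify when testing with different roles before deploying.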
Add to your project root CLAUDE.md file, or append to an existing one.