
What is Supabase and why did the AI choose it?

Straight answer

Supabase is a hosted service that gives an app a ready-made database, logins and file storage, so the builder does not have to construct those from scratch. AI tools reach for it because it covers the common backend needs in one place and connects quickly. If your app remembers anything, it may well run on Supabase.

Information current as at 5 July 2026

If you have poked around your AI-built app, you may have run into the name Supabase without ever choosing it. It is one of the most common services these tools rely on, and understanding what it does clears up a lot about where your app's data and logins actually live, and where its safety is decided.

Plain English
Supabase
A hosted service that provides an app with a database, user logins and file storage in one place.
Postgres
The well-established database technology that Supabase is built on top of.
Row Level Security
A Supabase setting that controls which rows of data each user is allowed to read or change.
Anon key
A public key that lets the frontend talk to Supabase, safe only if the rules behind it are set correctly.

What Supabase is

Supabase is a service that hands an app a set of backend building blocks ready to use. The centre of it is a database, built on a long-established and trusted technology called Postgres, where your app stores its information. Around that database it adds the other things most apps need: a system for user accounts and logins, storage for files like images and uploads, and a way for your app to read and write data without you wiring up a server yourself. In short, it packages up the common backend an app needs into one hosted service you sign up for. Instead of separately arranging a database, a login system and file storage, and gluing them together, you get them in one place, already connected. That bundling is exactly why it appeals to fast builders.

Why an AI tool reaches for it

When an AI builder like Lovable, Bolt or Replit generates an app that needs to remember things, it faces a choice about where the data and logins go. Supabase is a natural default for a few reasons. It covers the common needs (database, authentication and storage) in one integration, so the tool does not have to stitch several services together. It connects quickly and has generous starting tiers, which suits rapid building. And it is widely used, so there is a lot of existing knowledge for the AI to draw on when writing the code around it. The result is that a great many AI-built apps quietly stand on Supabase, chosen not by you but by the tool, because it is the path of least resistance to a working backend. That is not a bad choice, but it is one worth knowing you made by proxy.

No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Where the safety is decided

Here is the part that matters most. Supabase can be perfectly secure or dangerously open, and the difference is in how it is configured, not in the service itself. The key concept is Row Level Security: rules that decide which rows of data each user is allowed to see and change, so one customer cannot read another's records. When these rules are set correctly, your data is protected even though the app talks to Supabase from the browser. When they are missing or wrong, which happens surprisingly often in AI-built apps, the door is effectively open, and a curious person can read data they should never see. The app looks identical either way. This is why simply using Supabase tells you nothing about safety; whether its rules were set up properly is the real question, and it is one worth checking before real customers trust you with their information.
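What "missing" and "set correctly" look like in practice, as an added example that is not from the original page. The table `public.orders`, its `user_id` column and the policy names are hypothetical; `auth.uid()` is the Supabase function that returns the logged-in user's id.

```sql
-- Hypothetical table: one row per order, owned by the user in user_id.
create table public.orders (
  id      bigint generated always as identity primary key,
  user_id uuid   not null references auth.users (id),
  item    text   not null
);

-- Weak state: the table is left exactly as created above. Row Level
-- Security is off, so any role that holds privileges on the table
-- (assumed here: the roles behind the public key and behind logged-in
-- users) is handed every row, whoever owns it.

-- Corrected state: switch RLS on, then add rules that tie each row to
-- its owner. With RLS on and no policy, ordinary roles get no rows at
-- all, so the policies below are what grant access back, narrowly.
alter table public.orders enable row level security;

create policy "orders_select_own" on public.orders
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "orders_insert_own" on public.orders
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy "orders_update_own" on public.orders
  for update to authenticated
  using ((select auth.uid()) = user_id)        -- rows the user may target
  with check ((select auth.uid()) = user_id);  -- owner cannot be reassigned
```

No policy names the public (anon) role here, so a request carrying only the public key gets no rows from this table.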

What to check on your own Supabase

If your app uses Supabase, a few practical checks are worth doing. Confirm the project sits in an account you control, not only the builder's, because this is your data. Look at whether Row Level Security is turned on for your tables and whether there are actual rules, rather than it being left open. Note the keys your app uses and make sure the public one is only public because the rules behind it are sound, and that no private key is exposed in the frontend. And check the region your data sits in, which can matter for Australian privacy obligations. You do not need to become a Supabase expert to do this, but you do need to know these things exist. If turning them over raises doubts you cannot resolve, that is a sensible moment to get a second opinion before it becomes a real problem.
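The Row Level Security and key checks above can be run as queries in the project's SQL editor. This is an added example, not from the original page; it reads only standard Postgres catalogs, and it assumes your tables live in the `public` schema and that the project uses Supabase's `anon` and `authenticated` roles.

```sql
-- 1. Is RLS on for each table, and does it have any rules at all?
select c.relname             as table_name,
       c.relrowsecurity      as rls_enabled,
       count(p.policyname)   as policy_count,
       case
         when not c.relrowsecurity
           then 'RLS off: table privileges alone decide access'
         when count(p.policyname) = 0
           then 'RLS on, no policies: ordinary roles get no rows'
         else 'RLS on with policies: read each rule in query 2'
       end                   as finding
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
       on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public'
  and c.relkind in ('r', 'p')          -- ordinary and partitioned tables
group by c.relname, c.relrowsecurity
order by c.relrowsecurity, c.relname;  -- tables with RLS off listed first

-- 2. Are the rules actual rules? A qual or with_check of 'true' admits
--    every row, which is the same as leaving the table open for that
--    command and role.
select tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public'
order by tablename, policyname;

-- 3. What can the public-key role and logged-in users touch? Any table
--    listed here with RLS off in query 1 is readable or writable in
--    full by that role.
select table_name, grantee, privilege_type
from information_schema.role_table_grants
where table_schema = 'public'
  and grantee in ('anon', 'authenticated')
order by table_name, grantee, privilege_type;
```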

Common questions


What does Supabase do for my app?
It gives your app a hosted database to store information, a system for user logins, and storage for files, all in one service. If your app has accounts or remembers what people do, Supabase is very likely the thing quietly handling that behind the scenes.
Did I choose Supabase or did the AI?
Usually the AI builder chose it for you, because it covers the common backend needs in one place and connects quickly. Many people discover their app runs on Supabase only when they go looking. It is worth checking whose account the project sits in.
Is Supabase secure?
It can be, but that depends entirely on how it is configured, not on the service. The crucial setting is Row Level Security, the rules deciding who can read what. Missing or wrong rules leave data open, which happens often in AI-built apps. Using Supabase alone tells you nothing about safety.
What is Row Level Security?
It is the set of rules in Supabase that controls which rows of data each user can read or change, so one customer cannot see another's records. When it is set correctly your data is protected; when it is missing, the door is effectively open. Checking it is one of the most valuable things you can do.