Supabase — Ashlr Stack Provider

Supabase: Postgres + Auth + Storage. Full upstream provisioning via the Management API. Wire it into your project with one command via Ashlr Stack.

One command

Add Supabase to any Ashlr Stack project with a single command. Stack runs the auth flow, provisions the upstream resource via the Supabase Management API, and writes every secret slot into Phantom.

stack add supabase

Or describe what you're building and let Claude pick it up via stack recommend:

stack recommend "serverless postgres for a B2B SaaS"

Auth flow

Stack runs the provider's OAuth (PKCE) flow in your browser. You click Authorise, and Stack captures the token via a one-shot localhost callback server.

How-to: Browser OAuth (PKCE) via the Ashlr Stack app.

Secret slots

`stack add supabase` writes these 3 secret slots into your Phantom vault:

  • SUPABASE_URL
  • SUPABASE_ANON_KEY
  • SUPABASE_SERVICE_ROLE_KEY

The values never leave Phantom in plaintext. Your `.env` file references slot names, and `stack exec -- <cmd>` swaps them in at process-spawn time via Phantom's local proxy.

MCP wiring

Supabase ships an MCP server. `stack add supabase` auto-wires it into `.mcp.json` so your Claude Code / Cursor / Windsurf session can use it immediately.

The wired entry is `@supabase/mcp-server-supabase`, scoped to the new project ref, with `SUPABASE_ACCESS_TOKEN` piped from Phantom.

Starter templates that include Supabase

Apply a pre-wired stack with one command:

  • stack init --template nextjs-supabase-posthog
  • stack init --template supabase-posthog-sentry-resend

Other database providers:

  • Neon — Serverless Postgres. Creates a project and pools the connection string.
  • Turso — Edge SQLite (libSQL). Creates a database in your default org.
  • Convex — Reactive backend-as-a-service. Deploy key stored in Phantom.
  • Upstash — Serverless Redis + Kafka. Management token stored in Phantom.
  • Firebase — Realtime DB + Auth. Service-account JSON stored verbatim in Phantom.

v1 notes

v1 provisions a project and fetches service keys. The database password is auto-generated and stored in Phantom.

FAQ

Do I need a Supabase account to use it with Stack?

Yes — Stack provisions Supabase on your behalf, but it authenticates as you. Stack runs the provider's OAuth (PKCE) flow in your browser. You click Authorise, and Stack captures the token via a one-shot localhost callback server. If you don't have an account yet, Stack can create one during the OAuth flow.

Where does Stack store my Supabase credentials?

In Phantom Secrets, an E2E-encrypted local vault. Stack writes the secret slot names (SUPABASE_URL, SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY) into .stack.toml — the actual values live only in Phantom and never touch disk in plaintext.

Can I rotate or revoke this integration later?

Yes. Run `stack remove supabase` to pull the Supabase service back out (Phantom secrets deleted, MCP entry removed, .stack.toml cleaned up). Rotate the underlying Supabase credentials in their dashboard — https://supabase.com/dashboard — and Stack's next `doctor --fix` will pick up the new values.
