Securing your API

The data APIs are designed to work with Postgres Row Level Security (RLS). If you use Supabase Auth, you can restrict data based on the logged-in user. To control access to your data, you can use Policies.

Enabling Row Level Security#

If you create a table through the Dashboard, RLS will be enabled by default. This is not the case, however, if you create a table or view using SQL. To enable RLS on any table:

  1. Go to the Authentication page in the Dashboard.
  2. Click on Policies in the sidebar.
  3. Select Enable RLS to enable Row Level Security.

With RLS enabled, you can create Policies that allow or disallow users to access and update data. We provide a detailed guide for creating Row Level Security Policies in our Authorization documentation.

Safeguards towards accidental deletes and updates#

By default, all projects have the safeupdate Postgres extension enabled for API queries. This ensures that delete() and update() requests will fail if there are no filters provided. To confirm that safeupdate is enabled for API queries, run the following query:

from pg_shadow
where usename = 'authenticator';

The expected value for useconfig should be:

['session_preload_libraries=supautils, safeupdate']