
Supabase

INFRA · APIS · DEVOPS
Velocity: 6.3

Open-source Firebase alternative with PostgreSQL

Supabase is reversing its biggest security default - public-schema tables no longer auto-exposed via PostgREST.

security-defaults · rls-testing · breaking-changes · oauth-compliance · postgrest · data-api
Current state
The headline shipping move is a deliberate change to Supabase's security posture: new projects can opt out of automatic Data API and GraphQL exposure for public-schema tables, with broader defaults flipping in May. Around it: an OAuth 2.1 compliance fix, an RLS Tester preview to make policy verification possible from the UI, and a steady drumbeat of platform improvements summarized in the monthly developer update.
Where it's heading
Supabase is rebuilding the security defaults that made it fast to start with but easy to misconfigure. Combine the no-auto-expose change with the RLS Tester preview and the direction is clear: the platform is moving from convention-based exposure to explicit, testable access control. The OAuth compliance fix and developer updates suggest steady investment in standards conformance rather than new product surface this window.
Prediction
Expect the no-auto-expose default to apply to existing projects (with a long opt-out runway), and the RLS Tester to graduate from preview into the dashboard as a first-class panel. Continued breaking-change drumbeat tied to OAuth/OIDC compliance is likely.

Recent moves

  1. 13d ago

    Developer Update - May 2026

    Monthly developer roundup highlighting custom OAuth/OIDC providers in Auth, the no-auto-expose change to public-schema tables, and required explicit Postgres grants for PostgREST reachability. Mostly a packaging of changes shipped over the prior weeks.

  2. 13d ago

    Deprecation Notice: Dropping Support for Node.js 20

  3. 20d ago

    Breaking Change: OAuth token endpoint will return HTTP 200 instead of 201

    OAuth /v1/oauth/token will return HTTP 200 instead of 201 on May 26 to align with OAuth 2.1 section 3.2.3. Affects integrations that explicitly check for 201; small breaking change driven by spec compliance and stricter OAuth clients.

  4. 23d ago

    Breaking Change: Tables not exposed to Data and GraphQL API automatically

    ⚡ SPARK

    Tables in the public schema are no longer auto-exposed to the Data API and GraphQL on new projects, with broader defaults shifting in May. Marks Supabase moving from convention-based exposure to explicit grants - the most significant security default change in the platform's history.

  5. 23d ago

    Fragment of no-auto-expose announcement

    Fragment of the same no-auto-expose announcement captured by the changelog feed (anchor link section). Same content, no new substance.

  6. 27d ago

    Feature Preview: RLS Tester

    RLS Tester ships as a feature preview, letting devs run SQL as a specific role from the dashboard to verify policy behavior. Closes a long-known gap that GitHub discussions kept surfacing, and sits alongside the no-auto-expose change as the verification half of explicit-access defaults.
