Switchy
Sign up
developer-toolsapi_key

Supabase

Postgres, auth, storage, realtime.

Verdict

Supabase via MCP is the database-as-tool integration that turns "I have a question about my data" into a chat sentence. Postgres, auth, storage, realtime — all reachable by the model with the right credentials. What we notice: this is one of the highest-leverage MCPs for technical teams. The model can write and execute SQL against your Supabase Postgres, retrieve schemas, summarise table contents, and reason about data quality. With Sonnet 4.7 or GPT-5, the SQL it produces is correct often enough to skip the IDE roundtrip for ad-hoc analytics. The auth and storage interfaces are useful but second-tier — most teams use the MCP primarily for Postgres queries. Best for: ad-hoc analytics ("how many users signed up last week, by source"); schema exploration when you're picking up a new project; data quality investigations ("are there orphaned records in this table"); prototyping queries before promoting them to a dashboard or product feature. Avoid for: production data writes from chat (the cost of a bad UPDATE is real); compliance-strict deployments where AI access to user data needs DLP review; large-scale data work that should run through a real BI tool. Practical frame: free tier covers small databases; paid for production. The MCP integration uses Supabase service-role or anon keys — choose based on the trust boundary. SQL queries cost very little in tokens; the bottleneck is the model's reasoning quality, not the data volume.

Common use cases

  • Create isolated database branches for feature work
  • Lock production access to office IP ranges
  • Activate custom domains and verify DNS
  • Generate OAuth URLs for user sign-in flows
  • Remove read replicas when scaling down

Integration

Vendor
Supabase
Category
developer-tools
Auth
API_KEY
Tools
50
Composio slug
supabase

Tools

  • Activate vanity subdomain for project

    Activates a vanity subdomain for the specified supabase project, requiring subsequent dns configuration for the subdomain to become operational.

  • Authorize user through OAuth

    Generates a supabase oauth 2.0 authorization url for user redirection, requiring a pre-registered `client id` and a `redirect uri` that matches one of its pre-registered uris.

  • Beta activate custom hostname for project

    Activates a previously configured custom hostname for a supabase project, assuming dns settings are verified externally.

  • Beta get project's custom hostname config

    Retrieves a supabase project's custom hostname configuration, including its status, ssl certificate, and ownership verification, noting that availability may depend on the project's plan.

  • Beta remove a read replica
    destructive

    Irreversibly initiates the removal of a specified read replica from an existing supabase project, confirming only the start of the process, not its completion.

  • Beta update project network restrictions

    Updates and applies network access restrictions (ipv4/ipv6 cidr lists) for a supabase project, which may terminate existing connections not matching the new rules.

  • Check vanity subdomain availability

    Checks if a specific vanity subdomain is available for a supabase project; this action does not reserve or assign the subdomain.

  • Create a database branch

    Creates a new, isolated database branch from an existing supabase project (identified by `ref`), useful for setting up separate environments like development or testing, which can optionally be linked to a git branch.

  • Create a function

    Creates a new serverless edge function for a supabase project (identified by `ref`), requiring valid javascript/typescript in `body` and a project-unique `slug 1` identifier.

  • Create a new third-party auth integration

    Call this to add a new third-party authentication method (oidc or jwks) to a supabase project for integrating external identity providers (e.g., for sso); the api may also support `custom jwks` if sent directly.

  • Create an organization

    Creates a new supabase organization, which serves as a top-level container for projects, billing, and team access.

  • Create new project

    Creates a new supabase project, requiring a unique name (no dots) within the organization; project creation is asynchronous.

  • Create project api key

    Creates a 'publishable' or 'secret' api key for an existing supabase project, optionally with a description; 'secret' keys can have customized jwt templates.

  • Create SSO provider configuration

    Creates a new saml 2.0 single sign-on (sso) provider for a supabase project, requiring either `metadata xml` or `metadata url` for saml idp configuration.

  • Delete an API key from the project
    destructive

    Permanently deletes a specific api key (identified by `id`) from a supabase project (identified by `ref`), revoking its access.

  • Delete an edge function by slug
    destructive

    Permanently deletes a specific edge function (by `function slug`) from a supabase project (by `ref`); this action is irreversible and requires prior existence of both project and function.

  • Delete branch by id
    destructive

    Permanently and irreversibly deletes a specific, non-default database branch by its `branch id`, without affecting other branches.

  • Delete custom hostname config
    destructive

    Deletes an active custom hostname configuration for the project identified by `ref`, reverting to the default supabase-provided hostname; this action immediately makes the project inaccessible via the custom domain and requires subsequent u

  • Delete project by ref
    destructive

    Permanently and irreversibly deletes a supabase project, identified by its unique `ref` id, resulting in complete data loss.

  • Delete third party auth config
    destructive

    Removes a third-party authentication provider (e.g., google, github) from a supabase project's configuration; this immediately prevents users from logging in via that method.

  • Delete vanity subdomain for project
    destructive

    Permanently and irreversibly deletes an active vanity subdomain configuration for the specified supabase project, reverting it to its default supabase url.

  • Deploy function

    Deploys edge functions to a supabase project using multipart upload.

  • Disable preview branching

    Disables the preview branching feature for an existing supabase project, identified by its unique reference id (`ref`).

  • Disable project readonly mode

    Temporarily disables a supabase project's read-only mode for 15 minutes to allow write operations (e.g., for maintenance or critical updates), after which it automatically reverts to read-only.

  • Enable project database webhooks

    Enables database webhooks for the supabase project `ref`, triggering real-time notifications for insert, update, or delete events.

  • Exchange auth code for access and refresh token

    (beta) implements the oauth 2.0 token endpoint to exchange an authorization code or refresh token for access/refresh tokens, based on `grant type`.

  • Execute project database query

    Executes a given sql query against the project's database; use for advanced data operations or when standard api endpoints are insufficient, ensuring queries are valid postgresql and sanitized. use the get table schemas or generate type scr

  • Generate TypeScript types

    Generates and retrieves typescript types from a supabase project's database; any schemas specified in `included schemas` must exist in the project.

  • Get a specific SQL snippet

    Retrieves a specific sql snippet by its unique identifier.

  • Get a SSO provider by its UUID

    Retrieves the configuration details for a specific single sign-on (sso) provider (e.g., saml, google, github, azure ad), identified by its uuid, within a supabase project.

  • Get a third-party integration

    Retrieves the detailed configuration for a specific third-party authentication (tpa) provider, identified by `tpa id`, within an existing supabase project specified by `ref`.

  • Get current vanity subdomain config

    Fetches the current vanity subdomain configuration, including its status and custom domain name, for a supabase project identified by its reference id.

  • Get database branch config

    Retrieves the read-only configuration and status for a supabase database branch, typically for monitoring or verifying its settings.

  • Get information about an organization

    Fetches comprehensive details for a specific supabase organization using its unique slug.

  • Get project API keys

    Retrieves all api keys for an existing supabase project, specified by its unique reference id (`ref`); this is a read-only operation.

  • Get project PgBouncer config

    Retrieves the active pgbouncer configuration (postgresql connection pooler) for a supabase project, used for performance tuning, auditing, or getting the connection string.

  • Get project pgsodium config

    Retrieves the pgsodium configuration, including the root encryption key, for an existing supabase project identified by its `ref`.

  • Get project's auth config

    Retrieves the project's complete read-only authentication configuration, detailing all settings (e.g., providers, mfa, email/sms, jwt, security policies) but excluding sensitive secrets.

  • Get project SSL enforcement configuration

    Retrieves the ssl enforcement configuration for a specified supabase project, indicating if ssl connections are mandated for its database.

  • Get Project Upgrade Eligibility

    Checks a supabase project's eligibility for an upgrade, verifying compatibility and identifying potential issues; this action does not perform the actual upgrade.

  • Get project upgrade status

    Retrieves the latest status of a supabase project's database upgrade for monitoring purposes; does not initiate or modify upgrades.

  • List third-party auth integrations for project

    Lists all configured third-party authentication provider integrations for an existing supabase project (using its `ref`), suitable for read-only auditing or verifying current authentication settings.

  • Remove project network bans
    destructive

    Removes specified ipv4 addresses from a supabase project's network ban list, granting immediate access; ips not currently banned are ignored.

  • Retrieve network bans for project

    Retrieves the list of banned ipv4 addresses for a supabase project using its unique project reference string; this is a read-only operation.

  • Retrieve project network restrictions

    Retrieves the current network restriction settings (e.g., ip whitelists) for a supabase project using its reference id; this is a read-only operation for auditing or verifying network security.

  • Reverify custom hostname

    Re-verifies dns and ssl configurations for an existing custom hostname associated with a supabase project.

  • Setup read replica for project

    Provisions a read-only replica for a supabase project in a specified, supabase-supported aws region to enhance read performance and reduce latency.

  • Update an API key for the project

    Updates an existing supabase project api key's `description` and/or `secret jwt template` (which defines its `role`); does not regenerate the key string.

  • Update pgsodium root key

    Critically updates or initializes a supabase project's pgsodium root encryption key for security setup or key rotation, requiring secure backup of the new key to prevent irreversible data loss.

  • Upgrade the project's PostgreSQL version

    Initiates an asynchronous upgrade of a supabase project's postgresql database to a specified `target version` from a selected `release channel`, returning a `tracking id` to monitor status; the `target version` must be available in the chos

Setup

Setup guide

  1. 1Open your Switchy workspace and navigate to Settings → Integrations → Developer Tools.
  2. 2Click 'Connect' next to Supabase.
  3. 3Log into your Supabase dashboard, go to Project Settings → API, and copy your service role key (keep this secret — it grants full project access).
  4. 4Paste the key into Switchy's auth dialog and click 'Authorize'.
  5. 5Switchy confirms the connection and lists your projects.
  6. 6Open any Space, type '@Supabase check vanity subdomain availability' followed by a subdomain name, and send.
  7. 7If Supabase replies with availability status, the integration is live.
  8. 8To invoke other tools, @mention Supabase in a message and describe what you need — Switchy routes the request to the appropriate tool based on your intent.

What teammates see: by default, memories from Supabase are scoped to the Space (PROJECT visibility) - you can mark any memory PRIVATE or share it ORG-wide.

Works well with

Top models

Compatibility data appears once enough Spaces have used this MCP together with a given model.

How Switchy teams use it

Not enough Spaces yet to publish anonymised usage stats (we require ≥ 50 Spaces per week).

Starter prompts

Branch for Testing

@Supabase create a database branch called 'test-migration' from my main project ref. I need to validate a new schema before deploying.
Open in a Space →

Restrict Network Access

@Supabase update network restrictions for my production project to allow only 203.0.113.0/24 and 2001:db8::/32. Block everything else.
Open in a Space →

Check Domain Availability

@Supabase check if the vanity subdomain 'acme-prod' is available for my project. Let me know if it's taken.
Open in a Space →

Activate Custom Hostname

@Supabase activate the custom hostname 'db.acme.com' for my project. DNS is already configured and verified.
Open in a Space →

Generate OAuth URL

@Supabase generate an OAuth authorization URL for client ID 'abc123' with redirect URI 'https://acme.com/callback'. I need the link for our login page.
Open in a Space →

Example outputs

Illustrative - representative of the model's voice and quality, not literal recordings.

Prompt

@supabase list all active projects in my organization and show me which ones have network restrictions enabled

Output

Found 4 active Supabase projects in your organization: 1. **prod-api** (ref: xyzabc123) – Network restrictions: Enabled (3 CIDR blocks) 2. **staging-app** (ref: def456ghi) – Network restrictions: None 3. **dev-sandbox** (ref: jkl789mno) – Network restrictions: None 4. **analytics-db** (ref: pqr012stu) – Network restrictions: Enabled (1 CIDR block) This is an illustrative example showing how the MCP surfaces project metadata. Actual output depends on your organization's current project roster and configuration state.

Notes

This read-heavy example demonstrates the MCP's ability to query organizational resources and synthesize configuration details. Requires OAuth2 scope granting read access to projects. Useful for auditing security posture across environments before applying stricter network policies.

Prompt

@supabase create a new database branch called 'feature-auth-v2' from our prod-api project for isolated testing

Output

Database branch **feature-auth-v2** created successfully from project **prod-api** (ref: xyzabc123). - Branch ID: `branch_8x7k2m9n` - Status: Provisioning (typically completes in 2-3 minutes) - Isolated schema: Full copy of prod-api's current state - Connection string: Available once provisioning completes This branch is now independent—schema changes here won't affect your production database. Remember to delete the branch when testing concludes to avoid unnecessary billing.

Notes

This write example shows the MCP's workflow for creating isolated database environments. Side-effect: Provisions a new Supabase instance that incurs usage charges. The branch creation is asynchronous; connection details become available only after provisioning completes. Requires project write permissions.

Prompt

@supabase review all projects with custom hostnames and tell me which ones have unverified DNS or expired SSL certificates

Output

Analyzed 2 projects with custom hostname configurations: **prod-api** (api.acme.com): - DNS verification: ✓ Verified - SSL certificate: ✓ Valid until 2025-09-14 - Status: Active **staging-app** (staging.acme.com): - DNS verification: ✗ Pending (CNAME record not detected) - SSL certificate: N/A (cannot issue until DNS verified) - Status: Inactive Recommendation: Update the CNAME record for staging.acme.com to point to the Supabase-provided target, then re-verify. This is an illustrative synthesis—actual DNS/SSL states vary by your infrastructure.

Notes

This synthesis example pairs the MCP's custom hostname retrieval with AI reasoning to surface operational risks. Particularly valuable for teams managing multiple environments where DNS misconfigurations can cause production outages. Note: Custom hostname features may require Pro or Enterprise plans; availability varies by project tier.

Use-case deep-dives

Multi-environment database provisioning

When Supabase MCP beats manual branch creation for dev teams

A 6-person engineering team ships features weekly and needs isolated staging databases for each pull request. The Supabase MCP's branch creation tool spins up a copy of production schema in under 30 seconds, then the team's AI workspace can wire up environment variables and run seed scripts without context-switching to the Supabase dashboard. This works cleanly for teams under 10 engineers with fewer than 20 active branches at once. Beyond that threshold, branch sprawl becomes a cleanup problem and you'll want a dedicated CI pipeline instead of ad-hoc AI commands. If your team already automates branch lifecycle in GitHub Actions, skip the MCP and keep that logic in code. If you're still SSHing into staging to run migrations, the MCP cuts that ritual down to a single conversational prompt.

Customer support SSL troubleshooting

Why support engineers use this MCP for custom domain tickets

A 3-person support team at a B2B SaaS handles 40 custom-domain tickets per month, mostly SSL verification failures and DNS misconfigurations. The Supabase MCP's hostname config retrieval tool pulls certificate status, ownership verification state, and CNAME records in one call, so the support engineer can diagnose the issue without asking the customer for screenshots or digging through Supabase logs. The OAuth2 setup takes 10 minutes once, then every support rep can query any project the customer has authorized. This pays off when your product lets customers bring their own domains and you field more than 5 support tickets per week about SSL or DNS. Below that volume, the setup overhead isn't worth it—just walk the customer through the Supabase dashboard. Above 100 tickets per month, you'll want a dedicated status dashboard instead of querying the MCP interactively.

Security audit network lockdown

When the network restrictions tool closes an audit finding fast

A startup's security lead gets a pentest report flagging that their production Supabase project accepts connections from any IP. The team needs to restrict access to their VPC and office network before the next board meeting in 48 hours. The Supabase MCP's network restrictions update tool applies CIDR allowlists in one command, and the AI workspace can cross-reference the company's AWS VPC ranges without the security lead hunting through Terraform state files. This scenario works when you have fewer than 10 Supabase projects and a clear list of allowed IP ranges. If you manage dozens of projects or your network topology changes weekly, bake the restrictions into Terraform or Pulumi instead—the MCP is for one-time fixes, not ongoing policy enforcement. The tool will terminate existing connections that don't match the new rules, so coordinate with your on-call engineer before running it in production.

Frequently asked

What does the Supabase MCP let me do in Switchy?

It gives your AI agents direct control over your Supabase projects — creating database branches, managing network restrictions, configuring custom domains, and handling OAuth flows. You can automate environment setup, enforce security policies, or spin up isolated test databases without leaving the chat. It's infrastructure-as-conversation for teams already running on Supabase.

Do I need admin access to connect Supabase via OAuth?

Yes. The OAuth flow requires organization-level permissions to manage projects, branches, and network configs. If you're not an admin on your Supabase org, the connection will fail or you'll see a subset of tools that can't actually execute. Have your org owner connect it, or request the necessary role before setup.

Can the Supabase MCP run SQL queries or read table data?

No. This MCP manages Supabase infrastructure — projects, branches, DNS, replicas — not the databases themselves. If you need to query tables or run migrations, use Supabase's PostgREST API or connect directly via a Postgres client. The MCP is for ops work, not data work.

Why use this instead of the Supabase dashboard or CLI?

The MCP lets your team automate multi-step workflows in natural language — "spin up a staging branch, apply network restrictions, and activate the custom domain" — without context-switching. The dashboard is faster for one-off tasks; the MCP shines when you're orchestrating infrastructure changes alongside other tools in a Switchy workflow.

Who on the team should connect the Supabase MCP?

Whoever owns your Supabase organization and trusts the team to manage infrastructure via AI. Once connected, any Switchy workspace member can invoke the tools, so treat this like handing out admin CLI access. If you want tighter control, connect it in a dedicated ops workspace and invite only your platform team.

Data last verified 7 hours ago.Sources aggregated hourly to weekly. See docs/architecture/model-directory.md.