live · encrypted at rest · audited

Admin for any Supabase project.

Sign in, save your Supabase project, and run a real admin dashboard. Your API key is encrypted at rest and proxied: it never reaches the browser.

new · v3

Agent Sentry

Catch the next Moltbook before the headline. Undo the next PocketOS before lunch.

Continuous anon-key probe + per-AI-agent session attribution + one-click undo. Nothing else on the market combines all three.

  • 1.5M API keys leaked · Jan 2026
  • 170 apps · Lovable CVE
  • 9s to delete prod · Apr 2026

How it works

Three steps, no ceremony.

  1. Sign in once

    Email + password, or GitHub OAuth when the operator has enabled it. Your account holds every project you save.

  2. Save your project

    Paste a Supabase URL + API key. We encrypt it with AES-256-GCM before the row is committed: the plaintext key never lives on disk.

  3. Use a working admin

    Row cards, type-aware forms, FK lookups, bulk operations, CSV/JSON in + out, undoable deletes: all proxied server-side. Your key never reaches the browser.

What you get

A working admin, not a wrapper.

Every feature below ships today. None of them are coming soon.

  • Prod → staging sync

    Pick a base and target; full-replace per table with FK-safe user handling, schema sync, and AI-suggested exclusions. The base is read, never written.

  • AI chat with tool-use

    Ask a question; the agent lists tables, inspects schemas, runs filtered reads, and drafts writes you confirm in a diff card.

  • SQL playground

    Raw SQL, read-only by default. Statement timeout, EXPLAIN, and a Recent dropdown backed by localStorage.

  • RLS debugger

    Browse pg_policies, then simulate SELECT/INSERT/UPDATE/DELETE as any role with custom JWT claims. All rolled back.

  • Inline cell editing

    Click any value on a row detail page to edit it in place. Enter to commit, Escape to cancel.

  • Per-row history

    Every write captures a before/after snapshot. The detail page shows a chronological column-level diff timeline.

  • Global Cmd-K search

    Type an email or UUID; the palette scans every table in parallel and links straight to the row.

Why server-side

The key never reaches the browser.

Suparbase exists because "store the API key in localStorage" was always a foot-gun. Every promise below is checked by the pre-merge gates in our open spec-kit.

  • API keys are AES-256-GCM encrypted at rest. The plaintext never persists to disk.
  • Every PostgREST call is proxied through an authenticated route. The browser holds only a session cookie.
  • Every write hits an audit log keyed to your account, connection, table, primary key, and verb.
  • JWT-shaped substrings and provider keys are defensively redacted before any log line is written.
  • Free hosted tier for solo projects. No credit card, no time limit.

Drop in your key — and refresh staging from prod.

A full Supabase admin with one-click prod→staging sync. Five minutes to set up. Free tier for solo projects, no credit card.