An admin tool built like an actual product.
Suparbase started as a wrapper around PostgREST and grew into a complete Supabase workspace: row editing, RLS debugging, storage, auth users, AI, raw SQL, audit history. Everything below ships today.
The six you'll use every day
These are the day-one wins. They take five minutes to learn and the rest of the product builds on them.
Agent Sentry · security watchdog
Continuous probe of your project with the actual anon key plus pg_policies inspection. Catches RLS drift, anon-readable PII, and overly-permissive policies. One-click quarantine applies a temporary deny-all policy.
Agent sessions · one-click undo
Every write through the proxy gets fingerprinted to the AI tool that made it (Cursor, Claude Code, Replit Agent, Lovable, v0). Undo a whole session, with every INSERT / UPDATE / DELETE reversed atomically.
AI chat with tool-use
A data-aware assistant that lists your tables, inspects schemas, runs filtered queries, and drafts writes you confirm in a diff card. Streams progress live.
SQL playground
Run raw SQL against your project. Read-only by default (Postgres SET TRANSACTION READ ONLY plus a rollback). Statement timeout, EXPLAIN, recent history.
RLS policy debugger
Browse pg_policies on every table and simulate SELECT/INSERT/UPDATE/DELETE as anon / authenticated / service_role with custom JWT claims, all rolled back.
Inline cell editing
Click any editable value on a row detail page to edit it in place. Enter to commit, Escape to cancel, optimistic UI with toast feedback.
Per-row history with diffs
Every write captures a before/after snapshot. Each detail page shows a chronological timeline with column-level from→to diffs.
Global Cmd-K row search
Type an email, UUID, or order number and the palette scans every public-schema table in parallel, returning hits that jump straight to the row.
Day-two features
The bits you reach for when something specific happens: a CSV import, a deleted user, a debugging session. They're all there.
Seven archetype admins
Users, Content, Logs, Commerce, Tasks, Messages, plus a Generic fallback. Each ships purpose-built list + detail views matched automatically from AI analysis.
Storage browser
Bucket list, prefix navigation, drag-drop upload, multi-select delete, 1-hour signed URLs, public URL copy. Same encrypted key as PostgREST.
Auth users admin
Wraps /auth/v1/admin/*. Invite, generate recovery links, ban/unban, delete. Gracefully degrades when the connection's stored key isn't service_role.
Bulk ops + CSV in/out
Bulk delete, bulk update, CSV/JSON export with filter awareness, chunked CSV/JSON import with abort-or-skip on row errors.
Encrypted credentials
AES-256-GCM at rest. The plaintext API key never persists to disk and never touches a browser. The same vault holds the optional direct-Postgres URL.
Server-side PostgREST proxy
Every read and write routes through an authenticated Next.js route handler. The browser holds only a session cookie. Rate-limit buckets per verb class.
Audit log + recent activity
Every write hits an audit table keyed to user, connection, table, primary key, and verb. The dashboard surfaces the last 10 entries with click-to-row.
Saved views + filter chips
Pin search + filter combinations to any table. Filter by column with operators (eq, neq, lt, gt, ilike, in, is null). Sharable URL state.
Three flows you'll recognise
These are the moments where Suparbase replaces five other tools.
AI write flow
You: "set status to cancelled on all orders older than 30 days". The agent calls get_table_schema, then count_rows, then propose_update with a preview of 5 affected rows. A yellow diff card appears. You hit Apply. The server re-validates and runs the PATCH; a row appears in the recent-activity feed.
Connection setup flow
Sign up, paste your project URL + API key. The key is AES-256-GCM encrypted before the row commits. The first dashboard load runs an AI schema analysis (optional, falls back to heuristics) so tables get the right archetype + display name automatically.
Debug an RLS policy
Open the RLS page, paste your direct Postgres URL once (encrypted in the same vault). Browse policies grouped by table, then simulate a request: pick a role, paste request.jwt.claims, click Run. SELECT/INSERT/UPDATE/DELETE allow-or-deny shows for each verb, all inside a transaction that always rolls back.
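The simulate-and-roll-back approach described above can be reproduced by hand over a direct Postgres connection. The SQL below is an added example, not Suparbase's own code; the table public.orders, its columns, and the UUIDs are hypothetical, and it assumes the connecting role is allowed to SET ROLE to authenticated.

```sql
-- Added example. public.orders, user_id, status and both UUIDs are constructed.
BEGIN;

-- List the policies that will be evaluated (pg_policies is a standard catalog view).
SELECT policyname, permissive, roles, cmd, qual, with_check
FROM pg_policies
WHERE schemaname = 'public' AND tablename = 'orders';

-- Become the role PostgREST uses for a signed-in user; LOCAL limits it to this transaction.
SET LOCAL ROLE authenticated;

-- Supply the JWT claims that auth.uid() / auth.jwt() read. Third argument true = transaction-local.
SELECT set_config(
  'request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true
);

-- SELECT: RLS filters rows silently, so a count shows what this user can see.
SELECT count(*) AS visible_rows FROM public.orders;

-- UPDATE: rows failing the USING clause are skipped without error.
-- A no-op assignment plus RETURNING shows which foreign rows, if any, were writable.
UPDATE public.orders
SET status = status
WHERE user_id <> '00000000-0000-0000-0000-000000000001'::uuid
RETURNING id, user_id;

-- INSERT: a WITH CHECK violation raises an error, so isolate it in a savepoint
-- to keep the outer transaction usable whether the insert is allowed or denied.
SAVEPOINT try_insert;
INSERT INTO public.orders (user_id, status)
VALUES ('00000000-0000-0000-0000-000000000002'::uuid, 'new');
ROLLBACK TO SAVEPOINT try_insert;

-- DELETE: like UPDATE, denied rows are simply not matched.
DELETE FROM public.orders
WHERE user_id <> '00000000-0000-0000-0000-000000000001'::uuid
RETURNING id;

-- Nothing above persists, and the role and claims settings are discarded too.
ROLLBACK;
```

Any row returned by the UPDATE or DELETE, or an INSERT that succeeds for another user's id, indicates a policy that is more permissive than intended.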
Drop in your Supabase key and ship.
Five minutes to set up. Free to self-host. No credit card on the hosted plan.