This skill should be used when the user asks to "create a Supabase table", "write RLS policies", "set up Supabase Auth", "create Edge Functions", "configure Storage buckets", "use Supabase with Next.js", "migrate API keys", "implement row-level security", "create database functions", "set up SSR auth", or mentions 'Supabase', 'RLS', 'Edge Function', 'Storage bucket', 'anon key', 'service role', 'publishable key', 'secret key'. Automatically triggers when user mentions 'database', 'table', 'SQL', 'migration', 'policy'.
Provides expert guidance for Supabase projects, including database setup, RLS policies, auth SSR, edge functions, and storage. Automatically triggers on mentions of Supabase, database, table, SQL, RLS, or API keys.
/plugin marketplace add azlekov/dodi-smart-claude-code/plugin install azlekov-dodi-smart@azlekov/dodi-smart-claude-codeThis skill inherits all available tools. When active, it can use any tool Claude has access to.
references/api-keys.mdreferences/auth-ssr-patterns.mdreferences/edge-function-templates.mdreferences/module-creation-template.mdreferences/nextjs-caveats.mdreferences/rls-policy-patterns.mdreferences/sql-templates.mdreferences/storage-patterns.mdscripts/check_index.pyscripts/validate_sql_files.pyComprehensive guidance for working with Supabase including database operations, authentication, storage, edge functions, and Next.js integration. Enforces security patterns, performance optimizations, and modern best practices.
Supabase now offers two key types with improved security:
| Key Type | Prefix | Safety | Use Case |
|---|---|---|---|
| Publishable | sb_publishable_... | Safe for client | Browser, mobile, CLI |
| Secret | sb_secret_... | Backend only | Servers, Edge Functions |
| Legacy anon | JWT-based | Safe for client | Being deprecated |
| Legacy service_role | JWT-based | Backend only | Being deprecated |
Key Rules:
See references/api-keys.md for migration guide and security practices.
NEVER USE (DEPRECATED):
get(), set(), remove()@supabase/auth-helpers-nextjsALWAYS USE:
@supabase/ssrgetAll() and setAll() ONLYgetUser() to refresh sessionsupabaseResponse objectImportant: As of Next.js 16+, use
proxy.tsinstead ofmiddleware.ts. See https://nextjs.org/docs/app/api-reference/file-conventions/proxy
See references/auth-ssr-patterns.md for complete patterns.
(SELECT auth.uid()) not auth.uid()TO authenticated or TO anonFOR ALL - create 4 separate policiesSee references/rls-policy-patterns.md for performance-optimized templates.
SECURITY INVOKER (safer than DEFINER)search_path = '' for securitypublic.table_name)SECURITY DEFINER unless absolutely requiredDeno.serve (not old serve import)npm:/jsr:/node: prefix with version numbers_shared/ folder/tmp directorySee references/edge-function-templates.md for complete templates.
See references/storage-patterns.md for setup and patterns.
User mentions database/Supabase work?
├─> Creating new tables?
│ └─> Use: Table Creation Workflow
├─> Creating RLS policies?
│ └─> Use: RLS Policy Workflow (references/rls-policy-patterns.md)
├─> Creating database function?
│ └─> Use: Database Function Workflow (references/sql-templates.md)
├─> Setting up Auth?
│ └─> Use: Auth SSR Workflow (references/auth-ssr-patterns.md)
├─> Creating Edge Function?
│ └─> Use: Edge Function Workflow (references/edge-function-templates.md)
├─> Setting up Storage?
│ └─> Use: Storage Workflow (references/storage-patterns.md)
├─> Next.js integration?
│ └─> Use: Next.js Patterns (references/nextjs-caveats.md)
└─> API key questions?
└─> Use: API Keys Guide (references/api-keys.md)
When to use: Creating new database tables.
Design table structure:
id (UUID PRIMARY KEY)created_at, updated_at (TIMESTAMPTZ)created_by (UUID reference to auth.users or profiles)Follow template:
CREATE TABLE IF NOT EXISTS public.table_name (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
name TEXT NOT NULL,
status TEXT DEFAULT 'active',
created_by UUID REFERENCES auth.users(id),
created_at TIMESTAMPTZ DEFAULT NOW(),
updated_at TIMESTAMPTZ DEFAULT NOW()
);
COMMENT ON TABLE public.table_name IS 'Description';
ALTER TABLE public.table_name ENABLE ROW LEVEL SECURITY;
CREATE INDEX idx_table_name_status ON public.table_name(status);
Enable RLS and create policies
Create TypeScript types for type safety
See references/sql-templates.md for complete templates.
Browser Client:
import { createBrowserClient } from '@supabase/ssr'
export function createClient() {
return createBrowserClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!
)
}
Server Client:
import { createServerClient } from '@supabase/ssr'
import { cookies } from 'next/headers'
export async function createClient() {
const cookieStore = await cookies()
return createServerClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!,
{
cookies: {
getAll() { return cookieStore.getAll() },
setAll(cookiesToSet) {
try {
cookiesToSet.forEach(({ name, value, options }) =>
cookieStore.set(name, value, options)
)
} catch { /* Ignore in Server Components */ }
},
},
}
)
}
Proxy (Critical) - replaces middleware.ts:
// proxy.ts (at root or src/ directory)
import { createServerClient } from '@supabase/ssr'
import { NextResponse, type NextRequest } from 'next/server'
export async function proxy(request: NextRequest) {
let supabaseResponse = NextResponse.next({ request })
const supabase = createServerClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!,
{
cookies: {
getAll() { return request.cookies.getAll() },
setAll(cookiesToSet) {
cookiesToSet.forEach(({ name, value }) =>
request.cookies.set(name, value)
)
supabaseResponse = NextResponse.next({ request })
cookiesToSet.forEach(({ name, value, options }) =>
supabaseResponse.cookies.set(name, value, options)
)
},
},
}
)
// CRITICAL: Must call getUser() to refresh session
await supabase.auth.getUser()
return supabaseResponse // MUST return supabaseResponse
}
| Operation | USING | WITH CHECK |
|---|---|---|
| SELECT | Required | Ignored |
| INSERT | Ignored | Required |
| UPDATE | Required | Required |
| DELETE | Required | Ignored |
Example Policy:
CREATE POLICY "Users view own records"
ON public.table_name
FOR SELECT
TO authenticated
USING ((SELECT auth.uid()) = user_id);
Create bucket:
INSERT INTO storage.buckets (id, name, public)
VALUES ('avatars', 'avatars', false);
Storage policy:
CREATE POLICY "Users upload own avatar"
ON storage.objects
FOR INSERT
TO authenticated
WITH CHECK (
bucket_id = 'avatars' AND
(SELECT auth.uid())::text = (storage.foldername(name))[1]
);
Image transformation URL:
/storage/v1/object/public/bucket/image.jpg?width=200&height=200&resize=cover
import { createClient } from 'npm:@supabase/supabase-js@2'
Deno.serve(async (req: Request) => {
if (req.method === 'OPTIONS') {
return new Response('ok', {
headers: {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'authorization, content-type',
}
})
}
// User-scoped client (respects RLS)
const supabase = createClient(
Deno.env.get('SUPABASE_URL')!,
Deno.env.get('SUPABASE_PUBLISHABLE_KEY')!,
{ global: { headers: { Authorization: req.headers.get('Authorization')! } } }
)
// Admin client (bypasses RLS) - use SUPABASE_SECRET_KEY for admin operations
// const adminClient = createClient(
// Deno.env.get('SUPABASE_URL')!,
// Deno.env.get('SUPABASE_SECRET_KEY')!
// )
// Your logic here
return new Response(JSON.stringify({ success: true }), {
headers: { 'Content-Type': 'application/json' }
})
})
Before ANY Supabase work:
sb_publishable_...) for client codesb_secret_...) only in secure backendreferences/api-keys.md - New API key system, migration guidereferences/storage-patterns.md - Storage setup, RLS, transformationsreferences/nextjs-caveats.md - Next.js specific patterns and gotchasreferences/sql-templates.md - Complete SQL templatesreferences/rls-policy-patterns.md - Performance-optimized RLS patternsreferences/auth-ssr-patterns.md - Complete Auth SSR implementationreferences/edge-function-templates.md - Edge function templatesSupabase Auth supports 20+ OAuth providers:
See references/auth-ssr-patterns.md for provider setup.
Skill Version: 2.0.0 Last Updated: 2025-01-01 Documentation: https://supabase.com/docs
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.