
Connect Supabase

ConfigTrace connects to Supabase using a management API access token. It reviews RLS policy metadata, auth configuration, storage bucket settings, and edge function metadata — without reading any table rows, user records, or stored files.

Prerequisites

  • A Supabase project
  • Owner role on the Supabase organization
  • A ConfigTrace workspace (owner or admin role)

Step 1 — Create an access token

  1. Open Account settings
     Go to supabase.com/dashboard → your account avatar → Account → Access Tokens.
  2. Generate a new token
     Click "Generate new token". Name it configtrace and set an appropriate expiry.
  3. Copy the token
     Copy the token immediately — it won't be shown again.

Supabase access tokens are scoped to your account, not a single project. ConfigTrace uses the token along with your Project Reference to scope its reads to your specific project only.

Step 2 — Find your Project Ref

Your project reference is visible in your Supabase dashboard URL: https://supabase.com/dashboard/project/[your-project-ref]. It's also shown in Project Settings → General.

Step 3 — Connect in ConfigTrace

  1. Open Integrations
     In the ConfigTrace sidebar, click Integrations, then click Connect on the Supabase card.
  2. Enter credentials
     Enter your Access Token and Project Reference (not the full URL, just the ref string).
  3. Save and validate
     Click Save integration. ConfigTrace will validate and connect.

Step 4 — Run your first sync

Click Sync Now. The first sync captures your RLS policy metadata, auth settings, and project configuration as a baseline.

What ConfigTrace monitors

Reads (configuration metadata)
  • Row-level security (RLS) policies — names, tables, commands, and policy expressions
  • Auth configuration: email settings, JWT expiry, OAuth providers enabled, redirect URL allowlist
  • Storage bucket metadata: names, public/private status, file size limits
  • Edge Function metadata: names, deployment status, region (not function code)
  • Project metadata and API settings
  • Database connection settings (not connection strings or passwords)

Never reads
  • Table row data of any kind
  • Storage file contents
  • Auth user records, passwords, or tokens
  • Edge Function source code
  • Service role key values or JWT secrets
  • Any customer application data

What ConfigTrace never reads

ConfigTrace reviews RLS policy posture — it reads the policy expressions that control data access (e.g. using (auth.uid() = user_id)). It does not execute queries against your tables or read any rows.
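
To inspect the same kind of policy metadata yourself, the catalog queries below can be run in the Supabase SQL editor. This is an added example, not ConfigTrace's own code (ConfigTrace connects through the management API as described above); it assumes your application tables live in the public schema and uses only the standard PostgreSQL catalogs pg_policies, pg_class and pg_namespace, so no application table is read.

```sql
-- Added example. Assumption: application tables are in the "public" schema.
-- Every query reads system catalogs only, never rows of application tables.

-- 1. Policy metadata: name, table, command, roles and policy expressions.
select schemaname,
       tablename,
       policyname,
       cmd,                                   -- SELECT / INSERT / UPDATE / DELETE / ALL
       roles,
       qual       as using_expression,        -- e.g. (auth.uid() = user_id)
       with_check as with_check_expression
from pg_policies
where schemaname = 'public'
order by tablename, policyname;

-- 2. RLS status per table: tables with RLS disabled, or with RLS enabled
--    but no policies (which denies all access to non-owner roles), sort first.
select c.relname             as table_name,
       c.relrowsecurity      as rls_enabled,
       c.relforcerowsecurity as rls_forced,
       count(p.policyname)   as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
       on p.schemaname = n.nspname
      and p.tablename  = c.relname
where n.nspname = 'public'
  and c.relkind in ('r', 'p')                 -- ordinary and partitioned tables
group by c.relname, c.relrowsecurity, c.relforcerowsecurity
order by c.relrowsecurity, policy_count, c.relname;

-- 3. Policies whose USING expression is unconditional: every row passes
--    for the listed roles, so these deserve a manual review.
select tablename, policyname, cmd, roles
from pg_policies
where schemaname = 'public'
  and qual = 'true';
```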

For a full breakdown across all providers, see the Data Access & Permissions reference.