Supabase API Grants Readiness Checker

Paste redacted Supabase SQL, migration notes, or a launch error and check whether your Data API problem is likely a missing grant, an RLS policy failure, or an overbroad quick fix. This is aimed at the May 30, 2026 default change where new projects stop exposing new public-schema tables automatically, and the October 30, 2026 rollout for existing projects.

Why this matters now

1
May 30 changes new projectsNew projects move toward explicit grants for new public-schema Data API exposure.
2
October 30 affects existing projectsExisting projects need a grant inventory before future tables quietly fail or quick fixes widen access.
3
Grants and RLS are separateGrants decide reachability; RLS decides which rows a granted role can use.

May 30 deadline triage

If you are launching a new Supabase project this week, the risky question is not only whether RLS is enabled. It is whether every table, sequence, and RPC your app reaches through supabase-js, REST, or GraphQL has an explicit narrow grant and a matching role test.

Breakage risk: new public-schema tables can return 42501 until the missing role grant is added.
Overcorrection risk: a broad bulk grant may make the app work while exposing tables or functions that were meant to stay internal.
Replay risk: local supabase db reset can rebuild historical tables without the explicit grants unless old migrations are patched.
False reassurance risk: RLS policies can look correct while the object is either unreachable because grants are missing or overexposed because grants are too broad.

Run the free redacted check Build a grant migration skeleton See fixed-scope report fit

Project label Paste redacted SQL, policy text, or error notes

Use redacted text only. Do not paste secrets, private connection strings, real user data, customer records, payment data, private screenshots, full names, private handles, full transaction identifiers, or credential values. This page runs locally in the browser and does not use network requests, browser storage, or a backend.

Ready.

Readiness findings

What to test before launch

For every table your browser or mobile app calls, record the exact role that needs select, insert, update, or delete.
Record whether your project has opted into revoked default privileges for new tables, functions, and sequences.
Apply the narrowest grant needed, then confirm RLS still blocks rows the role should not see.
Reproduce one known Data API call as anon, one as authenticated, and one with no session so grant and policy failures are distinguishable.
For functions and RPCs, include EXECUTE revoke/grant evidence separately from table grants.
For anonymous sign-in, confirm authenticated policies account for the is_anonymous claim before sensitive writes.

Check paid report scope Read sample report Open anonymous RLS matrix

CI guard

For generated Supabase migrations, fail the build when a high-risk broad grant, disabled RLS, permissive policy, or missing function EXECUTE evidence appears in redacted SQL.

npx --package github:kayalopez/ai-agent-launch-tools#v0.1.29 supabase-grants-cutover --file supabase_grants.redacted.sql --fail-on high

The command exits 2 after printing the report when a high-severity finding is present. Keep SQL redacted before sharing logs publicly.

Need a second pass?

The fixed-scope report turns one redacted Supabase grants/RLS packet into a concise launch handoff within 24 hours: likely failure mode, highest-risk policy or grant, exact regression checks, and the safest next SQL to review. The sample report is fictional and shows the shape before checkout.

Buy $25 Supabase report Read sample Supabase report

Source-backed problem set

Supabase changelog Official dates: April 28 opt-in, May 30 new-project default, and October 30 existing-project rollout. Supabase discussion #45329 Official rollout notes and maintainer replies around replayable migrations, defaults, and explicit grants. Securing the Data API Official docs explain explicit grants, default privileges, function EXECUTE, and RLS boundaries. Anonymous sign-ins Official docs explain authenticated-role behavior and the is_anonymous claim. Live builder report Current public thread showing how authenticated-role assumptions can create launch risk.