Supabase db pull REVOKE Replay Check
Paste a redacted migration from supabase db pull and check whether generated REVOKE blocks, missing re-grants, or supabase db reset replay behavior can explain 42501 permission-denied failures.
1. Pull drift
supabase db pull can write migration SQL that looks like schema sync but changes role reachability.
2. Reset replay
supabase db reset reapplies local migrations, so a generated revoke can repeat every local rebuild.
3. 42501 triage
The fix is not always deleting revokes or broad-granting everything; record intended roles and re-grant narrowly.
Optional format: project_notes select authenticated owner reads notes, public_profiles select anon public profile read, or plain redacted notes.
This page runs locally in the browser. Paste only redacted migration snippets or error notes. Do not paste database URLs, service-role keys, JWTs, customer rows, private screenshots, payment data, full names, private handles, or private account records.
Want a 24h second pass on this packet?
If this generated high-priority findings, the fixed-scope Supabase report reviews one redacted pull migration, access matrix, reset notes, and grant patch direction.
Replay review packet
What to do with a risky pull migration
- Keep intentional hardening revokes, but pair them with reviewed narrow grants for the roles the app actually uses.
- Run supabase db reset in a disposable local project and capture no-session, anon, authenticated owner, and wrong-owner results.
- Do not use a broad grant as the first fix; broad grants can make the app work while hiding RLS, RPC, or storage exposure issues.
- Move the reviewed grant patch into migration history so the same result survives a fresh local replay.
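The review described in the list above, as an added example that is not this page's own checker code: it replays table-level GRANT/REVOKE statements in file order, the way a reset would, and reports intended access from the matrix that ends up revoked, plus any GRANT ALL. The migration text, the matrix rows, and the function names are constructed for illustration; column-level, schema-level, and function grants are ignored.

```python
import re

# Table-level GRANT/REVOKE, e.g.: revoke select on table "public"."t" from "anon";
STMT = re.compile(r'\b(grant|revoke)\s+([\w, ]+?)\s+on\s+(?:table\s+)?([\w."]+)'
                  r'\s+(?:to|from)\s+([\w", ]+?)\s*;', re.I)
# What ALL expands to for a table (MAINTAIN exists from PostgreSQL 17).
ALL = ('select', 'insert', 'update', 'delete', 'truncate',
       'references', 'trigger', 'maintain')

def parse_matrix(text):
    """One 'table privilege role note...' row per line -> {(table, priv, role)}."""
    rows = (line.split() for line in text.strip().splitlines())
    return {tuple(w.lower() for w in r[:3]) for r in rows if len(r) >= 3}

def check(sql, matrix):
    """Replay statements in file order and list findings as strings."""
    sql = re.sub(r'--[^\n]*', '', sql)  # ignore SQL line comments
    held, revoked, findings = set(), set(), []
    for verb, privs, obj, roles in STMT.findall(sql):
        table = obj.replace('"', '').split('.')[-1].lower()  # schema dropped
        names = [p.strip().lower() for p in privs.split(',')]
        broad = any(n.startswith('all') for n in names)
        for role in (r.strip(' "').lower() for r in roles.split(',')):
            keys = {(table, p, role) for p in (ALL if broad else names)}
            if verb.lower() == 'grant':
                held |= keys
                if broad:  # works, but hides what the role really needs
                    findings.append(f'broad grant: ALL on {table} to {role}')
            else:
                held -= keys
                revoked |= keys
    for key in sorted(matrix):
        # Intended access that a revoke removed and no later grant restored.
        if key in revoked and key not in held:
            findings.append(f'missing re-grant: {key[1]} on {key[0]} to {key[2]}')
    return findings

# Constructed sample input, not taken from a real project.
MIGRATION = '''
revoke select on table "public"."project_notes" from "anon";
revoke select on table "public"."project_notes" from "authenticated";
revoke select on table "public"."public_profiles" from "anon";
grant select on table "public"."public_profiles" to "anon";
grant all on table "public"."project_notes" to "anon";
'''
MATRIX = '''
project_notes select authenticated owner reads notes
public_profiles select anon public profile read
'''
```

Call `check(MIGRATION, parse_matrix(MATRIX))` to get the findings list; a clean result only covers grants, so RLS policies still need the role tests from the reset step.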
Need a second pass?
The fixed-scope report reviews one redacted Supabase packet: generated pull migration, intended access matrix, 42501 notes, role tests, and the safest next SQL to review. Checkout stays on the scoped checkout page.
Source-backed problem set
Supabase CLI docs
db pull writes migration files and db reset reapplies local migrations.
Securing the Data API
Official docs separate role grants from RLS and document 42501 grant hints.
Supabase grants rollout
Historical migrations need explicit grants so local reset can replay them.
Database API 42501 docs
Supabase documents missing table privileges, grant checks, and RLS as separate causes of 42501.