Inventory the hosted project
Record redacted schema areas, extensions, Auth providers, Storage buckets, Edge Functions, PostgREST paths, client environment names, and current rollback assumptions.
A practical, source-backed sequence for moving a Supabase Cloud project to self-hosted Supabase without treating database restore as the whole launch. Use it before DNS cutover, frontend target switching, backup/PITR replacement, or asking for a second pass on one redacted packet.
A Supabase Cloud to self-hosted migration is ready for traffic only when database restore, Storage objects, auth/session behavior, runtime keys, backup/PITR replacement, Data API grants, and rollback are all evidenced without secrets.
Use redacted notes only. Keep database URLs, passwords, JWT signing material, service-role keys, customer rows, private screenshots, payment data, full names, and private handles out of public tools, public comments, and review packets.
Record redacted schema areas, extensions, Auth providers, Storage buckets, Edge Functions, PostgREST paths, client environment names, and current rollback assumptions.
Use the Docker setup path, regenerate secrets and API keys, configure public/API/site URLs, SMTP, reverse proxy, TLS, and any self-hosted services before moving production traffic.
Use the Supabase CLI dump flow for `roles.sql`, `schema.sql`, and `data.sql`, then restore into the disposable stack and compare table presence, row counts, extensions, triggers, functions, and RLS policies.
Do not count Supabase Cloud backups as the long-term recovery plan after writes move. Choose scheduled logical dumps, physical/base backups, WAL archiving/PITR, provider snapshots, or a managed Postgres backup tool, then record retention, restore drill result, recovery owner, and alert path.
Do not treat Storage metadata as object transfer. Create or restore matching buckets, copy objects through the S3-compatible path, then test list, download, upload, overwrite, delete, and old URL rewrite behavior.
Expect old platform-issued sessions to fail if signing material changes. Test password login, magic link or OTP, OAuth callback URLs, first login after migration, logout, refresh, and user-profile trigger behavior.
Test no-session, anon, authenticated owner, wrong owner, wrong tenant, and service-side paths. Separate missing Data API grants from RLS policy failures before blaming the frontend.
Freeze or queue writes, take a final backup or recovery point, switch frontend targets and DNS, monitor Auth/REST/Storage/Realtime/Functions, and keep the Cloud project fallback until the post-cutover smoke tests pass.
If you want the existing checker or a fixed-scope second pass to be useful, collect evidence like this without private values.
Buy only when there is one concrete migration packet and the risk is specific enough to review in 24 hours.