Row Level Security in Supabase
How to make sure users can only see their own data. Step-by-step RLS policies explained.
Why RLS Matters
Without Row Level Security, any user with your Supabase anon key can read every row in your database. That is fine during development. It is a disaster in production.
RLS lets you write rules like "users can only read their own data" directly in the database. Even if someone grabs your API key, they cannot see other people's information.
Turning It On
Go to your Supabase dashboard, open the table you want to protect, and enable RLS. Once enabled, the table blocks all access through the API by default (only the service_role key bypasses this, as discussed under Common Mistakes). You then add policies to allow specific operations.
Common Policies
Users Can Only See Their Own Rows
CREATE POLICY "Users read own data"
ON profiles FOR SELECT
USING (auth.uid() = user_id);
This checks that the logged-in user matches the user_id column. If it does not match, the row is invisible to them.
Users Can Insert Their Own Data
CREATE POLICY "Users insert own data"
ON profiles FOR INSERT
WITH CHECK (auth.uid() = user_id);
Users Can Update Their Own Data
CREATE POLICY "Users update own data"
ON profiles FOR UPDATE
USING (auth.uid() = user_id)
WITH CHECK (auth.uid() = user_id);
Public Read, Owner Write
For something like a blog where posts are public but only the author can edit:
CREATE POLICY "Anyone can read posts"
ON posts FOR SELECT USING (true);
CREATE POLICY "Authors edit own posts"
ON posts FOR UPDATE
USING (auth.uid() = author_id);
Testing Your Policies
Use the Supabase SQL editor to test. Switch to a specific user context and run the queries your app will run. If a query returns no rows when it should, your policy is too restrictive; if it returns other users' data, it is too permissive.
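The following script is an added example, not code from the original article. It builds the posts table from the "Public Read, Owner Write" section with RLS enabled and all four operations covered, then tests the policies inside one transaction by setting the JWT claims that auth.uid() reads. The table and column names match the article; the two UUIDs are constructed sample values, not real accounts.

```sql
-- Added example (not from the article): posts table with full RLS plus a test transaction.
create table if not exists posts (
  id bigint generated always as identity primary key,
  author_id uuid not null default auth.uid(),   -- defaults to the calling user
  title text not null,
  body text
);

-- SQL equivalent of the dashboard toggle. With no policies, the API sees zero rows.
alter table posts enable row level security;

create policy "Anyone can read posts"
  on posts for select using (true);

-- WITH CHECK on INSERT blocks rows inserted under someone else's author_id.
create policy "Authors insert own posts"
  on posts for insert with check (auth.uid() = author_id);

-- USING selects which rows may be updated; WITH CHECK validates the new row,
-- so an author cannot reassign a post to another author_id.
create policy "Authors edit own posts"
  on posts for update
  using (auth.uid() = author_id)
  with check (auth.uid() = author_id);

create policy "Authors delete own posts"
  on posts for delete using (auth.uid() = author_id);

-- Test: simulate an authenticated API request. auth.uid() reads the "sub" claim
-- from request.jwt.claims, so setting it here behaves like calling with that user's JWT.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
insert into posts (title) values ('alice post');            -- allowed: author_id defaults to user 1111...

-- Switch to a second user in the same transaction.
set local request.jwt.claims to '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}';
select count(*) from posts where title = 'alice post';      -- 1: public read works
update posts set title = 'edited' where title = 'alice post'; -- UPDATE 0: USING hides the row
delete from posts where title = 'alice post';                -- DELETE 0: same
-- Forging author_id fails the INSERT policy and raises
-- "new row violates row-level security policy for table posts".
insert into posts (author_id, title)
  values ('11111111-1111-1111-1111-111111111111', 'forged');
rollback;
```

Each counted result is what you should see; if the second user's UPDATE or DELETE reports 1 row, or the forged INSERT succeeds, the policy is too permissive.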
Common Mistakes
Forgetting to enable RLS on new tables. Every new table defaults to open access. Make enabling RLS part of your table creation routine.
Using service_role key in client code. The service_role key bypasses RLS entirely. It should only be used in server-side code, never in the browser.
Overly complex policies. Start simple. "Users see their own data" covers 90% of cases. Add complexity only when you need it.