1. What Is Supabase & How It Works
Supabase: The Open-Source Firebase Alternative
Supabase is an open-source Backend-as-a-Service (BaaS) built on top of PostgreSQL. Unlike Firebase — which is a proprietary NoSQL platform owned by Google — Supabase gives you a fully relational, SQL-powered backend with auto-generated APIs, real-time subscriptions, authentication, file storage, and serverless edge functions, all in one platform.
The key architectural insight is that Supabase does not reinvent the database. It builds a production-quality developer experience around Postgres. This means every skill you learn in SQL, indexing, and query optimization directly transfers.
When you create a Supabase project, you get a dedicated PostgreSQL database instance. This is not a shared cluster — you have your own isolated environment. The auto-generated REST API is powered by PostgREST, which introspects your schema and creates endpoints for every table and view in the public schema. The Realtime server listens to PostgreSQL's Write-Ahead Log (WAL) and broadcasts changes via WebSockets. Authentication is handled by GoTrue, a lightweight Go-based JWT server. Storage provides S3-compatible object storage with RLS-powered access control. Edge Functions run on Deno at the edge, giving you serverless compute close to your users. Understanding this architecture is the first step to mastering Supabase.
🏗️ The Supabase Architecture Stack
Let's break down each component so you understand what happens when you deploy a Supabase project. The PostgreSQL Core is your database — every table, view, function, and trigger you create lives here. PostgREST is a Haskell binary that automatically generates REST APIs from your schema. The Realtime Server is built with Elixir and Phoenix, chosen for its ability to handle millions of WebSocket connections. GoTrue handles user authentication with JWTs and OAuth providers. Storage is S3-compatible with Postgres-backed metadata. Edge Functions use Deno's secure runtime. Together, these components form a complete backend platform that you can run locally or in production. All of these components are open source and can be self-hosted if needed. This architecture gives you the flexibility to start with the managed service and later move to self-hosting if your requirements change. Understanding each component helps you debug issues and optimize performance when building your applications.
Every Supabase project is a dedicated Postgres instance. Your tables, views, functions, and triggers live here. You have full superuser access via the SQL editor or psql.
A compiled Haskell binary that introspects your Postgres schema and auto-generates a fully RESTful HTTP API for every table and view. No code required.
An Elixir/Phoenix application that listens to Postgres WAL (Write-Ahead Log) changes and broadcasts them via WebSocket to subscribed clients.
A Go-based JWT authentication server that handles user sign-up, login, OAuth providers, and session management. Integrates directly with Postgres Row-Level Security.
An S3-compatible object storage service backed by a metadata table in Postgres. Files are stored in a CDN; metadata and access control live in the database.
Deno-based serverless functions deployed globally on the Supabase edge network. They can connect to your database using a connection pool.
Why Postgres Is the Right Foundation
PostgreSQL is the world's most advanced open-source relational database with 35+ years of engineering. By building on Postgres instead of a proprietary store, Supabase inherits ACID transactions, JSONB, Full-Text Search, PostGIS, pgvector, and the entire PostgreSQL extension ecosystem — features no BaaS competitor can match.
When you use Supabase, you're not locked into a proprietary data format. Your database is standard PostgreSQL, which means you can always export your data, run migrations, and even switch to self-hosting if needed. This is one of the biggest advantages over Firebase's Firestore, which uses a custom NoSQL format. With Supabase, you can connect with any PostgreSQL tool — from pgAdmin to DBeaver to psql in your terminal. You can also use Prisma, Drizzle, or any other ORM that supports Postgres. This flexibility gives you the best of both worlds: the convenience of a managed BaaS and the power of a battle-tested relational database. The PostgreSQL ecosystem includes thousands of extensions that you can enable in your Supabase project, from PostGIS for geospatial data to pgvector for AI embeddings. This extensibility means your Supabase project can grow with your needs.
🚀 Project Structure & Regions
When you create a Supabase project, you select an AWS or Fly.io region. Each project gets dedicated infrastructure with isolated resources. Your project includes a Postgres instance with automatic backups, a connection pooler (PgBouncer) for handling thousands of concurrent connections, an auto-generated API URL, JWT keys for client and server access, and a full-featured dashboard. The dashboard provides table editing, a SQL editor, auth management, storage management, and logs. Understanding the project structure helps you organize your work and manage permissions effectively. The API URL is your application's entry point for all REST calls. The anon key is for client-side use and relies on RLS policies. The service_role key is for server-side use and bypasses RLS entirely. You should never expose the service_role key in client-side code. The dashboard is your control center for monitoring, debugging, and managing your project. You can also use the Supabase CLI for local development, which provides a complete local stack that mirrors production.
- Dedicated Postgres Instance — Your own isolated database, not a shared cluster.
- Connection Pooler (PgBouncer) — Manages thousands of concurrent connections efficiently.
- Auto-generated API URL —
https://[PROJECT_REF].supabase.co - anon key & service_role key — JWT keys for client-side and server-side access respectively.
- Dashboard — A full-featured web UI for table editing, SQL editor, Auth management, Storage, and logs.
anon key is safe to expose in browser code — it relies on Row-Level Security for access control. service_role key bypasses ALL RLS and must never be exposed client-side. Use it only in secure server environments.📦 The Supabase Client SDK
The @supabase/supabase-js library is the primary way to interact with your backend from JavaScript/TypeScript. It wraps PostgREST, GoTrue, Realtime, and Storage into a single unified client. The client handles authentication, session management, and request signing automatically. You create a client instance with your project URL and anon key. The client uses the anon key for all requests, and RLS policies determine what data the user can access. For server-side code, you can use the service_role key to bypass RLS. The client provides a fluent API for building queries with type safety when combined with generated TypeScript types. Understanding the client API is essential for building efficient applications.
Knowledge Check
Ready to test your understanding of 1. What Is Supabase & How It Works?