Platform

Access Control


Supabase provides granular access controls to manage permissions across your organizations and projects.

For each organization and project, a member can have one of the following roles:

  • Owner: full access to everything in organization and project resources.
  • Administrator: full access to everything in organization and project resources except updating organization settings, transferring projects outside of the organization, and adding new owners.
  • Developer: read-only access to organization resources and content access to project resources but cannot change any project settings.
  • Read-Only: read-only access to organization and project resources.

When you first create an account, a default organization is created for you and you'll be assigned as the Owner. Any organizations you create will assign you as Owner as well.

Manage organization members

To invite others to collaborate, visit your organization's team settings to send an invite link to another user's email. The invite is valid for 24 hours. For project scoped roles, you may only assign a role to a single project for the user when sending the invite. You can assign roles to multiple projects after the user accepts the invite.

Transferring ownership of an organization

Each Supabase organization must have at least one owner. If your organization has other owners then you can relinquish ownership and leave the organization by clicking Leave team in your organization's team settings.

Otherwise, you'll need to invite a user as Owner, and they need to accept the invitation, or promote an existing organization member to Owner before you can leave the organization.

Organization Scoped Roles vs Project Scoped Roles

Each member in the organization can be assigned a role scoped to the organization or to specific projects. If the member has a role at the organization level, they will have the equivalent permissions for that role across all current and future projects in the organization.

With project scoped permissions, you can assign members to roles scoped to specific projects.

Organization permissions across roles

The table below shows the actions each role can take on the resources belonging to the organization.

ResourceActionOwnerAdministratorDeveloperRead-Only1
Organization
Organization ManagementUpdate
Delete
Members
Organization MembersList
OwnerAdd
Remove
AdministratorAdd
Remove
DeveloperAdd
Remove
Owner (Project-Scoped)Add
Remove
Administrator (Project-Scoped)Add
Remove
Developer (Project-Scoped)Add
Remove
InviteRevoke
Resend
Accept2
Billing
InvoicesList
Billing EmailView
Update
SubscriptionView
Update
Billing AddressView
Update
Tax CodesView
Update
Payment MethodsView
Update
UsageView
Integrations (Org Settings)
Authorize GitHub-
Add GitHub Repositories-
GitHub ConnectionsCreate
Update
Delete
View
Vercel ConnectionsCreate
Update
Delete
View
OAuth Apps
OAuth AppsCreate
Update
Delete
List
Audit Logs
View Audit logs-
Legal Documents
SOC2 Type 2 ReportDownload
Security QuestionnaireDownload

Project permissions across roles

The table below shows the actions each role can take on the resources belonging to the project.

ResourceActionOwnerAdminDeveloperRead-Only34
Project
Project ManagementTransfer
Create
Delete
Update (Name)
Pause
Restore
Restart
Custom DomainsView
Update
Data (Database)View
Manage
Infrastructure
Read ReplicasList
Create
Delete
AddonsUpdate
Integrations
Authorize GitHub-
Add GitHub Repositories-
GitHub ConnectionsCreate
Update
Delete
View
Vercel ConnectionsCreate
Update
Delete
View
Database Configuration
Reset Password-
Pooling SettingsView
Update
SSL ConfigurationView
Update
Disk Size ConfigurationView
Update
Network RestrictionsView
Create
Delete
Network BansView
Unban
API Configuration
API KeysRead service key
Read anon key
JWT SecretView
Generate new
API settingsView
Update
Auth Configuration
Auth SettingsView
Update
SMTP SettingsView
Update
Advanced SettingsView
Update
Storage Configuration
Upload LimitView
Update
S3 Access KeysView
Create
Delete
Edge Functions Configuration
SecretsView 5
Create
Delete
SQL Editor
QueriesCreate
Update
Delete
View
List
Run 6
Database
Scheduled BackupsView
Download
Restore
Physical backups (PITR)View
Restore
Authentication
UsersCreate
Delete
List
Send OTP
Send password recovery
Send magic link
Remove MFA factors
ProvidersView
Update
Rate LimitsView
Update
Email TemplatesView
Update
URL ConfigurationView
Update
HooksView
Create
Delete
Storage
BucketsCreate
Update
Delete
View
List
FilesCreate (Upload)
Update
Delete
List
Edge Functions
Edge FunctionsUpdate
Delete
View
List
Reports
Custom ReportCreate
Update
Delete
View
List
Logs & Analytics
QueriesCreate
Update
Delete
View
List
Run
Events CollectionsCreate
Update
Delete
View
List
Warehouse Access TokensCreate
Revoke
List
Branching
Enable branching-
Disable branching-
Create
Delete
List

Footnotes

  1. Available on the Team and Enterprise Plans.

  2. Invites sent from a SSO account can only be accepted by another SSO account coming from the same identity provider. This is a security measure that prevents accidental invites to accounts not managed by your company's enterprise systems.

  3. Available on the Enterprise Plan.

  4. Listed permissions are for the API and Dashboard.

  5. Read-Only role is able to access secrets.

  6. Limited to executing SELECT queries. SQL Query Snippets run by the Read-Only role are run against the database using the supabase_read_only_user. This role has the predefined Postgres role pg_read_all_data.