Supabase Integration Setup Guide

Connect your Supabase projects to OpsCompanion using OAuth

This guide walks you through connecting your Supabase projects to OpsCompanion using OAuth 2.0 with PKCE.

Overview

The Supabase integration uses OAuth to grant OpsCompanion read-only access to your Supabase projects via the Management API. This allows OpsCompanion to:

  • Monitor projects across your Supabase organization
  • Query databases with read-only SQL (SELECT/EXPLAIN only)
  • View auth users and authentication configuration
  • Browse storage buckets and objects
  • List edge functions and their deployment status

Important: OpsCompanion only performs read-only operations and cannot modify your Supabase infrastructure.

What Gets Configured

Connecting Supabase to OpsCompanion sets up the following:

  1. OAuth Authorization - You authorize OpsCompanion to access your Supabase organization
  2. Access Token - A scoped token is stored securely for API access
  3. Refresh Token - Used to maintain access without re-authorization
  4. PKCE Flow - Proof Key for Code Exchange ensures secure token exchange

Prerequisites

Before connecting Supabase, ensure you have:

1. A Supabase Account

You need an active Supabase account with at least one project.

2. Organization Access

You must be an Owner or Admin of the Supabase organization you want to connect. Members with limited roles may not be able to authorize OAuth access.

3. An OpsCompanion Account

Sign up at opscompanion.ai if you haven't already.

Installation Steps

Step 1: Navigate to Manage Tools

  1. Log in to your OpsCompanion dashboard
  2. Go to Manage Tools in the sidebar
  3. Find Supabase in the list of available integrations

Step 2: Click Connect

Click the Connect button next to Supabase. This will redirect you to Supabase's authorization page.

Step 3: Authorize OpsCompanion

On the Supabase authorization page:

  1. Select the organization you want to connect
  2. Review the permissions being requested
  3. Click Authorize to grant access

Step 4: Confirmation

After authorization, you'll be redirected back to OpsCompanion. A success message will confirm the integration is active.

Step 5: Verify the Connection

Ask the OpsCompanion agent to list your Supabase projects:

Show me my Supabase projects

The agent should return a list of your projects with their names, regions, and statuses.

What You Can Do After Setup

Once connected, you can ask the OpsCompanion agent to:

Project Management

List my Supabase projects
Check the health of my project "my-app"
Show me the API keys for project "abc123"

Database Operations

List all tables in my Supabase project
Show me the schema for the "users" table
Run this query: SELECT COUNT(*) FROM public.orders WHERE created_at > '2025-01-01'
What Postgres extensions are installed?

Auth Management

How many users do I have?
Show me users who signed up this week
What auth providers are enabled?
Show me auth statistics

Storage

List my storage buckets
Show me files in the "avatars" bucket
What's the storage usage per bucket?

Edge Functions

List my edge functions
Show me details for the "send-email" function

Verification

1. Check Integration Status

In the OpsCompanion dashboard, navigate to Manage Tools. The Supabase integration should show as Connected.

2. Test Project Access

Ask the agent:

List my Supabase projects

You should see your projects listed with their details.

3. Test Database Access

Ask the agent:

List all tables in my Supabase project [your-project-name]

You should see your database tables listed.

Log Drains (Optional)

You can send your Supabase project logs to OpsCompanion for centralized observability. Supabase supports log drains that forward Postgres, Auth, Storage, Realtime, and Edge Function logs to external destinations.

To set this up, follow Supabase's official guide: Log Drains

When configuring the drain, use OpsCompanion's OTLP endpoint as the destination. You can find your ingest URL in your OpsCompanion workspace settings.

Troubleshooting

Error: "Supabase integration not found"

Cause: The OAuth connection was not completed or has expired.

Solution:

  1. Navigate to Manage Tools in OpsCompanion
  2. Disconnect and reconnect the Supabase integration
  3. Re-authorize on the Supabase consent screen

Error: "Failed to list projects"

Cause: Access token may have expired or been revoked.

Solution:

  1. Check if you've revoked access in your Supabase organization settings
  2. Reconnect the integration in OpsCompanion
  3. Ensure your Supabase account still has the necessary permissions

Error: "Query failed"

Cause: The SQL query may contain write operations or syntax errors.

Solution:

  1. Only SELECT and EXPLAIN queries are allowed
  2. Check the SQL syntax for errors
  3. Ensure the table/schema exists in your project

Error: "Organization not found"

Cause: Your OpsCompanion organization may not be properly configured.

Solution:

  1. Verify you're logged into the correct OpsCompanion organization
  2. Check your organization settings
  3. Contact support if the issue persists

Revoking Access

To disconnect OpsCompanion from your Supabase account:

From OpsCompanion

  1. Navigate to Manage Tools
  2. Find the Supabase integration
  3. Click Disconnect

From Supabase

  1. Go to your Supabase organization settings
  2. Navigate to OAuth Apps
  3. Find OpsCompanion and click Revoke

Both methods immediately revoke OpsCompanion's access to your Supabase projects.

Security Considerations

Read-Only Access

OpsCompanion has read-only access and cannot:

  • Create, modify, or delete database records
  • Change authentication settings
  • Upload or delete storage objects
  • Deploy or modify edge functions
  • Access database passwords

OAuth 2.0 with PKCE

The integration uses OAuth 2.0 with Proof Key for Code Exchange (PKCE), which:

  • Prevents authorization code interception attacks
  • Does not require storing client secrets on the client side
  • Uses a SHA-256 code challenge for secure token exchange

Token Security

  • Access tokens are stored encrypted in OpsCompanion's database
  • Refresh tokens are used to maintain access without re-authorization
  • Tokens can be revoked instantly from either OpsCompanion or Supabase
  • No database passwords are stored or transmitted

Audit Trail

All operations performed by OpsCompanion are:

  • Logged via Supabase's audit system
  • Traceable to the OpsCompanion OAuth app
  • Visible in your Supabase organization's activity log

Support

Frequently Asked Questions

Q: Can OpsCompanion modify my database?

A: No. All database operations are read-only. Only SELECT and EXPLAIN queries are permitted. Write operations (INSERT, UPDATE, DELETE, DROP, ALTER, CREATE, TRUNCATE) are blocked at the tool level.
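
One way a tool-level guard of this kind can be written, as an added Python example (not OpsCompanion's code): it uses the keyword list from the answer above and fails closed on input it cannot classify. The function name, the reasons returned and the sample queries in the comments are assumptions.

```python
import re

# Keyword list as given in the FAQ answer; everything else here is assumed.
WRITE_KEYWORDS = ("INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE")
ALLOWED_FIRST = ("SELECT", "EXPLAIN")

# Comments, string literals and quoted identifiers are blanked before scanning,
# so a keyword that is only data ('please DELETE me') does not trip the check.
_STRIP = re.compile(
    r"--[^\n]*"          # line comment
    r"|/\*.*?\*/"        # block comment
    r"|'(?:[^']|'')*'"   # string literal ('' is an escaped quote)
    r'|"(?:[^"]|"")*"',  # quoted identifier
    re.DOTALL,
)
_DOLLAR = re.compile(r"\$\w*\$")
_WRITE = re.compile(r"\b(" + "|".join(WRITE_KEYWORDS) + r")\b", re.IGNORECASE)


def check_read_only(sql: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one SQL string submitted to the tool."""
    if _DOLLAR.search(sql):
        # Dollar-quoted strings are not parsed here, so fail closed.
        return False, "dollar-quoted string"
    body = _STRIP.sub(" ", sql).strip().rstrip("; \t\r\n")
    if not body:
        return False, "empty statement"
    if ";" in body:
        return False, "multiple statements"
    first = body.split(None, 1)[0].upper()
    if first not in ALLOWED_FIRST:
        # Also rejects WITH ..., since a CTE can wrap a data-modifying statement.
        return False, f"statement starts with {first}"
    hit = _WRITE.search(body)
    if hit:
        # Covers EXPLAIN ANALYZE <write>, which executes the statement it explains.
        return False, f"write keyword {hit.group(1).upper()}"
    return True, "ok"


if __name__ == "__main__":
    for q in ("SELECT updated_at FROM t", "EXPLAIN ANALYZE DELETE FROM t"):
        print(q, "->", check_read_only(q))
```

A lexical check like this cannot see the side effects of functions a SELECT calls, so it is normally backed by a database role or transaction that is itself read-only.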

Q: How do I monitor multiple Supabase organizations?

A: Currently, the integration connects to one Supabase organization at a time. Contact support for multi-organization setups.

Q: Can I revoke access later?

A: Yes. You can disconnect from OpsCompanion's Manage Tools page or revoke the OAuth app from your Supabase organization settings. Access is immediately revoked.

Q: What data does OpsCompanion collect?

A: OpsCompanion accesses:

  • Project metadata (names, regions, status)
  • Database schemas and read-only query results
  • Auth user listings (email, signup date, last login)
  • Storage bucket and object metadata
  • Edge function details

Not collected:

  • Database passwords or connection strings
  • API key values (only names)
  • Storage file contents
  • Application data beyond what queries return

Q: Does this work with Supabase's free tier?

A: Yes. The integration works with all Supabase plans including the free tier.

Q: How often are tokens refreshed?

A: Access tokens are refreshed automatically before they expire. You don't need to re-authorize unless you've explicitly revoked access.


Last updated: March 2026
Integration version: 1.0
