FOR SUPABASE
Quickback for Supabase RLS
Already on Supabase? Keep everything you have — Auth, Storage, Realtime. Quickback compiles your TypeScript security definitions into production-ready Row Level Security policies.
Keep Supabase. Add better security.
RLS policies are powerful — but writing them by hand is error-prone, hard to review, and painful to maintain. Quickback gives you a declarative TypeScript layer that compiles directly into your policies.
Define in TypeScript
Write your firewall rules, access policies, and tenant isolation in TypeScript using Quickback's defineTable() API. Version-controlled, reviewed, and testable.
Compile to RLS
Run quickback compile --target supabase. Quickback outputs production-ready .sql files with your Row Level Security policies.
Apply to Supabase
Apply the generated SQL via the Supabase CLI or dashboard. Your existing Auth, Storage, Realtime, and Edge Functions are untouched.
THE COMPILATION
TypeScript in. RLS Policies out.
Define your access model once in TypeScript. Every policy is generated, consistent, and correct.
Definition
export default defineTable(candidates, {
firewall: {
organization: {}
},
crud: {
list: {
access: {
roles: ["recruiter", "hiring-manager"]
}
},
create: {
access: { roles: ["recruiter"] }
},
delete: {
access: { roles: ["owner"] }
},
},
});Compiled Supabase RLS
-- Generated by Quickback Compiler
-- Target: Supabase RLS
-- Firewall: org isolation
CREATE POLICY "candidates_org_isolation"
ON "candidates"
FOR ALL USING (
organization_id = auth.jwt() ->> 'org_id'
);
-- Access: list (recruiter, hiring-manager)
CREATE POLICY "candidates_select"
ON "candidates"
FOR SELECT USING (
auth.jwt() ->> 'role'
IN ('recruiter', 'hiring-manager')
);
-- Access: delete (owner only)
CREATE POLICY "candidates_delete"
ON "candidates"
FOR DELETE USING (
auth.jwt() ->> 'role' = 'owner'
);Everything Supabase. Better security.
Quickback for Supabase is additive. It generates your RLS layer — nothing else changes.
What Quickback adds
- ✓ Compiled RLS policies
Generated from your TypeScript definitions. Consistent, auditable, version-controlled.
- ✓ Org-level tenant isolation
Firewall policies that scope every table to the requesting organization.
- ✓ Role-based access policies
SELECT, INSERT, UPDATE, DELETE policies per role. Deny by default.
What stays the same
- Supabase Auth — sessions, OAuth, passkeys
- Supabase Storage — buckets, policies, CDN
- Supabase Realtime — channels and presence
- Supabase Edge Functions — your custom logic
- Supabase Dashboard — existing tooling untouched
Why not just write RLS?
Handwritten RLS is fine for simple cases. But as your schema grows, it becomes a maintenance nightmare.
Writing RLS by hand
- ✗ SQL scattered across migrations, hard to review
- ✗ Easy to miss a table or operation
- ✗ No type safety — policy bugs surface at runtime
- ✗ Inconsistent patterns across tables
- ✗ Adding a new role means touching every policy
With Quickback
- ✓ All access rules in one TypeScript file per table
- ✓ Compiler validates completeness at build time
- ✓ Type-safe — catch misconfigurations before deploy
- ✓ Consistent patterns enforced by the compiler
- ✓ Recompile to regenerate all policies after changes
WANT THE FULL API?
Same definitions. Full Hono API.
The same defineTable() definitions that generate your RLS policies can also compile into a full Hono API — complete with REST routes, OpenAPI spec, TypeScript types, and all four security layers enforced in middleware.
No migration pain. Change your compile target, recompile, done.
Explore Quickback API