Supabase API: Complete Developer Guide (2026)

Supabase API: Complete Developer Guide for 2026

Supabase is an open-source Firebase alternative built on PostgreSQL. It provides a full backend-as-a-service stack including a database, authentication, real-time subscriptions, file storage, edge functions, and auto-generated REST and GraphQL APIs. Every Supabase project instantly gets a RESTful API powered by PostgREST that mirrors your database schema.

This guide covers the complete Supabase API surface -- from basic CRUD operations to real-time subscriptions, authentication, and edge functions.

Getting Started

Create a Supabase Project

1. Sign up at supabase.com.
2. Click "New Project" and select your organization.
3. Choose a name, database password, and region.
4. Wait for the project to provision (about 60 seconds).

Get Your API Credentials

Navigate to Settings > API in your project dashboard:

Credential	Where to Find	Purpose
Project URL	Settings > API	Base URL for all API calls
anon (public) key	Settings > API	Client-side requests (respects RLS)
service_role key	Settings > API	Server-side requests (bypasses RLS)

Important: The anon key is safe to use in client-side code because Row Level Security (RLS) restricts what it can access. The service_role key bypasses RLS entirely and should only be used on the server.

Install the Client Library

# JavaScript / TypeScript
npm install @supabase/supabase-js

# Python
pip install supabase

# Dart / Flutter
flutter pub add supabase_flutter

Initialize the Client

// JavaScript / TypeScript
import { createClient } from '@supabase/supabase-js';

const supabase = createClient(
  'https://your-project-id.supabase.co',
  'your-anon-key'
);

# Python
from supabase import create_client

supabase = create_client(
    "https://your-project-id.supabase.co",
    "your-anon-key"
)

Database API (CRUD Operations)

Supabase auto-generates a REST API from your PostgreSQL schema. Every table, view, and function is accessible through a clean query builder.

Create (INSERT)

// Insert a single row
const { data, error } = await supabase
  .from('products')
  .insert({
    name: 'Wireless Headphones',
    price: 79.99,
    category: 'Electronics',
    in_stock: true
  })
  .select();  // Return the inserted row

// Insert multiple rows
const { data, error } = await supabase
  .from('products')
  .insert([
    { name: 'USB-C Cable', price: 12.99, category: 'Accessories' },
    { name: 'Phone Stand', price: 24.99, category: 'Accessories' },
    { name: 'Webcam HD', price: 49.99, category: 'Electronics' },
  ])
  .select();

Read (SELECT)

// Get all rows
const { data, error } = await supabase
  .from('products')
  .select('*');

// Select specific columns
const { data, error } = await supabase
  .from('products')
  .select('name, price, category');

// Filter results
const { data, error } = await supabase
  .from('products')
  .select('*')
  .eq('category', 'Electronics')
  .gte('price', 50)
  .order('price', { ascending: true })
  .limit(10);

// Join related tables
const { data, error } = await supabase
  .from('orders')
  .select(`
    id,
    created_at,
    total,
    users ( name, email ),
    order_items ( quantity, products ( name, price ) )
  `)
  .eq('status', 'completed');

// Pagination
const { data, error } = await supabase
  .from('products')
  .select('*', { count: 'exact' })
  .range(0, 9);  // First 10 results (0-indexed)

Update

// Update a single row
const { data, error } = await supabase
  .from('products')
  .update({ price: 69.99, in_stock: false })
  .eq('id', 42)
  .select();

// Update multiple rows
const { data, error } = await supabase
  .from('products')
  .update({ in_stock: false })
  .lt('stock_count', 1)
  .select();

Delete

// Delete a row
const { data, error } = await supabase
  .from('products')
  .delete()
  .eq('id', 42);

// Delete with a filter
const { data, error } = await supabase
  .from('sessions')
  .delete()
  .lt('expires_at', new Date().toISOString());

Filter Reference

Method	SQL Equivalent	Example
.eq()	= value	.eq('status', 'active')
.neq()	!= value	.neq('role', 'admin')
.gt()	> value	.gt('price', 100)
.gte()	>= value	.gte('age', 18)
.lt()	< value	.lt('stock', 10)
.lte()	<= value	.lte('rating', 3)
.like()	LIKE pattern	.like('name', '%phone%')
.ilike()	ILIKE pattern	.ilike('name', '%Phone%')
.is()	IS value	.is('deleted_at', null)
.in()	IN (values)	.in('status', ['active', 'pending'])
.contains()	@> value	.contains('tags', ['sale'])
.textSearch()	Full text search	.textSearch('description', 'wireless')

Authentication API

Supabase Auth supports email/password, magic links, OAuth providers, and phone authentication.

Sign Up

// Email and password
const { data, error } = await supabase.auth.signUp({
  email: 'user@example.com',
  password: 'securepassword123',
  options: {
    data: {
      full_name: 'Jane Smith',
      avatar_url: 'https://example.com/avatar.jpg'
    }
  }
});

Sign In

// Email and password
const { data, error } = await supabase.auth.signInWithPassword({
  email: 'user@example.com',
  password: 'securepassword123'
});

// OAuth (Google, GitHub, Discord, etc.)
const { data, error } = await supabase.auth.signInWithOAuth({
  provider: 'google',
  options: {
    redirectTo: 'https://yourapp.com/auth/callback'
  }
});

// Magic link (passwordless)
const { data, error } = await supabase.auth.signInWithOtp({
  email: 'user@example.com'
});

Get Current User

const { data: { user } } = await supabase.auth.getUser();
console.log(user.id, user.email);

Sign Out

const { error } = await supabase.auth.signOut();

Realtime API

Subscribe to database changes in real-time using WebSockets:

// Listen for all changes on a table
const channel = supabase
  .channel('orders-changes')
  .on(
    'postgres_changes',
    { event: '*', schema: 'public', table: 'orders' },
    (payload) => {
      console.log('Change received:', payload);
      console.log('Event type:', payload.eventType);  // INSERT, UPDATE, DELETE
      console.log('New data:', payload.new);
      console.log('Old data:', payload.old);
    }
  )
  .subscribe();

// Listen for inserts only, filtered by a column
const channel = supabase
  .channel('new-orders')
  .on(
    'postgres_changes',
    {
      event: 'INSERT',
      schema: 'public',
      table: 'orders',
      filter: 'status=eq.pending'
    },
    (payload) => {
      console.log('New pending order:', payload.new);
    }
  )
  .subscribe();

// Unsubscribe when done
supabase.removeChannel(channel);

Enable Realtime for your table:

-- Run in the Supabase SQL Editor
ALTER PUBLICATION supabase_realtime ADD TABLE orders;

Storage API

Upload, download, and manage files with the Storage API:

// Upload a file
const { data, error } = await supabase.storage
  .from('avatars')
  .upload('user-123/profile.jpg', file, {
    contentType: 'image/jpeg',
    upsert: true
  });

// Get a public URL
const { data } = supabase.storage
  .from('avatars')
  .getPublicUrl('user-123/profile.jpg');

console.log(data.publicUrl);

// Download a file
const { data, error } = await supabase.storage
  .from('documents')
  .download('reports/q1-2026.pdf');

// List files in a folder
const { data, error } = await supabase.storage
  .from('avatars')
  .list('user-123', {
    limit: 100,
    offset: 0,
    sortBy: { column: 'created_at', order: 'desc' }
  });

// Delete a file
const { data, error } = await supabase.storage
  .from('avatars')
  .remove(['user-123/old-profile.jpg']);

Edge Functions

Supabase Edge Functions are serverless TypeScript functions that run on Deno:

Create a function:

supabase functions new hello-world

Write the function:

// supabase/functions/hello-world/index.ts
import { serve } from "https://deno.land/std@0.177.0/http/server.ts";
import { createClient } from "https://esm.sh/@supabase/supabase-js@2";

serve(async (req) => {
  const supabase = createClient(
    Deno.env.get("SUPABASE_URL")!,
    Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!
  );

  const { data, error } = await supabase
    .from("products")
    .select("*")
    .limit(5);

  return new Response(
    JSON.stringify({ products: data }),
    { headers: { "Content-Type": "application/json" } }
  );
});

Deploy and invoke:

# Deploy
supabase functions deploy hello-world

# Invoke from your app
const { data, error } = await supabase.functions.invoke('hello-world', {
  body: { name: 'World' }
});

Row Level Security (RLS)

RLS is critical for securing your API. Without it, anyone with your anon key can read and write all data.

-- Enable RLS on a table
ALTER TABLE products ENABLE ROW LEVEL SECURITY;

-- Allow anyone to read products
CREATE POLICY "Public products are viewable by everyone"
ON products FOR SELECT
USING (true);

-- Allow authenticated users to insert their own data
CREATE POLICY "Users can insert their own products"
ON products FOR INSERT
WITH CHECK (auth.uid() = user_id);

-- Allow users to update only their own data
CREATE POLICY "Users can update their own products"
ON products FOR UPDATE
USING (auth.uid() = user_id)
WITH CHECK (auth.uid() = user_id);

-- Allow users to delete only their own data
CREATE POLICY "Users can delete their own products"
ON products FOR DELETE
USING (auth.uid() = user_id);

REST API Without the Client Library

You can call the Supabase REST API directly with cURL or any HTTP client:

# Get all products
curl 'https://your-project-id.supabase.co/rest/v1/products?select=*' \
  -H "apikey: your-anon-key" \
  -H "Authorization: Bearer your-anon-key"

# Insert a product
curl 'https://your-project-id.supabase.co/rest/v1/products' \
  -X POST \
  -H "apikey: your-anon-key" \
  -H "Authorization: Bearer your-anon-key" \
  -H "Content-Type: application/json" \
  -H "Prefer: return=representation" \
  -d '{"name": "New Product", "price": 29.99}'

# Filter and sort
curl 'https://your-project-id.supabase.co/rest/v1/products?category=eq.Electronics&order=price.asc&limit=10' \
  -H "apikey: your-anon-key" \
  -H "Authorization: Bearer your-anon-key"

Conclusion

The Supabase API provides a complete backend stack through a clean, auto-generated interface. The combination of a PostgreSQL database, real-time subscriptions, authentication, storage, and edge functions covers the vast majority of application backend requirements. And because it is built on open-source tools, you avoid vendor lock-in while getting a managed experience.

For applications that need AI-powered media features on top of their Supabase backend -- such as generating product images, creating AI avatars, producing video content, or adding voice synthesis -- Hypereal AI offers pay-as-you-go APIs that integrate seamlessly into any Supabase-powered application.