Supabase dashboard integration
Connect Supabase from the CipherStash dashboard, verify EQL readiness, configure OIDC, and install from the Supabase Marketplace.
The CipherStash dashboard can connect to your Supabase account with OAuth, guide Stack onboarding for a specific project, and register Supabase as an OIDC provider for identity-aware encryption.
Use this when you want a guided setup path instead of configuring everything from the CLI alone.
Where to find it
In the CipherStash Dashboard:
- Open a workspace
- Go to Settings → Integrations
- Click Connect Supabase (or Open setup if already connected)
Connected workspaces also have a dedicated setup page at:
/workspaces/{workspaceId}/settings/integrations/supabaseConnect Supabase (OAuth)
The dashboard uses Supabase OAuth with PKCE. Tokens are encrypted at rest in the CipherStash database and scoped to the workspace you connect from.
Start OAuth
On Settings → Integrations, click Connect Supabase. You are redirected to Supabase to authorize the CipherStash OAuth app.
Complete authorization
After you approve access, the dashboard stores encrypted access and refresh tokens for that workspace and redirects you to the Supabase setup hub.
Disconnect (optional)
From the setup hub, click Disconnect to remove the integration from the workspace. The dashboard marks the integration disconnected immediately and revokes the refresh token in the background.
OAuth scopes
The integration requests these Supabase OAuth scopes:
| Scope | Purpose |
|---|---|
projects:read | List projects and read project metadata via the Management API |
database:read | Run read-only SQL checks (EQL version, encrypted columns) |
Configure these scopes on your Supabase OAuth app. The dashboard does not request secrets:read.
Setup hub
After connecting, the setup hub helps you onboard a specific Supabase project with Stack.
Project selection
The hub lists Supabase projects available to the connected account. Select the project you want to encrypt. Readiness checks and onboarding commands update when you change projects.
If you arrived from the Supabase Marketplace with a pre-selected project, that project is chosen automatically via a ?project= query parameter.
Readiness checks
For the selected project, the dashboard verifies:
| Check | What it means |
|---|---|
| Project services healthy | Supabase project health from the Management API |
| EQL installed | SELECT eql_v2.version() AS version; succeeds |
| Encrypted columns detected | Columns using eql_v2_encrypted in information_schema |
| Supabase OIDC provider configured | A Supabase issuer is registered on the CipherStash workspace |
When project health, EQL, and OIDC are all satisfied, the hub shows a Stack-ready badge.
EQL detection uses eql_v2.version(), not a pg_extension lookup. If EQL is missing, run npx stash db install --supabase --migration in your application repo.
Configure OIDC from the dashboard
If Supabase OIDC is not registered yet, click Configure OIDC for this project on the readiness panel.
The dashboard registers a Supabase OIDC provider on your CipherStash workspace with issuer:
https://{projectRef}.supabase.co/auth/v1This enables identity-aware encryption with Supabase Auth JWTs via LockContext.
See OIDC Providers for manual registration and usage from code.
Stack onboarding commands
The hub copies the official Supabase + Stack workflow:
npm install @cipherstash/stack
npm install -D stash
npx stash auth login
npx stash init --supabase
npx stash db install --supabase --migrationIt also generates a .env.local snippet for the selected project, including:
DATABASE_URL(Postgres hostdb.{projectRef}.supabase.co)SUPABASE_URLandSUPABASE_ANON_KEY(when available from the Management API)- Comments for local dev (
~/.cipherstash/) vs production (CS_*access keys)
For the full CLI and SDK path, see Supabase.
Encrypted schema
When the selected project already has eql_v2_encrypted columns, the hub lists them by schema, table, and column name.
Install from the Supabase Marketplace
CipherStash supports the Supabase partner integration guide for the Install Integration button in the Supabase Marketplace.
There are two redirect methods. Both create a one-time install record and send the user to a handler page where they pick a CipherStash workspace and complete OAuth.
Method 1 — Simple redirect
Supabase redirects the user to:
GET {APP_URL}/api/integrations/supabase/install?project_id={ref}&organization_slug={slug}The API creates an install record and redirects to:
{APP_URL}/integrations/supabase/install/{integrationId}Method 2 — Signed redirect
Supabase POSTs a signed JWT to the same install endpoint:
POST {APP_URL}/api/integrations/supabase/install
Content-Type: application/json
{ "token": "<signed-jwt>" }On success, the API returns:
{
"integrationId": "...",
"redirectUrl": "{APP_URL}/integrations/supabase/install/{integrationId}",
"expiresAt": "..."
}Supabase redirects the user to redirectUrl.
Install handler flow
- User lands on
/integrations/supabase/install/{integrationId} - If not signed in to CipherStash, they authenticate first
- User selects the workspace where Supabase should be connected
- OAuth completes and binds the install record to that workspace (bind-once)
- User lands on the setup hub, optionally with the Supabase project pre-selected
Install links expire. If a link is invalid or expired, return to Supabase and click Install Integration again.
The normal in-dashboard Connect Supabase button does not use partner install records. Partner logic runs only when an installId is present in the OAuth flow.
Production configuration (CipherStash operators)
These environment variables configure the dashboard deployment (for example on Vercel):
NEXT_PUBLIC_APP_URL="https://dashboard.cipherstash.com"
# Supabase OAuth (Connect button)
SUPABASE_OAUTH_CLIENT_ID="..."
SUPABASE_OAUTH_CLIENT_SECRET="..."
# Optional — defaults to {NEXT_PUBLIC_APP_URL}/api/integrations/supabase/callback
# SUPABASE_OAUTH_REDIRECT_URI="..."
# Supabase Marketplace signed redirect (Method 2)
SUPABASE_PARTNER_JWT_AUDIENCE="https://dashboard.cipherstash.com"
SUPABASE_PARTNER_JWT_PUBLIC_KEYS='{"pik_xxx":"-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"}'Register the OAuth callback URL on your Supabase OAuth app:
{NEXT_PUBLIC_APP_URL}/api/integrations/supabase/callbackValues to provide Supabase (Marketplace)
| Item | Example (production) |
|---|---|
| Redirect record endpoint | https://dashboard.cipherstash.com/api/integrations/supabase/install |
| Redirect handler pattern | https://dashboard.cipherstash.com/integrations/supabase/install/{integrationId} |
JWT aud claim | https://dashboard.cipherstash.com |
Verify signed redirect is enabled:
curl -I https://dashboard.cipherstash.com/api/integrations/supabase/installWhen JWT verification is configured, the response includes:
X-Supabase-Partner-Signed-Redirect: enabledDatabase migrations
The dashboard requires these migrations:
supabase_integrations— encrypted OAuth tokens per workspacesupabase_partner_installs— one-time Marketplace install recordssupabase_oauth_sessions— PKCE OAuth state keyed bystate
Apply them before enabling the integration in production.
Security notes
- OAuth tokens are encrypted at rest; integration queries run under organization RLS
- Partner install IDs bind to a single workspace on first use (prevents hijacking)
- OAuth PKCE state is stored in the database keyed by OAuth
state(multi-tab safe) - Sign-in and sign-up redirects are validated as internal paths only
NEXT_PUBLIC_APP_URLis required in production (Host header is not trusted)- Public install endpoints are rate limited
- Partner JWTs are verified with
ES256, a 5-minute max age, and required claims
Next steps
- Supabase — CLI setup, EQL install, and SDK integration paths
- Supabase JS SDK integration —
encryptedSupabaseAPI reference - OIDC Providers — Register and use identity providers
- Identity-aware encryption — Bind encryption to user JWTs
- Going to production —
CS_*credentials for deployed apps
Billing
Understand CipherStash per-workspace billing, compare Free, Pro, Business, and Enterprise plan limits, and learn how upgrades, downgrades, and Stripe work.
Members
Manage CipherStash organization members and workspace memberships in the Dashboard, and onboard developer devices with stash init for local development.