Auth

Public Anon Key
Public API key used by frontend clients.
- Tied to the public role in the DB.
- Not secret. You're expected to ship it in your frontend code.
- Even with the anon key, users can only access the data you explicitly allow based on RLS.
- You MUST enable RLS. If you don't, the anon key alone will allow anyone to read or write everything.

RLS
RLS stands for row-level security.
- It enforces access control on every row of the table, for example:
CREATE POLICY "Users can only access their own todos" ON todos FOR SELECT USING (auth.uid() = user_id);
How Auth works with RLS in Supabase

Setup
- Menu > Authentication > Create.
- Optionally add Providers after the creation step. Providers are auth services like Phone (Twilio), Google, Apple, etc.
- In the database table you want to protect, add a column user_id, a foreign key linking each row to the authenticated user (auth.uid()).
- Then enable the RLS policy: click "Get started quickly".
Policy
In the policy creation page, define which CRUD operation each role group is allowed to perform.

USING expression
- Used for queries with a WHERE condition.
- This type of policy defines what data can be accessed (e.g., selecting rows).
- It restricts which rows are visible to the user (read).

WITH CHECK expression
- Used for mutations.
- For insert (creation) and update, it restricts what can be written to the table.
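The following block is an added example, not part of the notes above and not Supabase's own code. It ties the RLS section and the Policy section together on one todos table: enabling RLS, then one policy per CRUD operation so the USING and WITH CHECK halves can be compared side by side. It assumes a Supabase Postgres database (auth.users and the auth.uid() helper exist); the table and column names (todos, user_id, title, done), the policy names and the UUIDs in the verification step are constructed for the example.

```sql
-- Added example (not from the notes): a todos table protected by RLS.
-- Assumes a Supabase project where auth.users exists and auth.uid() returns
-- the id of the currently authenticated user (NULL for the anon role).

create table if not exists public.todos (
  id      bigint generated always as identity primary key,
  -- Defaulting to auth.uid() means the client never has to send user_id.
  user_id uuid not null default auth.uid() references auth.users (id) on delete cascade,
  title   text not null,
  done    boolean not null default false
);

-- Without this statement every policy below is ignored and the anon key can
-- read and write every row through the auto-generated API.
alter table public.todos enable row level security;

-- Read: USING decides which existing rows are visible.
create policy "todos: owner can select"
  on public.todos for select
  to authenticated
  using (auth.uid() = user_id);

-- Create: WITH CHECK validates the row about to be written.
create policy "todos: owner can insert"
  on public.todos for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Update needs both: USING picks the rows that may be changed,
-- WITH CHECK rejects an update that would hand the row to another user.
create policy "todos: owner can update"
  on public.todos for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Delete: only USING applies (there is no new row to check).
create policy "todos: owner can delete"
  on public.todos for delete
  to authenticated
  using (auth.uid() = user_id);

-- Verifying the policies from the SQL editor by impersonating a user.
-- The UUIDs are constructed sample values. request.jwt.claims is the setting
-- auth.uid() reads in current Supabase projects (assumption about the helper).
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
                    true);

  -- Allowed: user_id defaults to auth.uid(), so WITH CHECK passes.
  insert into public.todos (title) values ('write the RLS policies');

  -- Rejected with "new row violates row-level security policy":
  -- WITH CHECK fails because user_id is not the caller's id.
  -- insert into public.todos (user_id, title)
  --   values ('22222222-2222-2222-2222-222222222222', 'not my row');

  -- Only rows where user_id matches the impersonated user are returned.
  select id, title, done from public.todos;
rollback;
```

Because every policy is granted to the authenticated role only, a request that carries the anon key but no user session runs as anon, matches no policy, and sees an empty table rather than an error. The rollback at the end keeps the verification step from leaving test rows behind; run the same block with a second sub value to confirm the two users cannot see each other's todos.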