# Supabase as Your Entire Backend in 2026
Most Node.js backends do five things — auth, data, real-time, serverless functions, and file storage. Supabase handles all five.
Most Node.js backends do five things: auth, a database, real-time events, serverless functions, and object storage. Spin up an Express server, add fifty packages, wire it all together, and you've built infrastructure — not product.
Supabase flipped that equation for us. Over the past two years we built three production applications where the entire backend is Supabase: a field-operations platform for a logistics company in Southeast Asia, an internal approval workflow tool, and a real-time collaborative editing surface. Not a single Express route. Not one line of custom API server. This is what we learned.
## Auth: PKCE Changes the Mobile Story
Supabase Auth has been solid for server-side apps for a while, but the PKCE flow is what made it viable for us on mobile. Proof Key for Code Exchange eliminates the need to store a client secret on the device, which matters when you're building native iOS and Android clients.
Setting it up looks like this:

```js
// Mobile client initiates the PKCE flow; the client was created with
// createClient(url, key, { auth: { flowType: 'pkce' } })
const { data, error } = await supabase.auth.signInWithOAuth({
  provider: 'google', // or 'apple', 'github', etc.
  options: {
    redirectTo: 'myapp://auth-callback',
    skipBrowserRedirect: true, // return data.url instead of navigating; the app opens it itself
    scopes: 'openid email profile',
  },
})
// supabase-js generates the code verifier, stores it on the device, and sends
// its SHA-256 code_challenge with the request. When the deep link comes back
// with ?code=..., the app passes that code to supabase.auth.exchangeCodeForSession(),
// which sends the stored verifier to finish the exchange; no client secret is involved
```

The session persists across app restarts via encrypted SharedPreferences on Android and Keychain on iOS. We had one edge case where the token refresh silently failed behind a corporate proxy — a five-line workaround using onAuthStateChange to retry with the stored refresh token cleared that issue in an afternoon. For most teams, it just works.
One thing to know: Supabase Auth currently supports a limited set of OAuth providers out of the box. If you need a custom SAML identity provider or LDAP integration, you'll hit a wall. For Google, GitHub, Apple, Azure AD, and a handful of others — covered.
## PostgreSQL with Row Level Security: The Real Engine
Supabase's PostgreSQL database is where most of the work actually happens, and Row Level Security (RLS) is the feature that replaces your entire authorization middleware layer.
Instead of writing `if (user.role !== 'admin') throw new ForbiddenError()` in every route handler, you write security policies directly against the data:
```sql
-- Users can only see their own orders
CREATE POLICY "users_own_orders" ON orders
FOR SELECT
USING (auth.uid() = orders.user_id);

-- Team leads can see their team's orders
-- (assumes orders.team_id and team_members.team_id, columns not shown above;
--  without that scoping the policy would give every lead every order)
CREATE POLICY "team_leads_view_orders" ON orders
FOR SELECT
USING (
  orders.team_id IN (
    SELECT team_id FROM team_members
    WHERE user_id = auth.uid() AND role = 'lead'
  )
);
```

The database enforces this at the row level, regardless of how the client connects — browser, mobile, or even a direct psql session. We built the field-operations app with zero custom authorization code. The policies live in migrations, version with the schema, and get reviewed in the same pull request. That alone saved us two weeks of backend work compared to the Express equivalent.
Performance is a legitimate concern once your policy count grows. Complex subqueries in USING() clauses on high-traffic tables can add 10–30ms per query. We hit this on a reporting view that joined five tables. The fix was to add selective database indexes on the columns the policies reference — a standard PostgreSQL optimization, but it requires knowing your policy logic intimately. The moment you stop thinking about RLS as "just a feature" and start treating it like application code, the performance conversation gets much sharper.
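As an added example (not code from the post), here is the team-lead policy with its lookup moved into a helper that the planner evaluates once per statement, RLS switched on, and the indexes the policies need. It assumes `orders.team_id` and `team_members(user_id, team_id, role)` with `team_id` as bigint, a `private` schema, the helper name `lead_team_ids`, and a constructed user id for the final check.

```sql
-- RLS must be enabled, or CREATE POLICY has no effect on the table
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;

-- Helper for the team-lead lookup (assumed name and schema). SECURITY DEFINER
-- keeps the query on team_members from recursing through team_members' own
-- policies; STABLE lets the planner evaluate it once per statement rather
-- than once per candidate row.
CREATE SCHEMA IF NOT EXISTS private;
CREATE OR REPLACE FUNCTION private.lead_team_ids()
RETURNS SETOF bigint
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = ''
AS $$
  SELECT team_id FROM public.team_members
  WHERE user_id = (SELECT auth.uid()) AND role = 'lead';
$$;

CREATE POLICY "team_leads_view_team_orders" ON orders
FOR SELECT TO authenticated
USING (team_id IN (SELECT private.lead_team_ids()));

-- Indexes on every column the USING() clauses filter by
CREATE INDEX IF NOT EXISTS orders_user_id_idx ON orders (user_id);
CREATE INDEX IF NOT EXISTS orders_team_id_idx ON orders (team_id);
CREATE INDEX IF NOT EXISTS team_members_lead_idx
  ON team_members (user_id, team_id) WHERE role = 'lead';

-- Inspect the plan as the app sees it: the postgres owner role and
-- service_role bypass RLS, so a psql session as postgres never exercises
-- these policies. The sub claim below is a constructed placeholder.
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims TO
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
EXPLAIN SELECT * FROM orders WHERE status = 'assigned';
ROLLBACK;
```

If the EXPLAIN output still shows a sequential scan on `team_members` or `orders`, the policy is filtering on a column the indexes above do not cover.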
## Realtime Subscriptions: Live Data Without a WebSocket Server
This is the part of Supabase that still feels a little like magic. Enable Realtime on any table, and your clients receive PostgreSQL change notifications over a WebSocket connection — no custom pub/sub server, no Redis, no separate infrastructure.
```js
// When RLS is enabled on the table, Realtime only delivers events for rows
// the subscribing user's JWT is allowed to SELECT
supabase
  .channel('orders')
  .on('postgres_changes', {
    event: 'UPDATE',
    schema: 'public',
    table: 'orders',
    filter: 'status=eq.assigned',
  }, (payload) => {
    // Toast notification, UI update, anything
    updateOrderUI(payload.new)
  })
  .subscribe() // nothing arrives until the channel is subscribed
```
## When Supabase Is the Right Call
Three production apps later, we'd reach for Supabase-as-the-backend without hesitation when the product centers on structured relational data, real-time updates are a genuine feature, the team is small, and the client is web or mobile. Cutting the Express server from that stack removes genuine cognitive load — the middleware version conflicts, the occasional 502 for no good reason, the auth flow that breaks on every minor update.
That simplicity is a feature in 2026, not a limitation.
---
*Disclosure: I'm not paid by Supabase. I recommend them because I've shipped three production apps on their platform. Some links are affiliate links — if you sign up, I earn a commission at no extra cost to you.*
## Build on Supabase, scale without infrastructure headaches
I've shipped three production apps on nothing but Supabase — auth, database, real-time, edge functions, all from one platform. If you're building a product and want to skip the "let's build a custom backend" phase (and the 6 months of bugs that follows), I can help.
[Book a free Technical AI Audit →](https://calendly.com/rizrizawan/30min)
Already using Supabase? I also do architecture reviews and can help you squeeze more out of Row Level Security, Realtime subscriptions, and Edge Functions — without adding a custom backend layer you'll regret maintaining later.