Supabase’s multi-tenancy solution, leveraging Postgres schemas, is surprisingly more about isolating data than isolating users.
Let’s see this in action. Imagine we have a Supabase project and want to serve two distinct tenants, "acme" and "globex".
First, we create schemas for each tenant. This is a standard Postgres operation:
CREATE SCHEMA acme;
CREATE SCHEMA globex;
Now, within each schema, we create our tables. For simplicity, let’s create a users table in each:
Schema acme:
CREATE TABLE acme.users (
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
email text UNIQUE NOT NULL,
created_at timestamptz DEFAULT now()
);
Schema globex:
CREATE TABLE globex.users (
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
email text UNIQUE NOT NULL,
created_at timestamptz DEFAULT now()
);
The magic happens when we configure our Row Level Security (RLS) policies. Supabase uses Postgres’s search_path to determine which schema to look into by default. When a user authenticates, we can dynamically set their search_path to their tenant’s schema.
Here’s a simplified RLS policy on the users table within the acme schema:
-- Enable RLS for the acme.users table
ALTER TABLE acme.users ENABLE ROW LEVEL SECURITY;
-- Policy to allow authenticated users to see their own data
CREATE POLICY "Allow authenticated users to see their own data"
ON acme.users FOR SELECT
USING (auth.uid() = id);
-- Policy to allow authenticated users to update their own data
CREATE POLICY "Allow authenticated users to update their own data"
ON acme.users FOR UPDATE
USING (auth.uid() = id);
The same pattern would be applied to globex.users.
When a user logs in via Supabase Auth, their auth.uid() is available. We can then, for example, in a backend function or via a trigger, set the search_path:
-- Example of setting search_path (often done within a connection pooler or custom auth logic)
SET search_path TO acme, public; -- For a user belonging to 'acme'
After this SET search_path, a query like SELECT * FROM users; will transparently query acme.users. This provides strong data isolation. If a user from acme tries to query globex.users without explicitly specifying the schema, they won’t see anything unless they have permissions on public or globex schemas and the query is written as SELECT * FROM globex.users;.
The core problem this solves is data segregation for distinct customer bases within a single Supabase instance. Instead of spinning up entirely new Postgres instances per customer (which is expensive and complex to manage), you provision a new schema. This dramatically reduces infrastructure overhead while maintaining strong data boundaries.
The internal mechanism is Postgres’s schema system. Schemas are essentially namespaces within a database. By manipulating the search_path session variable, you tell Postgres which schema to look into by default when a table name is unqualified. Supabase’s RLS policies then operate on these schema-qualified tables, ensuring that access control is applied correctly within each tenant’s isolated environment.
The key levers you control are:
- Schema Creation: Manually
CREATE SCHEMA tenant_name;. - Table/Object Deployment:
CREATE TABLE tenant_name.my_table (...). - RLS Policies: Define
CREATE POLICY ... ON tenant_name.my_table .... search_pathManagement: Crucially, ensuring thesearch_pathis set correctly for each incoming connection or session based on tenant affiliation. This is often handled by custom backend logic or connection pool configurations.
Here’s a critical detail most people miss: the public schema is still accessible by default. If you don’t explicitly manage search_path or remove permissions from public, sensitive data or metadata could inadvertently be exposed or queried across tenants. Always ensure search_path is set to only the tenant’s schema and public (if needed for shared resources), and that RLS policies on public tables are robust.
The next logical step after mastering schema-based multi-tenancy is exploring how to automate tenant provisioning and deprovisioning at scale.