Developer Update - May 2026

[ana1337x]

Here's everything that happened with Supabase in the last month:

Custom OAuth/OIDC providers for Supabase Auth

Connect any OAuth2 or OpenID Connect identity provider to your Supabase project, including GitHub Enterprise, regional IdPs, and any standards-compliant provider, with PKCE enabled by default.

[Blog]

New tables in the public schema are no longer auto-exposed to the Data API

Starting April 28, new Supabase projects can opt out of automatic Data API exposure for public schema tables. Explicit Postgres grants are now required to make a table reachable via PostgREST or GraphQL. This becomes the default for all new projects on May 30.

[GitHub Discussion]

Supabase is now ISO 27001 certified

Supabase is certified to ISO/IEC 27001:2022, covering the information security management system across the entire platform.

[Blog]

Stripe Sync Engine moves to Stripe

The Stripe Sync Engine, originally built by Supabase, is now part of the Stripe GitHub org. It is open source and maintained by Stripe going forward.

[Blog]

Supabase brand survey

Help shape the direction of Supabase. The brand survey takes a few minutes and closes soon.

[Take the survey]

@supabase/server

A new SDK that handles auth, client creation, CORS, and context injection across runtimes. Works on Edge Functions, Vercel Functions, Deno, Bun, and Cloudflare Workers.

[Blog] [Docs]

Quick Product Announcements

• The Supabase app in the Stripe Marketplace is now generally available. [Stripe Marketplace]
• Branching without Git is now the default. Create branches directly from the dashboard without a GitHub integration. [Blog]
• Data API settings revamped: new per-table and per-function toggles let you control which tables are exposed to PostgREST and GraphQL, with a default-privileges switch at project creation. [Docs]
• The Supabase changelog now has RSS feeds, tag filtering, and a .md feed, plus links to copy any entry as Markdown or ask Claude/ChatGPT. [Changelog]
• Wrappers v0.6.0 ships with a new OpenAPI FDW, Snowflake timeout support, Clerk CRUD, and several bug fixes. [GitHub] [Docs]
• Supabase Agent Skills: an open-source set of instructions that teach AI coding agents how to build on Supabase correctly. [Blog]
• Terraform Provider v1.9.0 adds Edge Functions resource, Edge Function secrets resource, and a network bans data source. [Docs]

Made with Supabase

• Replist: Track your repertoire, sharpen your practice, and connect with the musicians you play with. [Website]
• Grepture: Trace, evaluate, and protect every LLM call. Drop-in SDK. 80+ detection rules. [Website]
• Causo: Agents that connect you with best fit partners at VCs. [Website]
• Screenfully: An app demo creator on your phone. No need to connect to a Mac. [Website]
• Anamap: Cartos by Anamap is an AI agent that investigates your dashboards, site behavior, and code releases to find the root cause of metric drops in plain English. [Website]
• Crewform: Build your AI team with Crewform. Orchestrate specialized, autonomous agents to collaborate on complex tasks and connect outputs to your stack. [GitHub]

Community Highlights

• The Supabase GitHub repo hit 100K stars and 8 million developers. [Blog]
• Introducing the OSSCAR: An index of the fastest-growing open-source orgs. [Blog]
• The State of Startups 2026 survey is still open. [Survey]
• How I Scaled My NextJS + Supabase App to 25,000 Users [YouTube]
• Stop Building Custom Auth — Auth0 vs Supabase: One Saved Us 3 Months of Engineering Work [Blog]

---

This discussion was created from the release Developer Update - May 2026.

[hardikkaurani]

A lot of strong updates in this release cycle — especially around security posture, deployment workflows, and making Supabase more production-ready for larger teams.

The change around new tables in the public schema no longer being auto-exposed to the Data API is probably one of the most important long-term improvements here. Requiring explicit grants by default is a much safer model and aligns better with least-privilege security practices. It reduces the chance of accidentally exposing internal tables through PostgREST or GraphQL simply because they were created in public.

The new @supabase/server SDK also looks promising. Having a runtime-aware server SDK that standardizes auth handling, CORS, context injection, and client creation across Edge Functions, Vercel Functions, Bun, Deno, and Cloudflare Workers should reduce a lot of duplicated boilerplate and inconsistent server-side auth implementations.

The branching improvements are also interesting from a developer-experience perspective. Removing the GitHub dependency for branching lowers friction significantly for teams that want database preview environments without tightly coupling everything to Git integrations.

A few highlights that stand out technically:

• Custom OAuth/OIDC provider support is a huge win for enterprise and regional deployments
• ISO 27001 certification is important for teams with compliance/security requirements
• Explicit Data API exposure controls improve default security posture
• Terraform Edge Function resources help infrastructure-as-code workflows mature
• OpenAPI FDW additions in Wrappers continue pushing Postgres as an integration platform
• RSS/Markdown changelog feeds are surprisingly useful for automation + AI tooling workflows

The Stripe Sync Engine move to the Stripe GitHub org also makes sense strategically. Having the integration maintained closer to the Stripe ecosystem should theoretically improve long-term ownership and domain expertise around billing synchronization.

One thing that’s becoming increasingly noticeable is that Supabase is evolving from a “Firebase alternative” into a broader developer platform with:

• infra tooling
• compliance/security layers
• AI integration workflows
• server runtime tooling
• database branching
• enterprise auth support
• operational tooling

That shift is pretty significant.

Related references:

• [Supabase Auth Docs](https://supabase.com/docs/guides/auth?utm_source=chatgpt.com)
• [Supabase Edge Functions Docs](https://supabase.com/docs/guides/functions?utm_source=chatgpt.com)
• [Supabase Branching Docs](https://supabase.com/docs/guides/deployment/branching?utm_source=chatgpt.com)
• [OIDC Specification](https://openid.net/developers/how-connect-works/?utm_source=chatgpt.com)
• [ISO 27001 Overview](https://www.iso.org/isoiec-27001-information-security.html?utm_source=chatgpt.com)

Overall, this feels like a strong release month with a clear focus on production readiness, platform maturity, and developer workflow improvements.

[musaabhasan]

The public-schema Data API change is a strong security default. It moves Supabase closer to explicit exposure rather than accidental exposure, which matters a lot for teams that prototype quickly and later discover that an internal table inherited API reachability simply because it lived in public.

One thing that would make the rollout even stronger is a project-level exposure audit view that answers:

• which tables are reachable through PostgREST or GraphQL,
• which role grants made them reachable,
• whether RLS is enabled and has at least one active policy,
• whether any anon/authenticated role has broad select, insert, update, or delete,
• and when the exposure state last changed.

That would help teams treat API exposure as an intentional deployment decision, not only as a schema property. It would also be useful in CI/CD if the CLI could fail a migration when a table becomes externally reachable without an explicit allowlist entry.

[jfutey]

Hi Team, couple questions on 2 of the images. 1. When will supabase move to Postgres 17 as the default image? 2. When will Supavisor see an update? Its a bit stale now at 7 months without any CVE fixes.

[aantti]

Did you mean the self-hosted Supabase configuration by any chance?

[jfutey]

Andrey, yes, self hosted Supabase on Docker. You know i'm always chasing those CVE fixes. :D

[aantti]

I'm planning to switch Postgres to version 17 as the default in a month or so from now. I will also be adding a simple helper script to manage compose configurations (see PR #45603). Regarding Supavisor - maybe @v0idpwn could clarify when we could expect a new version and an updated image in either the AWS registry (that CLI/local development uses), or Docker Hub - or preferrably both :)

[kekemam]

Sup🥉