Tags: Supabase, RLS, Postgres, Tenant isolation
Category: Supabase RLS

Supabase RLS checker for multi-tenant SaaS

Supabase exposes your Postgres database to the browser through the anon key. Row Level Security is what decides which rows each request can read or write — so a missing or loose policy is a direct path to one tenant reading another tenant's data.

RLS is easy to get subtly wrong: a table created without RLS enabled, a USING (true) policy added to silence an error, or an INSERT policy with no WITH CHECK. GoForLaunch checks every table and policy and separates real isolation bugs from routine cleanup.

Features

What you get

Per-table RLS coverage

Identifies tables where Row Level Security is disabled, including join tables and anything added after the initial schema.

Policy quality checks

Flags USING (true), policies that don't reference auth.uid() or membership, and INSERT/UPDATE policies missing WITH CHECK.

Service-role leakage

Detects the service-role key — which bypasses RLS entirely — reaching client code, edge functions or public environment variables.

Storage and upload gaps

Checks for public buckets and permissive storage policies that can expose uploaded files by URL.

Checklist

What the RLS check looks for

RLS enabled on every user and tenant table
No USING (true) policies on sensitive tables
WITH CHECK present on INSERT and UPDATE policies
Policies scoped to auth.uid() or workspace membership
Service-role key kept strictly server-side
Private storage buckets with scoped policies
File type and size validation on upload
Cross-tenant access blocked for a second test account

FAQ

What is the most common RLS mistake the checker finds?

A USING (true) policy. It makes RLS look enabled while granting access to every row. The fix is to scope the policy to auth.uid(), auth.jwt(), or a workspace-membership lookup.
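Added example (not the checker's own code) showing the gaps described above and their scoped replacements as Supabase SQL. The documents and workspace_members tables and the test user UUID are constructed for illustration, and the final impersonation step assumes it is run from the Supabase SQL editor by a role permitted to SET ROLE authenticated.

```sql
-- Constructed example schema (not from the page): one tenant-scoped table.
create table documents (
  id uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  owner_id uuid not null,
  body text
);
-- Assumed membership table: which users belong to which workspace.
create table workspace_members (
  workspace_id uuid not null,
  user_id uuid not null,
  primary key (workspace_id, user_id)
);

-- Gap 1: a table created without RLS enabled. Without this, policies are ignored.
alter table documents enable row level security;

-- Gap 2: the "silence the error" policy. RLS shows as enabled, but every
-- authenticated user can read and write every tenant's rows.
create policy "open_documents" on documents
  for all to authenticated
  using (true);
drop policy "open_documents" on documents;

-- Fix: reads scoped to workspace membership via auth.uid().
create policy "members_read_documents" on documents
  for select to authenticated
  using (exists (
    select 1 from workspace_members m
    where m.workspace_id = documents.workspace_id
      and m.user_id = auth.uid()));

-- Fix: writes carry WITH CHECK, so a caller cannot insert a row into
-- a workspace they are not a member of or claim another user as owner.
create policy "members_write_documents" on documents
  for insert to authenticated
  with check (owner_id = auth.uid() and exists (
    select 1 from workspace_members m
    where m.workspace_id = documents.workspace_id
      and m.user_id = auth.uid()));

-- Cross-tenant check from the SQL editor as a second test account:
-- impersonate a user (constructed UUID) and confirm foreign rows stay hidden.
begin;
set local role authenticated;
select set_config('request.jwt.claims', '{"sub":"00000000-0000-0000-0000-000000000002"}', true);
select count(*) from documents;  -- only rows from that user's workspaces
rollback;
```

The impersonation block works because Supabase's auth.uid() reads the sub claim from the request.jwt.claims setting, so it exercises the same policy path a browser request would hit.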

Why does service-role key exposure matter?

The service-role key bypasses RLS entirely. If it leaks into client code or a public variable, your policies stop protecting anything. The checker flags those usages.

Does the checker replace testing my data model by hand?

No. It helps identify RLS issues before production and explains the risk of each, but you should still run cross-tenant tests against your specific schema before a high-stakes launch.

Keep reading

Related guides and scanners

Supabase RLS Audit Guide (article)
Lovable Security Checklist
Supabase RLS scanner use case

Run the scan

Connect a repository or upload a zip and get a severity-ranked, founder-readable report. Scans are read-only and the tool helps identify launch blockers before your users do.
