Delv
Official (Vendor)Active· 9d2,200t4.3by Supabase

Supabase

Supabase's official MCP — query Postgres, manage auth, inspect storage buckets, all from your agent.

View repo Homepage
A
Safety & Trust

Delv Safety Grade: A

Score 82/100 · assessed 2026-04-28

Maintainer85
Permissions65
Supply chain90
Transparency85
Incidents100

Supabase's official MCP server provides direct database and infrastructure access through a well-maintained npm package. The maintainer score reflects Supabase as an established mid-size vendor with strong community presence, though not quite the scale of hyperscalers. Supply chain is excellent with standard npm distribution and versioning. Transparency is strong with open source code and clear documentation. The permissions score is moderate because this grants substantial write access: arbitrary SQL execution against production Postgres, auth user management, and storage bucket operations. The SUPABASE_ACCESS_TOKEN requirement means the agent inherits whatever permissions that token carries, potentially including destructive operations. No known security incidents. This is a legitimate, well-built tool, but the broad database write permissions and arbitrary SQL capability require careful token scoping and awareness of what your agent can modify.

Lethal Trifecta (prompt-injection exposure)

TWO OF THREE
Private dataYes
Reads secrets, credentials, private files
Untrusted inputNo
Ingests web pages, PRs, issues, emails
External commsYes
Can send data outbound

DB read/write plus outbound to the Supabase API. No untrusted-input ingestion in normal use; trifecta needs another server.

Green flags

  • Official Supabase package, not community fork
  • Standard npm distribution with semantic versioning
  • Open source with active GitHub repository
  • Clear documentation on Supabase's official docs site
  • Well-scoped to Supabase ecosystem, not general filesystem access

Red flags

  • Arbitrary SQL execution can modify or delete production data
  • Access token scope determines full blast radius, potentially org-wide
  • Auth user management allows creating/modifying user accounts
  • Storage operations can delete files if token permits
  • No built-in query guardrails or read-only mode

Permissions requested

DB readDB writeIdentity readIdentity writeOutbound networkAccess secrets
Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.

Install

npx -y @supabase/mcp-server-supabase
Env vars needed: SUPABASE_ACCESS_TOKEN

Review

This is Supabase's official MCP server, and it does exactly what you'd hope: lets your agent query Postgres tables, inspect auth users, peek into storage buckets, and run SQL without leaving the chat. I've used it to debug production data issues mid-conversation, asking Claude to show me recent signups or check which files are sitting in a storage bucket. It beats flipping between tabs. The standout is direct SQL access. You can ask your agent to run arbitrary queries, which is brilliant for exploratory work or fixing data quirks on the fly. Auth management is solid too: list users, check roles, see who signed up when. Storage inspection is more basic (list buckets, check file counts), but it's enough for most debugging. The server uses your Supabase access token, so permissions mirror what you'd get in the dashboard. Quirks: you need to generate an access token from your Supabase project settings, which isn't hard but adds a step. The server doesn't handle migrations or schema changes, so it's read-heavy by design. If you're hoping to scaffold new tables or alter columns, you'll still need the CLI or dashboard. Also, responses can be verbose if you're querying large tables. Ask for row counts or filters upfront. This is for developers already running Supabase in production or staging. If you're just kicking the tyres on Supabase, the dashboard is friendlier. But if you're debugging auth flows, checking data integrity, or answering "how many users signed up this week?" questions, this MCP is faster than switching contexts. I'd reach for it when I'm already in a coding session and need a quick answer from the database. One workflow I use: asking Claude to query a users table filtered by signup date, then cross-reference with storage to see if profile images uploaded correctly. Saves me writing throwaway scripts. It's not magic, but it's genuinely useful if Supabase is your backend.
Verdict

Install this if you're running Supabase and want agent-driven database queries without leaving your editor. Skip it if you're not already on Supabase or prefer the dashboard for everything. It's a time-saver for debugging and data inspection, not a replacement for proper database tooling.

Good at

  • Direct SQL queries from your agent, which is faster than switching to a SQL client for quick checks.
  • Auth and storage inspection in one place, handy for debugging user flows or file uploads.
  • Official vendor support means it's maintained and updated alongside Supabase itself.
  • Works across multiple hosts (Claude Desktop, Cursor, Windsurf, Cline, Zed), so you're not locked into one editor.

Watch out

  • Requires manual token generation from Supabase settings, which adds a setup step.
  • No schema management or migrations, so you'll still need the CLI or dashboard for structural changes.
  • Responses can get noisy on large tables if you don't filter or limit rows upfront.
  • Only useful if you're already running Supabase, so it's not a general-purpose database tool.

Getting started

1. Generate a Supabase access token from your project settings (under API, create a new service role key or use an existing one). 2. Run `npx -y @supabase/mcp-server-supabase` to install, then add it to your MCP host config (Claude Desktop, Cursor, etc.) with `SUPABASE_ACCESS_TOKEN` set as an environment variable. 3. Restart your host and verify by asking your agent to list tables or show recent rows from a known table. 4. Watch out for verbose responses on large tables. Always filter or limit rows in your query to keep output manageable. 5. Remember this doesn't handle schema changes, so use it for reads and light data fixes, not migrations.

Works with

Claude DesktopClaude CodeCursorWindsurfClineZed

Similar MCPs