← Back to EliteSaas

Building with Next.js + Supabase | EliteSaas

Complete guide to building SaaS applications with Next.js + Supabase. Next.js with Supabase backend.

Why Next.js with Supabase is a high-leverage SaaS stack

Combining Next.js with Supabase gives founders and teams a modern full-stack foundation that is fast to ship and easy to scale. Next.js handles the UI and server rendering, incremental static regeneration, API routes, and edge runtime. Supabase provides a managed Postgres database with real-time subscriptions, row level security, auth, storage, and serverless functions.

This stack guide focuses on practical patterns you can lift into production. You will see how to structure a Next.js app with the App Router, design a secure database with RLS, wire up authentication and multi-tenant access control, and deploy on Vercel with confident observability. Where it fits, we will also note how EliteSaas templates can reduce setup time so you focus on product instead of plumbing.

If you are building subscription SaaS with teams, roles, and dashboards, Next.js + Supabase keeps your backend simple while giving you the power of Postgres. You can progressively enhance from simple CRUD to real-time feeds, scheduled jobs, and analytics without switching stacks.

Architecture overview for a nextjs-supabase stack

At a high level, the architecture looks like this:

  • Next.js App Router in app/ with server components for data fetching and client components for interactions.
  • Supabase Postgres with Row Level Security policies enforcing per-user or per-organization access.
  • Supabase Auth for email, OAuth, or magic link sign-in integrated with Next.js middleware.
  • Supabase Storage for user uploads with signed URLs.
  • API Routes or Route Handlers in app/api/* for webhooks and server-only work.
  • Edge Functions in Supabase for tasks close to the data or public webhooks that should not hit your Next.js server.
  • Background jobs using cron triggers in the database or external schedulers calling your API routes.

Typical multi-tenant data model:

  • organizations table with id, name, owner_id.
  • profiles table keyed by auth.users.id with metadata.
  • memberships table that maps user_id to organization_id with role.
  • Domain tables (projects, invoices, etc.) each carry an organization_id column and RLS policies.

Next.js server components can call the Supabase server client with a trusted service role key for backend tasks, or use the browser client for user-scoped queries. For reliability, keep privileged mutations on the server via route handlers or server actions and expose only the queries you need on the client.

Setup and configuration

1) Create the project

npx create-next-app@latest my-saas --typescript --eslint
cd my-saas
npm install @supabase/supabase-js
npm install zod

Install the Supabase CLI to manage your Postgres schema and migrations locally:

npm install supabase --save-dev
npx supabase init

2) Configure environment variables

Set public and secret keys in .env.local. Never commit these. In Vercel, add the same values in Project Settings.

# .env.local
NEXT_PUBLIC_SUPABASE_URL=https://YOUR_PROJECT.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=public-anon-key
SUPABASE_SERVICE_ROLE_KEY=secret-service-role-key

3) Create Supabase client helpers

Use separate clients for server and browser to ensure tokens and keys are scoped correctly.

// lib/supabase/browser.ts
import { createClient } from '@supabase/supabase-js';

export function createBrowserClient() {
  return createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
  );
}

// lib/supabase/server.ts
import { createClient } from '@supabase/supabase-js';
import { cookies } from 'next/headers';

export function createServerClient() {
  const cookieStore = cookies();
  return createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        get: (key) => cookieStore.get(key)?.value,
      },
    }
  );
}

// For privileged tasks, use service role on server only
export function createServiceRoleClient() {
  return createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.SUPABASE_SERVICE_ROLE_KEY!
  );
}

4) Enforce Row Level Security with policies

Enable RLS and add policies that scope data by organization. Example for a projects table:

-- Enable RLS
alter table projects enable row level security;

-- Allow members to select rows for their organizations
create policy "org members can read projects"
on projects for select
using (
  exists (
    select 1 from memberships m
    where m.user_id = auth.uid()
      and m.organization_id = projects.organization_id
  )
);

-- Allow editors to insert
create policy "org editors can insert projects"
on projects for insert
with check (
  exists (
    select 1 from memberships m
    where m.user_id = auth.uid()
      and m.organization_id = projects.organization_id
      and m.role in ('owner','admin','editor')
  )
);

Keep policies readable, test them with the Supabase SQL editor, and version them in migrations so environments stay in sync.

5) Protect routes with Next.js middleware

Redirect unauthenticated users away from app pages. This gate keeps the UI fast and secure.

// middleware.ts
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
import { createClient } from '@supabase/supabase-js';

export async function middleware(req: NextRequest) {
  const supabase = createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    { global: { headers: { Authorization: req.headers.get('Authorization')! } } }
  );

  const { data: { user } } = await supabase.auth.getUser();

  const isAppPath = req.nextUrl.pathname.startsWith('/app');
  if (isAppPath && !user) {
    const url = new URL('/login', req.url);
    url.searchParams.set('redirect', req.nextUrl.pathname);
    return NextResponse.redirect(url);
  }
  return NextResponse.next();
}

export const config = {
  matcher: ['/app/:path*']
};

6) Use server components for data fetching

Keep secure queries on the server side and stream results directly to the UI.

// app/app/projects/page.tsx
import { createServerClient } from '@/lib/supabase/server';

export default async function ProjectsPage() {
  const supabase = createServerClient();
  const { data: { user } } = await supabase.auth.getUser();
  if (!user) return null;

  const { data: projects } = await supabase
    .from('projects')
    .select('*')
    .order('created_at', { ascending: false });

  return (
    <div>
      <h2>Projects</h2>
      <ul>
        {projects?.map(p => (
          <li key={p.id}>{p.name}</li>
        ))}
      </ul>
    </div>
  );
}

7) Handle webhooks and scheduled jobs

Stripe webhooks, cron tasks, or Git webhooks should hit Route Handlers. Keep these handlers idempotent and protected with secrets.

// app/api/cron/daily/route.ts
import { NextResponse } from 'next/server';
import { createServiceRoleClient } from '@/lib/supabase/server';

export async function POST(req: Request) {
  const auth = req.headers.get('authorization');
  if (auth !== `Bearer ${process.env.CRON_SECRET}`) {
    return new NextResponse('Unauthorized', { status: 401 });
  }

  const supabase = createServiceRoleClient();
  // Example: deactivate trials past 14 days
  await supabase.rpc('expire_trials');

  return NextResponse.json({ ok: true });
}

Development best practices

Type-safe data access

Generate TypeScript types from your database schema so queries are typed end to end.

npx supabase gen types typescript --project-id your-id > types/supabase.ts

Import the generated definitions into your Supabase client for typed responses.

Schema migrations first

Do not hand edit tables in production. Use the Supabase CLI to create and apply migration files. Keep one migration per change, include RLS policies and indexes in the same migration, and run them in CI before deploying the app.

Multi-tenancy patterns

  • Use an organization_id column on every table that holds tenant data.
  • Enforce access via RLS. Do not rely on client-side filtering.
  • Model roles in a memberships table with role enum and policies that check role on insert, update, delete.
  • Prefer organization slug routing like /app/acme/projects and derive organization_id server side to avoid trusting user input.

Validation and error handling

Use zod to validate all payloads entering your route handlers. Return typed errors for UI consumption.

import { z } from 'zod';

const createProjectSchema = z.object({
  name: z.string().min(1),
  organizationId: z.string().uuid()
});

export async function POST(req: Request) {
  const json = await req.json();
  const parsed = createProjectSchema.safeParse(json);
  if (!parsed.success) {
    return new Response(JSON.stringify({ error: parsed.error.flatten() }), { status: 400 });
  }
  // continue...
}

Client vs server components

  • Server components: data-heavy pages, dashboards, initial render.
  • Client components: forms, real-time updates, user interactions.
  • Keep mutations in server actions or route handlers to centralize auth and validation.

Caching and revalidation

Use Next.js caching primitives to reduce database load.

// Fetch with revalidation
export const revalidate = 60; // seconds

// Or revalidate on demand after a mutation
import { revalidatePath } from 'next/cache';
await supabase.from('projects').insert({ ... });
revalidatePath('/app/projects');

Storage security

Store files in Supabase Storage buckets with policies tied to auth.uid() or organization_id. Generate signed URLs for private access and expire them quickly.

Observability

  • Enable Sentry or a similar tool for Next.js to capture server and client errors.
  • Use Supabase logs and Postgres query statistics to detect slow queries.
  • Log structured events in API routes with correlation IDs per request.

Pricing and packaging

Your application code and infrastructure are only part of a successful SaaS. Pricing, packaging, and upgrade paths matter just as much. For deeper strategy patterns, see Pricing Strategies for Startup Founders | EliteSaas and Pricing Strategies for Indie Hackers | EliteSaas.

Deployment and scaling

Vercel and Supabase deployment flow

  1. Push to a main branch. Vercel builds and deploys Next.js automatically.
  2. Run Supabase migrations in CI before the Vercel build step or as a release step.
  3. Set all environment variables in Vercel and Supabase, including webhook secrets, service role key, and Stripe keys if used.

Database performance

  • Create indexes for frequent filters and sorts. Example: create index on projects (organization_id, created_at desc);
  • Use text search indexes (GIN with tsvector) for search features.
  • Prefer server-side joins in Postgres over multiple client round trips.
  • Apply pagination using range with order, or keyset pagination with a cursor on created_at and id.

Connection management

Supabase provides connection pooling. Limit chatty client-side code by moving data fetching to server components, which reduces concurrent connections per user. Batch queries when possible via RPC or views.

Edge functions and webhooks

Push unauthenticated public webhooks to Supabase Edge Functions when you need low-latency processing close to the database. Keep sensitive operations that require the service role key inside your Next.js server routes.

Security hardening checklist

  • All tables with user data must have RLS enabled and tested.
  • Never expose the service role key to the browser.
  • Rotate keys regularly and store secrets in your platform secret manager.
  • Validate every incoming payload with a schema and signature if supplied by a third party.
  • Audit logs for admin actions and display a user-accessible audit trail where appropriate.

Cost control tactics

  • Cache expensive queries with ISR and on-demand revalidation.
  • Archive cold data into cheaper tables or storage, surface only recent data by default.
  • Use Storage for blobs instead of database bytea columns.
  • Batch background jobs during off-peak times where latency is not critical.

Conclusion

Next.js + Supabase is a productive stack for building modern SaaS. You get the developer experience of React with server components and the power of Postgres with RLS, real-time, and managed auth. Start with a secure schema, push server-side logic into typed route handlers, and rely on caching and policies to keep the app fast as you grow.

If you want to skip boilerplate for authentication, organizations, environments, and billing screens, consider starting from EliteSaas. The template implements the patterns in this stack guide so you can focus on your product's differentiators, not scaffolding.

FAQ

How does authentication work in a Next.js with Supabase app?

Supabase Auth issues JWTs that carry the user id and optional metadata. In the browser, the Supabase client manages the session and refresh. On the server, you create a Supabase server client that reads cookies and verifies the session. RLS policies use auth.uid() to enforce access. For third-party providers, enable OAuth in Supabase and handle any provider-specific profile sync in a post-sign-in hook.

What is the right way to handle multi-tenancy?

Use an organizations table, a memberships join, and attach organization_id to every domain table. Enable RLS and write policies that authorize based on membership and role. Avoid trusting a client-supplied organization id - derive it from the current route slug and check membership server side. This keeps data boundaries strict as you scale.

Should I use Prisma with Supabase or the Supabase client directly?

Both work. The Supabase JS client is simple and integrates with RLS and real-time out of the box. If you already use Prisma and prefer its migrations and typed client, you can connect to Supabase Postgres with Prisma. Be sure to keep RLS in mind - either disable it for Prisma server-side operations using the service role key or adapt queries to user-scoped sessions.

How do I handle subscriptions and billing?

Use Stripe Checkout or the Billing Portal and store subscription status in a subscriptions table that mirrors Stripe events via webhooks. Protect the webhook route with a signature secret, keep the handler idempotent, and gate access in the UI by checking the canonical subscription state. For help determining good pricing packages, see Pricing Strategies for Freelancers | EliteSaas.

Where can a starter template help most?

Foundational pieces like auth wiring, RLS policies, invitations, organization switching, and billing integration take time to implement correctly. A template such as EliteSaas accelerates these steps while following best practices from this nextjs-supabase guide, so your team can spend cycles on the core product and customer value.

Related Articles

Top SaaS Fundamentals Ideas for E-Commerce

SaaS fundamentals help e-commerce brands control rising customer acquisition costs, plug costly cart abandonment gaps, and keep inventory in sync across sale...

Top Pricing Strategies Ideas for SaaS

Pricing can make or break a SaaS business when markets are crowded, sales cycles are long, and churn is stubborn. The right strategy aligns value with how cu...

Top SaaS Fundamentals Ideas for AI & Machine Learning

Building AI SaaS products requires more than wrapping a model with an endpoint. Teams must balance model accuracy with compute costs, while shipping fast in ...

Ready to get started?

Start building your SaaS with EliteSaas today.

Get Started Free