Supabase MCP is the broader-than-Postgres companion server. Where the read-only Postgres MCP gives you SQL, this one wraps the entire Supabase platform — DB queries, auth (list/create/delete users), Edge Function invocation, Storage bucket ops, and project management — behind agent tools.
What it produces: project-scoped tools for db_query, auth_list_users, auth_create_user, storage_list_files, functions_invoke, plus management API endpoints (list projects, deploy migrations, run SQL files).
Best for: Supabase-native founders managing their own backend. The flagship use case: “I have a support ticket from user X. Pull their auth record, their last 10 events from the events table, and last 3 storage uploads.” Three calls, one minute, done.
Skip if: you’re Postgres-only and don’t use Supabase auth/storage/functions — the lighter Postgres MCP is enough and stays read-only by design (safer).
Setup gotchas: by default it can use the service-role key, which is god-mode for your DB (bypasses RLS). Use the --read-only flag during exploration, and switch to a scoped role for any agent that runs unattended. Never put the service-role key in a shared MCP config — store in env, source from a secret manager, never commit.
Real-world workflow: I keep it scoped to one project at a time. Daily ops cycle: “show me users who signed up but didn’t verify email in the last 7 days.” It queries auth.users joined with my analytics, returns a list, I trigger a re-engagement email. Used to be 3 dashboard tabs and a CSV export.
Compatible alternatives: Postgres MCP for read-only DB-only access, Cloudflare MCP if you’re running edge logic on Workers instead.
Service-role + agent + write access = always pair with read-only mode by default.