
Yeah, I’ve run a small project where I just did everything with the “service account” credentials which operates like a normal Postgres connection.


If you're not supporting users, it's fine.

But if your use case involves Supabase auth, using a service account to bypass RLS is kind of like hardcoding connection strings.


You can use both properly and together.

The service account should only be accessed on the service.

If using Auth+Server, you can check the verified user identity via Auth JWTs (or something, see the docs).

Yeah, don't use the server connection on the client, but they have many warnings against that.



