Row-level security (RLS)

Row-level security is a Postgres feature where access policies are enforced per-row at the database layer — Supabase's primary auth pattern, foundational for multi-tenant apps that talk to Postgres directly from the client.

Traditional web apps put authorization in the app layer: the API server checks the user, then queries the database. Row-level security flips that: the database itself enforces 'user can see / modify only their own rows' via SQL policies. This unlocks client-direct database access (Supabase's flagship pattern) — the JS client hits Postgres directly, JWT in the request, RLS policies validate each row. By 2026 RLS is the standard for serverless / Jamstack apps using Postgres. Failure modes: missing policies expose data ([[supabase-rls-needs-real-auth]] is a common bug), overly permissive policies grant cross-tenant access, performance issues when policies require subqueries on every row.

When to use row-level security (rls)

• Multi-tenant SaaS on Postgres / Supabase.
• Client-direct database access patterns.

Common mistakes

• Forgetting to ENABLE RLS on a table — all rows exposed by default.
• Using `auth.uid()` without a real authenticated session — policy denies everything silently.

FAQ

Related terms

• Serverless database — A serverless database scales compute and storage independently and bills based on actual use — no fixed instance provisioning — typical of Neon, PlanetScale, Supabase, Convex in 2026.
• Edge function — An edge function is a small serverless function that runs at the network edge — geographically close to the user — typically on Cloudflare Workers, Deno Deploy, Vercel Edge, or AWS Lambda@Edge.

Last updated: 2026-06-01. Raw markdown: https://promtable.com/glossary/row-level-security.md.