The PlanetScale Discovery CLI can analyze Supabase-hosted PostgreSQL infrastructure, providing insights into database configuration, connection pooling, networking, and operational details.
- Supabase account with project access
- Personal Access Token or Service Role Key
- Python package:
pip install "ps-discovery[supabase]"
Personal Access Tokens provide read-only access to project metadata and are the recommended approach for discovery operations.
How to obtain:
- Log in to Supabase Dashboard
- Navigate to Account Settings → Access Tokens
- Click "Generate New Token"
- Give it a descriptive name (e.g., "PlanetScale Discovery")
- Copy the token immediately (it won't be shown again)
Configure in YAML:
providers:
supabase:
enabled: true
access_token: "sbp_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"Service Role Keys have elevated privileges and should be used with caution. Only use this if Personal Access Tokens don't provide sufficient access.
How to obtain:
- Log in to Supabase Dashboard
- Select your project
- Navigate to Project Settings → API
- Copy the "service_role" key (under "Project API keys")
Configure in YAML:
providers:
supabase:
enabled: true
access_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." # Service role keyFor security, you can store credentials in environment variables:
export SUPABASE_ACCESS_TOKEN="sbp_xxxxxxxxxxxx"
export SUPABASE_PROJECT_REF="abcdefghijklmnop" # Optional: target specific projectThen use a minimal config:
providers:
supabase:
enabled: true
# Token will be read from SUPABASE_ACCESS_TOKENFor Personal Access Tokens:
- Read access to organization projects
- Read access to project metadata
- Read access to project settings
API Endpoints Used:
GET /v1/projects- List accessible projectsGET /v1/projects/{ref}- Get project detailsGET /v1/projects/{ref}/config/database- Get database configurationGET /v1/projects/{ref}/config/pgbouncer- Get pooler configuration
Here's a complete configuration template you can copy and paste into your config file:
# PlanetScale Discovery - Supabase Provider Configuration Template
# Modules to enable
modules:
- cloud
# Provider configuration
providers:
supabase:
enabled: true
# Required: Personal Access Token from Supabase Dashboard
# Get token from: https://app.supabase.com/account/tokens
access_token: "sbp_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Optional: Target a specific project (leave commented to discover all projects)
# project_ref: "abcdefghijklmnop"
# Optional: Filter projects by organization ID
# organization_id: "org_xxxxx"
# Discover all accessible projects (set to false if using project_ref)
discover_all: true
# Output configuration
output:
output_dir: ./supabase_discovery_output
include_costs: true
mask_sensitive_data: true
generate_diagrams: false
# Logging settings
log_level: INFO
# log_file: ./discovery.logDiscover all projects accessible with your token:
modules:
- cloud
providers:
supabase:
enabled: true
access_token: "sbp_xxxxxxxxxxxx"
discover_all: true
output:
output_dir: ./supabase_discovery_outputTarget a specific project by its reference ID:
modules:
- cloud
providers:
supabase:
enabled: true
access_token: "sbp_xxxxxxxxxxxx"
project_ref: "abcdefghijklmnop" # Your project ref
discover_all: false
output:
output_dir: ./supabase_discovery_outputFilter projects by organization:
providers:
supabase:
enabled: true
access_token: "sbp_xxxxxxxxxxxx"
organization_id: "org_xxxxx" # Optional
discover_all: trueCombine Supabase with other cloud providers:
modules:
- cloud
providers:
aws:
enabled: true
regions:
- us-east-1
supabase:
enabled: true
access_token: "sbp_xxxxxxxxxxxx"
discover_all: true
output:
output_dir: ./multi_cloud_discoveryThe Supabase analyzer collects the following information:
- Project reference ID
- Project name and organization
- Region/hosting location
- Project status and health
- Creation timestamp
- PostgreSQL version
- Instance size/pricing tier
- Database connection limits
- Storage capacity and usage
- Host and port information
- PgBouncer configuration
- Pool mode (transaction/session)
- Connection pool size
- Max client connections
- IPv4/IPv6 support
- Connection strings (direct vs pooled)
- SSL/TLS enforcement
- IPv6 availability
- Custom domain configuration
- SSL enforcement status
- Network policies
- Connection security settings
# Using configuration file
ps-discovery cloud --config supabase-config.yaml
# With specific output directory
ps-discovery cloud --config supabase-config.yaml --output-dir ./output
# Combined with database discovery
ps-discovery both --config full-config.yamlThe tool generates two report files:
-
JSON Report (
cloud_discovery_results.json)- Complete structured data
- Programmatically accessible
- All discovered details
-
Markdown Report (
cloud_discovery_summary.md)- Human-readable summary
- Project overview tables
- Configuration details
- Recommendations
- Supabase Management API has rate limits
- Discovery tool includes basic retry logic
- For large numbers of projects, discovery may take time
- Tool only reads project metadata
- No access to actual database data (by design)
- Cannot modify project configuration
- Some configuration endpoints may not be available on all pricing tiers
- Tool gracefully handles missing data
- Reports indicate when specific data is unavailable
Problem: Invalid or expired access token
Solution:
- Verify token is correct (check for copy/paste errors)
- Regenerate token if expired
- Ensure token has proper permissions
- Check environment variables are set correctly
Problem: API returned non-200 status code
Solution:
- Verify network connectivity to
api.supabase.com - Check if token has organization access
- Confirm Supabase API is accessible (not behind firewall)
Problem: No projects accessible with provided token
Solution:
- Verify you have projects in your Supabase account
- Check token belongs to correct organization
- Ensure
project_refis correct if targeting specific project
Problem: Some API endpoints return 404
Solution:
- This is expected for certain Supabase tiers
- Tool continues with available data
- Report will indicate which data is unavailable
- Not an error condition
- Never commit tokens to version control
- Use environment variables for sensitive data
- Rotate tokens regularly
- Use Personal Access Tokens (not service role keys) when possible
- Personal Access Tokens have read-only access to metadata
- Service Role Keys have elevated privileges - use carefully
- Tool does not access database contents, only configuration metadata
- Reports may contain sensitive project information
- Use
mask_sensitive_data: trueto sanitize outputs - Store reports securely
- Review reports before sharing
# 1. Install with Supabase support
pipx install -e ".[supabase]"
# 2. Create configuration file
ps-discovery config-template --output supabase-config.yaml
# 3. Edit the config file and add your Supabase token
# 4. Run discovery
ps-discovery cloud --config supabase-config.yaml
# 5. Review reports in output directory
ls ./supabase_discovery_output/- Supabase uses PgBouncer in transaction mode by default
- Review application compatibility with transaction-mode pooling
- Supabase enforces SSL connections
- Review SSL certificate handling in applications
- Catalog installed Supabase extensions
- If projects span multiple regions, plan regional strategy
- Consider data residency requirements
- Evaluate network latency impacts
- Supabase Management API Documentation
- Supabase Architecture Overview
- Connection Pooling Best Practices
For issues with the discovery tool:
- Report bugs: https://github.com/planetscale/ps-discovery/issues
- Documentation: See main README.md
For Supabase-specific questions:
- Supabase Support: https://supabase.com/support
- Supabase Documentation: https://supabase.com/docs