How to integrate Supabase MCP with Claude Code

GET STARTED FOR FREE
Framework Integration Gradient
Supabase Logo
Claude Code Logo
divider

Introduction

Manage your Supabase directly from Claude Code with zero worries about OAuth hassles, API-breaking issues, or reliability and security concerns.

You can do this in two different ways:

  1. Via Rube - Direct and easiest approach
  2. Via Composio SDK - Programmatic approach with more control

Why Rube?

Rube is a universal MCP server with access to 850+ SaaS apps. It ensures just-in-time tool loading so Claude can access the tools it needs, a remote workbench for programmatic tool calling and handling large tool responses out of the LLM context window, ensuring the LLM context window remains clean.

Connect Supabase to Claude Code with Rube

1. Get the MCP URL

Copy and paste the below command in Claude Code to add Rube MCP.

Terminal

2. Authenticate Rube

Run /mcp to view Rube

bash
/mcp
Run /mcp to view Rube in Claude Code
Click on Rube to authenticate
Authentication flow complete

3. Ensure it's connected

Run /mcp again to verify the connection. Now, do whatever you want with Claude Code and Supabase.

Rube connected successfully

Supported Tools & Triggers

Tools
Create project api keyCreates a 'publishable' or 'secret' api key for an existing supabase project, optionally with a description; 'secret' keys can have customized jwt templates.
Delete an API key from the projectPermanently deletes a specific api key (identified by `id`) from a supabase project (identified by `ref`), revoking its access.
Get a third-party integrationRetrieves the detailed configuration for a specific third-party authentication (tpa) provider, identified by `tpa id`, within an existing supabase project specified by `ref`.
List third-party auth integrations for projectLists all configured third-party authentication provider integrations for an existing supabase project (using its `ref`), suitable for read-only auditing or verifying current authentication settings.
Delete third party auth configRemoves a third-party authentication provider (e.
Update an API key for the projectUpdates an existing supabase project api key's `description` and/or `secret jwt template` (which defines its `role`); does not regenerate the key string.
Beta activate custom hostname for projectActivates a previously configured custom hostname for a supabase project, assuming dns settings are verified externally.
Activate vanity subdomain for projectActivates a vanity subdomain for the specified supabase project, requiring subsequent dns configuration for the subdomain to become operational.
Authorize user through OAuthGenerates a supabase oauth 2.
Check vanity subdomain availabilityChecks if a specific vanity subdomain is available for a supabase project; this action does not reserve or assign the subdomain.
Enable project database webhooksEnables database webhooks for the supabase project `ref`, triggering real-time notifications for insert, update, or delete events.
Get project SSL enforcement configurationRetrieves the ssl enforcement configuration for a specified supabase project, indicating if ssl connections are mandated for its database.
Get current vanity subdomain configFetches the current vanity subdomain configuration, including its status and custom domain name, for a supabase project identified by its reference id.
Beta get project's custom hostname configRetrieves a supabase project's custom hostname configuration, including its status, ssl certificate, and ownership verification, noting that availability may depend on the project's plan.
Retrieve network bans for projectRetrieves the list of banned ipv4 addresses for a supabase project using its unique project reference string; this is a read-only operation.
Retrieve project network restrictionsRetrieves the current network restriction settings (e.
Get project pgsodium configRetrieves the pgsodium configuration, including the root encryption key, for an existing supabase project identified by its `ref`.
Beta remove a read replicaIrreversibly initiates the removal of a specified read replica from an existing supabase project, confirming only the start of the process, not its completion.
Remove project network bansRemoves specified ipv4 addresses from a supabase project's network ban list, granting immediate access; ips not currently banned are ignored.
Execute project database queryExecutes a given sql query against the project's database; use for advanced data operations or when standard api endpoints are insufficient, ensuring queries are valid postgresql and sanitized.
Setup read replica for projectProvisions a read-only replica for a supabase project in a specified, supabase-supported aws region to enhance read performance and reduce latency.
Beta update project network restrictionsUpdates and applies network access restrictions (ipv4/ipv6 cidr lists) for a supabase project, which may terminate existing connections not matching the new rules.
Upgrade the project's PostgreSQL versionInitiates an asynchronous upgrade of a supabase project's postgresql database to a specified `target version` from a selected `release channel`, returning a `tracking id` to monitor status; the `target version` must be available in the chosen channel.
Update pgsodium root keyCritically updates or initializes a supabase project's pgsodium root encryption key for security setup or key rotation, requiring secure backup of the new key to prevent irreversible data loss.
Create a database branchCreates a new, isolated database branch from an existing supabase project (identified by `ref`), useful for setting up separate environments like development or testing, which can optionally be linked to a git branch.
Create a functionCreates a new serverless edge function for a supabase project (identified by `ref`), requiring valid javascript/typescript in `body` and a project-unique `slug 1` identifier.
Create an organizationCreates a new supabase organization, which serves as a top-level container for projects, billing, and team access.
Create new projectCreates a new supabase project, requiring a unique name (no dots) within the organization; project creation is asynchronous.
Create SSO provider configurationCreates a new saml 2.
Create a new third-party auth integrationCall this to add a new third-party authentication method (oidc or jwks) to a supabase project for integrating external identity providers (e.
Reverify custom hostnameRe-verifies dns and ssl configurations for an existing custom hostname associated with a supabase project.
Delete branch by idPermanently and irreversibly deletes a specific, non-default database branch by its `branch id`, without affecting other branches.
Delete an edge function by slugPermanently deletes a specific edge function (by `function slug`) from a supabase project (by `ref`); this action is irreversible and requires prior existence of both project and function.
Delete custom hostname configDeletes an active custom hostname configuration for the project identified by `ref`, reverting to the default supabase-provided hostname; this action immediately makes the project inaccessible via the custom domain and requires subsequent updates to client, oauth, and dns settings.
Delete vanity subdomain for projectPermanently and irreversibly deletes an active vanity subdomain configuration for the specified supabase project, reverting it to its default supabase url.
Delete project by refPermanently and irreversibly deletes a supabase project, identified by its unique `ref` id, resulting in complete data loss.
Deploy functionDeploys edge functions to a supabase project using multipart upload.
Disable project readonly modeTemporarily disables a supabase project's read-only mode for 15 minutes to allow write operations (e.
Disable preview branchingDisables the preview branching feature for an existing supabase project, identified by its unique reference id (`ref`).
Exchange auth code for access and refresh token(beta) implements the oauth 2.
Generate TypeScript typesGenerates and retrieves typescript types from a supabase project's database; any schemas specified in `included schemas` must exist in the project.
Get database branch configRetrieves the read-only configuration and status for a supabase database branch, typically for monitoring or verifying its settings.
Get project API keysRetrieves all api keys for an existing supabase project, specified by its unique reference id (`ref`); this is a read-only operation.
Get project PgBouncer configRetrieves the active pgbouncer configuration (postgresql connection pooler) for a supabase project, used for performance tuning, auditing, or getting the connection string.
Get Project Upgrade EligibilityChecks a supabase project's eligibility for an upgrade, verifying compatibility and identifying potential issues; this action does not perform the actual upgrade.
Get project upgrade statusRetrieves the latest status of a supabase project's database upgrade for monitoring purposes; does not initiate or modify upgrades.
Get a specific SQL snippetRetrieves a specific sql snippet by its unique identifier.
Get a SSO provider by its UUIDRetrieves the configuration details for a specific single sign-on (sso) provider (e.
Get information about an organizationFetches comprehensive details for a specific supabase organization using its unique slug.
Get project's auth configRetrieves the project's complete read-only authentication configuration, detailing all settings (e.
Get project postgres configRetrieves the current read-only postgresql database configuration for a specified supabase project's `ref`, noting that some advanced or security-sensitive details might be omitted from the response.
Get project's PostgREST configRetrieves the postgrest configuration for a specific supabase project.
Get project's service health statusRetrieves the current health status for a supabase project, for specified services or all services if the 'services' list is omitted.
Get project Supavisor configurationRetrieves the supavisor (connection pooler) configuration for a specified supabase project, identified by its reference id.
Get Table SchemasRetrieves column details, types, and constraints for multiple database tables to help debug schema issues and write accurate sql queries.
List all database branchesLists all database branches for a specified supabase project, used for isolated development and testing of schema changes; ensure the project reference id is valid.
List all functionsLists metadata for all edge functions in a supabase project (specified by 'ref'), excluding function code or logs; the project must exist.
List all organizationsLists all organizations (id and name only) associated with the supabase account, excluding project details within these organizations.
List all projectsRetrieves a list of all supabase projects, including their id, name, region, and status, for the authenticated user.
List all secretsRetrieves all secrets for a supabase project using its reference id; secret values in the response may be masked.
List members of an organizationRetrieves all members of a supabase organization, identified by its unique slug, including their user id, username, email, role, and mfa status.
List project database backupsLists all database backups for a supabase project, providing details on existing backups but not creating new ones or performing restores; availability may depend on plan and configuration.
List all bucketsRetrieves a list of all storage buckets for a supabase project, without returning bucket contents or access policies.
List all SSO providersLists all configured single sign-on (sso) providers for a supabase project, requiring the project reference id (`ref`) of an existing project.
List SQL snippets for the logged in userRetrieves a list of sql snippets for the logged-in user, optionally filtered by a specific supabase project if `project ref` is provided.
Remove an SSO providerDeletes a specific sso provider by its id (`provider id`) from a supabase project (`ref`), which disables it and returns its details; ensure this action will not inadvertently lock out users.
Reset a database branchResets an existing supabase database branch, identified by `branch id`, to its initial clean state, irreversibly deleting all its current data and schema changes.
Restore database PITR backupRestores a supabase project's database to a specific unix timestamp using point-in-time recovery (pitr), overwriting the current state; requires a paid plan with pitr and physical backups enabled.
Retrieve a functionRetrieves detailed information, metadata, configuration, and status for a specific edge function using its project reference id and function slug.
Retrieve a function bodyRetrieves the source code (body) for a specified serverless edge function using its project reference and function slug; this is a read-only operation that does not execute the function or return runtime logs.
Get project's read-only mode statusRetrieves the read-only mode status for a specified supabase project to check its operational state; this action does not change the read-only state.
Update a functionUpdates an existing supabase edge function's properties (like name, slug, source code, jwt settings, import map) identified by project `ref` and `function slug`, supporting plain text code or eszip for the body.
Update database branch configUpdates the configuration of a supabase database branch, allowing modification of its name, associated git branch, reset-on-push behavior, persistence, and status.
Update project's custom hostname configurationUpdates the custom hostname for a supabase project, requiring subsequent dns changes to a user-controlled domain for ssl certificate issuance and domain ownership.
Update an SSO provider by its UUIDUpdates an existing sso provider's saml metadata, associated email domains, or attribute mappings for a supabase project, identified by `ref` and `provider id`.
Update project's postgres configUpdates specified postgresql configuration parameters for an existing supabase project (`ref`) to optimize database performance; note that unspecified parameters remain unchanged, and caution is advised as incorrect settings can impact stability or require a restart.
Update project's PostgREST configUpdates postgrest configuration settings (e.
Update database pooler configUpdates the supavisor (database pooler) configuration, such as `default pool size`, for an existing supabase project identified by `ref`; the `pool mode` parameter in the request is deprecated and ignored.
Update SSL enforcement configUpdates the ssl enforcement configuration (enable/disable) for a specified supabase project's database.

What is the Supabase MCP server, and what's possible with it?

The Supabase MCP server is an implementation of the Model Context Protocol that connects your AI agent and assistants like Claude, Cursor, etc directly to your Supabase account. It provides structured and secure access to your Supabase projects, so your agent can perform actions like managing API keys, configuring authentication, and handling custom domains on your behalf.

  • API key management: Create, update, or permanently delete project API keys, including setting descriptions and customizing JWT templates for secure access control.
  • Third-party auth integration control: List, retrieve, or remove third-party authentication providers (like Google or GitHub) from your Supabase project to tailor user sign-in options.
  • Custom domain and subdomain setup: Activate custom hostnames or vanity subdomains for your Supabase project, ensuring your app is accessible at a branded URL after DNS verification.
  • OAuth authorization handling: Generate OAuth 2.0 authorization URLs for secure user authentication flows, supporting seamless integration with registered apps.
  • Subdomain availability checks: Instantly verify if a desired vanity subdomain is available for your project before making DNS changes or launching branded experiences.

Connecting Supabase via Tool Router

Tool Router is the underlying tech that powers Rube. It's a universal gateway that does everything Rube does but with much more programmatic control. You can programmatically generate an MCP URL with the app you need (here Supabase) for even more tool search precision. It's secure and reliable.

How the Tool Router works

The Tool Router follows a three-phase workflow:

  1. Discovery: Searches for tools matching your task and returns relevant toolkits with their details.
  2. Authentication: Checks for active connections. If missing, creates an auth config and returns a connection URL via Auth Link.
  3. Execution: Executes the action using the authenticated connection.

Step-by-step Guide

Prerequisites

Before starting, make sure you have:
  • Claude Pro, Max, or API billing enabled Anthropic account
  • Composio API Key
  • A Supabase account
  • Basic knowledge of Python or TypeScript

Install Claude Code

bash
# macOS, Linux, WSL
curl -fsSL https://claude.ai/install.sh | bash

# Windows PowerShell
irm https://claude.ai/install.ps1 | iex

# Windows CMD
curl -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd

To install Claude Code, use one of the following methods based on your operating system:

Set up Claude Code

bash
cd your-project-folder
claude

Open a terminal, go to your project folder, and start Claude Code:

  • Claude Code will open in your terminal
  • Follow the prompts to sign in with your Anthropic account
  • Complete the authentication flow
  • Once authenticated, you can start using Claude Code
Claude Code initial setup showing sign-in prompt
Claude Code terminal after successful login

Set up environment variables

bash
COMPOSIO_API_KEY=your_composio_api_key_here
USER_ID=your_user_id_here

Create a .env file in your project root with the following variables:

  • COMPOSIO_API_KEY authenticates with Composio (get it from Composio dashboard)
  • USER_ID identifies the user for session management (use any unique identifier)

Install Composio library

pip install composio-core python-dotenv

Install the Composio Python library to create MCP sessions.

  • composio-core provides the core Composio functionality
  • python-dotenv loads environment variables from your .env file

Generate Composio MCP URL

import os
from composio import Composio
from dotenv import load_dotenv

load_dotenv()

COMPOSIO_API_KEY = os.getenv("COMPOSIO_API_KEY")
USER_ID = os.getenv("USER_ID")

composio_client = Composio(api_key=COMPOSIO_API_KEY)

composio_session = composio_client.create(
    user_id=USER_ID,
    toolkits=["supabase"],
)

COMPOSIO_MCP_URL = composio_session.mcp.url

print(f"MCP URL: {COMPOSIO_MCP_URL}")
print(f"\nUse this command to add to Claude Code:")
print(f'claude mcp add --transport http supabase-composio "{COMPOSIO_MCP_URL}" --headers "X-API-Key:{COMPOSIO_API_KEY}"')

Create a script to generate a Composio MCP URL for Supabase. This URL will be used to connect Claude Code to Supabase.

What's happening:
  • We import the Composio client and load environment variables
  • Create a Composio instance with your API key
  • Call create() to create a Tool Router session for Supabase
  • The returned mcp.url is the MCP server URL that Claude Code will use
  • The script prints this URL so you can copy it

Run the script and copy the MCP URL

python generate_mcp_url.py

Run your Python script to generate the MCP URL.

  • The script connects to Composio and creates a Tool Router session
  • It prints the MCP URL and the exact command you need to run
  • Copy the entire claude mcp add command from the output

Add Supabase MCP to Claude Code

bash
claude mcp add --transport http supabase-composio "YOUR_MCP_URL_HERE" --headers "X-API-Key:YOUR_COMPOSIO_API_KEY"

# Then restart Claude Code
exit
claude

In your terminal, add the MCP server using the command from the previous step. The command format is:

  • claude mcp add registers a new MCP server with Claude Code
  • --transport http specifies that this is an HTTP-based MCP server
  • The server name (supabase-composio) is how you'll reference it
  • The URL points to your Composio Tool Router session
  • --headers includes your Composio API key for authentication

After running the command, close the current Claude Code session and start a new one for the changes to take effect.

Verify the installation

bash
claude mcp list

Check that your Supabase MCP server is properly configured.

  • This command lists all MCP servers registered with Claude Code
  • You should see your supabase-composio entry in the list
  • This confirms that Claude Code can now access Supabase tools

If everything is wired up, you should see your supabase-composio entry listed:

Claude Code MCP list showing the toolkit MCP server

Authenticate Supabase

The first time you try to use Supabase tools, you'll be prompted to authenticate.

  • Claude Code will detect that you need to authenticate with Supabase
  • It will show you an authentication link
  • Open the link in your browser (or copy/paste it)
  • Complete the Supabase authorization flow
  • Return to the terminal and start using Supabase through Claude Code

Once authenticated, you can ask Claude Code to perform Supabase operations in natural language. For example:

  • "Create a new secret API key for my project"
  • "List all third-party auth providers configured"
  • "Delete Google OAuth from my Supabase project"

Complete Code

Here's the complete code to get you started with Supabase and Claude Code:

import os
from composio import Composio
from dotenv import load_dotenv

load_dotenv()

COMPOSIO_API_KEY = os.getenv("COMPOSIO_API_KEY")
USER_ID = os.getenv("USER_ID")

composio_client = Composio(api_key=COMPOSIO_API_KEY)

composio_session = composio_client.create(
    user_id=USER_ID,
    toolkits=["supabase"],
)

COMPOSIO_MCP_URL = composio_session.mcp.url

print(f"MCP URL: {COMPOSIO_MCP_URL}")
print(f"\nUse this command to add to Claude Code:")
print(f'claude mcp add --transport http supabase-composio "{COMPOSIO_MCP_URL}" --headers "X-API-Key:{COMPOSIO_API_KEY}"')

Conclusion

You've successfully integrated Supabase with Claude Code using Composio's MCP server. Now you can interact with Supabase directly from your terminal using natural language commands.

Key features of this setup:

  • Terminal-native experience without switching contexts
  • Natural language commands for Supabase operations
  • Secure authentication through Composio's managed MCP
  • Tool Router for dynamic tool discovery and execution

Next steps:

  • Try asking Claude Code to perform various Supabase operations
  • Add more toolkits to your Tool Router session for multi-app workflows
  • Integrate this setup into your development workflow for increased productivity

You can extend this by adding more toolkits, implementing custom workflows, or building automation scripts that leverage Claude Code's capabilities.

How to build Supabase MCP Agent with another framework

OpenAI Agents SDK

OpenAI Agents SDK

Use Supabase MCP with OpenAI Agents SDK

Claude Agent SDK

Claude Agent SDK

Use Supabase MCP with Claude Agent SDK

Google ADK

Google ADK

Use Supabase MCP with Google ADK

LangChain

LangChain

Use Supabase MCP with LangChain

Vercel AI SDK

Vercel AI SDK

Use Supabase MCP with Vercel AI SDK

Mastra AI

Mastra AI

Use Supabase MCP with Mastra AI

LlamaIndex

LlamaIndex

Use Supabase MCP with LlamaIndex

CrewAI

CrewAI

Use Supabase MCP with CrewAI

FAQ

What are the differences in Tool Router MCP and Supabase MCP?

With a standalone Supabase MCP server, the agents and LLMs can only access a fixed set of Supabase tools tied to that server. However, with the Composio Tool Router, agents can dynamically load tools from Supabase and many other apps based on the task at hand, all through a single MCP endpoint.

Can I use Tool Router MCP with Claude Code?

Yes, you can. Claude Code fully supports MCP integration. You get structured tool calling, message history handling, and model orchestration while Tool Router takes care of discovering and serving the right Supabase tools.

Can I manage the permissions and scopes for Supabase while using Tool Router?

Yes, absolutely. You can configure which Supabase scopes and actions are allowed when connecting your account to Composio. You can also bring your own OAuth credentials or API configuration so you keep full control over what the agent can do.

How safe is my data with Composio Tool Router?

All sensitive data such as tokens, keys, and configuration is fully encrypted at rest and in transit. Composio is SOC 2 Type 2 compliant and follows strict security practices so your Supabase data and credentials are handled as safely as possible.

Used by agents from

Context
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai
Context
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai
Context
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai

Never worry about agent reliability

We handle tool reliability, observability, and security so you never have to second-guess an agent action.

Book a call↗Get started for free