Skip to main content

Self Hosting

Supabase is a Hosted Platform, so you don't have to deploy it yourself. However, if you want to configure and deploy it yourself, that's also possible.

Supabase Architecture

Before you begin#

The self-hosted version of Supabase does not include a UI yet. We are working on this in stages, starting with our UI library and with a WIP PR here. [more context]

In the meantime, here are some suggestions for working with your Postgres Database:

Get the Docker Compose#

We provide a Docker Compose directory which is includes all of the tools required for building on top of Supabase.

Download the Docker files:

# 1. Copy an empty repogit clone https://github.com/supabase/supabase
# 2. Move into the empty repocd supabase/docker

Running Locally#

Now that you have the Docker set up on your local machine, you can start it here by running

docker-compose up

Deploying#

Configuring each service#

Supabase is made up of several services. We have prefilled the docker-compose file with all the configuration you need to get started. If you would like to change any of the configuration, you can update the env variables in the docker-compose file.

Here are a list of environment variables for each service:

Configure persistent storage#

The default docker-compose file does not use volumes, as it is also used for local development where transiency is desirable. For non-dev self-hosted setups, you'll likely want to provision storage volumesstorage-options for the stateful services:

  • Postgres: the data dir for PG12 is located at /var/lib/postgresql/12
  • Storage: the default data dir is /var/data/storage

For the Storage service, you can also choose to configure it to use an s3 bucket instead.

Update secrets#

If you are deploying to production, you should update the default passwords and secrets.

Update API keys#

All config for the API Gateway is stored in the kong directory. Inside kong.yml you'll find the routing for all services, the routing rules, and down the bottom you'll find the JWTs capable of accessing services that require API Key access.

See the full docs here.

If you are deploying to production, you should encode a new anon and service_role API key and update them here.

After you have regenerated the JWT secret in the step above, use a JWT generator (for example, using jsonwebtoken.io) to regenerate the API Keys using the payloads below:

# anon Payload:{ "iss": "supabase", "iat": 1603968834, "exp": 2550653634, "aud": "", "sub": "", "role": "anon"}# service_role Payload:{ "iss": "supabase", "iat": 1603968834, "exp": 2550653634, "aud": "", "sub": "", "role": "service_role"}

Configuring email#

GoTrue requires an SMTP server to send emails for all authentication actions. You will need to provide the following settings inside the .env file here.

Deploying#

See the following guides to deploy Docker Compose setup using your preferred tool and platform:

Example environment variable configuration#

The default environment variable configuration for most services should be sufficient. The default GoTrue config may not support all the settings you require to get up and running.

For brevity, here is an example of what the environment variables for the auth / GoTrue container might look like once the service is deployed:

GOTRUE_OPERATOR_TOKEN=your-super-secret-operator-tokenGOTRUE_JWT_DEFAULT_GROUP_NAME=authenticated
# Make sure this JWT secret matches what was configured during setupGOTRUE_JWT_SECRET=your-super-secret-jwt-token-with-at-least-32-characters-long
# How long should JWT tokens be valid for?GOTRUE_JWT_EXP=3600
# Since Supabase is based on Postgres, you shouldn't need to change thisGOTRUE_DB_DRIVER=postgres
# What schema should requests be routed to?# There should be no reason to change thisDB_NAMESPACE=auth
# Where is our auth/GoTrue located# You shouldn't need to change these unless the ports are mapped differentlyGOTRUE_API_HOST=0.0.0.0PORT=9999
# Email settings# You must set these if you want to be able to send emailsGOTRUE_SMTP_HOST=smtp.your-email-host.comGOTRUE_SMTP_PORT=465GOTRUE_SMTP_USER=your-smtp-userGOTRUE_SMTP_PASS=your-smtp-password
# Should users be required to confirm their email address before they can log in?# If set to false, users won't have to confirm their registration# If set to true, users will have to click the link in their email to confirmGOTRUE_MAILER_AUTOCONFIRM=false
# What is the 'from' address that emails are sent from?GOTRUE_SMTP_ADMIN_EMAIL=noreply@example.com
# Remove this if you don't want debug logsGOTRUE_LOG_LEVEL=debug
# The connection string for your database# `@db` says we're looking for the container called 'db' on our docker networkDATABASE_URL=postgres://postgres:your-super-secret-and-long-postgres-password@db:5432/postgres
# Email templates# Invite user - provide a URL to a HTML or Text templateGOTRUE_MAILER_TEMPLATES_INVITE=https://example.com/path/to/your/invite/template.html
# Confirm registration - provide a URL to a HTML or Text templateGOTRUE_MAILER_TEMPLATES_CONFIRMATION=https://example.com/path/to/your/confirmation/template.html
# Password recovery - provide a URL to a HTML or Text templateGOTRUE_MAILER_TEMPLATES_RECOVERY=https://example.com/path/to/your/password_reset/template.HTML
# Magic link - provide a URL to a HTML or Text templateGOTRUE_MAILER_TEMPLATES_MAGIC_LINK=https://example.com/path/to/your/magic_link/template.html
# GoTrue URLs# These are appended after the API_EXTERNAL_URL# You shouldn't need to change theseGOTRUE_MAILER_URLPATHS_CONFIRMATION=/auth/v1/verifyGOTRUE_MAILER_URLPATHS_INVITE=/auth/v1/verifyGOTRUE_MAILER_URLPATHS_CONFIRMATION=/auth/v1/verifyGOTRUE_MAILER_URLPATHS_RECOVERY=/auth/v1/verify
# Site URLs# This is where the user will be redirected to after clicking a link in an email and after oAuthGOTRUE_SITE_URL=https://example.com/redirect_to_hereGOTRUE_URI_ALLOW_LIST=https://example.com/redirect_to_here
# This is the URL where your supabase stack is accessible# i.e. this is the endpoint URL you would pass into a `createClient()` call in the supabase-js libraryAPI_EXTERNAL_URL=https://database.example.com/
# Set this to true if you want to prevent signing up with email and passwordGOTRUE_DISABLE_SIGNUP=true
# oAuth# If you are not using oAuth to login (e.g. Login with Facebook), you can ignore the below# If you want to disable oAuth for a specific provider, set the `GOTRUE_EXTERNAL_<provider>_ENABLED` to false# Github oAuthGOTRUE_EXTERNAL_GITHUB_CLIENT_ID=your_github_client_idGOTRUE_EXTERNAL_GITHUB_SECRET=your_github_client_secretGOTRUE_EXTERNAL_GITHUB_ENABLED=true
# Google oAuthGOTRUE_EXTERNAL_GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.comGOTRUE_EXTERNAL_GOOGLE_SECRET=your-google-secretGOTRUE_EXTERNAL_GOOGLE_ENABLED=true
# Facebook oAuthGOTRUE_EXTERNAL_FACEBOOK_CLIENT_ID=your-facebook-client-idGOTRUE_EXTERNAL_FACEBOOK_SECRET=your-facebook-app-secretGOTRUE_EXTERNAL_FACEBOOK_ENABLED=true
# Add other oAuth provider details below

More details can be found in the 'Configuring each service section' above.

One-click deploys#

For some tools we also provide images and deployments into cloud marketplaces:

Postgres#

Realtime#

Next steps#


  1. Other deployment platforms will usually provide an alternative mechanism for persistent disk storage, e.g. Persistent Volumes in Kubernetes