Generic passthrough to the Supabase Management API for fullstack apps. Naive injects its Supabase access token and forwards your request, so any operation the Management API supports can be performed against the app’s project — database queries and migrations, auth configuration, storage, edge functions, secrets, PostgREST settings, and more. The upstream path goes after /supabase/proxy/. The HTTP method, query parameters, and JSON body are forwarded as-is; the upstream status code and body are returned verbatim.
# Get the project's auth configuration
curl "https://api.usenaive.ai/v1/apps/094cdfb5-c4dc-494d-91dc-8a0c1c3e94c2/supabase/proxy/v1/projects/abcdefghijklmnop/config/auth" \
  -H "Authorization: Bearer nv_sk_live_..."

# Update auth config (e.g. set the site URL)
curl -X PATCH "https://api.usenaive.ai/v1/apps/:id/supabase/proxy/v1/projects/abcdefghijklmnop/config/auth" \
  -H "Authorization: Bearer nv_sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"site_url": "https://myapp.com"}'

# Run SQL directly
curl -X POST "https://api.usenaive.ai/v1/apps/:id/supabase/proxy/v1/projects/abcdefghijklmnop/database/query" \
  -H "Authorization: Bearer nv_sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"query": "select * from users limit 10"}'

# List edge functions
curl "https://api.usenaive.ai/v1/apps/:id/supabase/proxy/v1/projects/abcdefghijklmnop/functions" \
  -H "Authorization: Bearer nv_sk_live_..."
{
  "site_url": "https://myapp.com",
  "jwt_exp": 3600,
  "disable_signup": false,
  "external_email_enabled": true,
  "external_google_enabled": false
}

Scoping Rules

Naive holds an org-wide Supabase access token, so every request is validated against the app before it is forwarded:
| Path pattern | Rule |
| --- | --- |
| v1/projects/{ref}/** | {ref} must be this app’s Supabase project ref (visible as supabase.projectRef on GET /v1/apps/:id). |
Blocked:
  • DELETE on the project itself — use DELETE /v1/apps/:id so all linked infrastructure is cleaned up together.
  • All org/account-level paths (listing organizations, creating projects, other projects) — 403 forbidden.
Requires a fullstack app — frontend_only apps have no Supabase project and return 501 feature_not_configured.
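
The scoping rules above, written out as a path check a proxy holding an org-wide token could run before forwarding. This is an added example, not Naive's implementation: the function name, the return convention, the rejection of dot and encoded segments, and the 403 status for DELETE on the project itself are assumptions.

```python
from urllib.parse import unquote

# Rejections the page documents: (HTTP status, error code).
FORBIDDEN = (403, "forbidden")
NOT_CONFIGURED = (501, "feature_not_configured")


def check_proxy_request(method, upstream_path, app_project_ref):
    """Return None when the request may be forwarded, else (status, code).

    upstream_path is the part after /supabase/proxy/; app_project_ref is the
    app's supabase.projectRef, or None for a frontend_only app.
    """
    if app_project_ref is None:
        return NOT_CONFIGURED
    raw = upstream_path.split("?", 1)[0].strip("/")
    segments = [unquote(s) for s in raw.split("/")]
    # Assumption (hardening the page does not spell out): refuse empty or dot
    # segments and encoded separators, so the ref checked here is the ref the
    # upstream API resolves.
    for s in segments:
        if s in ("", ".", "..") or "/" in s or "\\" in s or "%" in s:
            return FORBIDDEN
    # Only v1/projects/{ref}/** is in scope; org/account-level paths are not.
    if len(segments) < 3 or segments[:2] != ["v1", "projects"]:
        return FORBIDDEN
    if segments[2] != app_project_ref:
        return FORBIDDEN
    # DELETE on the project itself is blocked (403 is assumed for this case).
    if method.upper() == "DELETE" and len(segments) == 3:
        return FORBIDDEN
    return None


# Constructed sample requests, using the placeholder ref from the page.
REF = "abcdefghijklmnop"
SAMPLES = [
    ("GET", f"v1/projects/{REF}/config/auth"),
    ("POST", f"v1/projects/{REF}/database/query"),
    ("DELETE", f"v1/projects/{REF}/"),
    ("GET", "v1/organizations"),
    ("GET", "v1/projects/qrstuvwxyzabcdef/secrets"),
    ("GET", f"v1/projects/{REF}/../qrstuvwxyzabcdef/secrets"),
]

if __name__ == "__main__":
    for method, path in SAMPLES:
        print(method, path, "->", check_proxy_request(method, path, REF) or "forward")
```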

Methods

GET, POST, PATCH, PUT, DELETE, with JSON bodies.

Useful Operations

| Operation | Method + path |
| --- | --- |
| Run SQL | POST v1/projects/{ref}/database/query |
| Apply a tracked migration | POST v1/projects/{ref}/database/migrations |
| Auth config | GET / PATCH v1/projects/{ref}/config/auth |
| Storage config | GET / PATCH v1/projects/{ref}/config/storage |
| Edge functions | GET / PUT v1/projects/{ref}/functions |
| Project secrets | GET / POST v1/projects/{ref}/secrets |
| PostgREST config | GET / PATCH v1/projects/{ref}/postgrest |
| API keys | GET v1/projects/{ref}/api-keys |
| Project health | GET v1/projects/{ref}/health |
Consult the Supabase Management API reference for the complete catalog, parameters, and response shapes.

Data Plane Passthrough

Beyond the Management API (api.supabase.com), four data-plane passthroughs hit the app’s own Supabase project URL with the service-role key injected. Each backs a first-class primitive:
| Route | Forwards to | Primitive |
| --- | --- | --- |
| ANY /v1/apps/:id/db/rest/* | {projectUrl}/rest/v1/* (PostgREST) | Database |
| ANY /v1/apps/:id/storage/proxy/* | {projectUrl}/storage/v1/* | Storage |
| ANY /v1/apps/:id/auth/proxy/* | {projectUrl}/auth/v1/* (GoTrue) | Auth |
| ANY /v1/apps/:id/functions/proxy/* | {projectUrl}/functions/v1/* | Edge Functions |
# PostgREST: select rows (Prefer makes inserts return the created row)
curl "https://api.usenaive.ai/v1/apps/:id/db/rest/users?select=id,email&limit=10" \
  -H "Authorization: Bearer nv_sk_live_..."

# Storage: list buckets
curl "https://api.usenaive.ai/v1/apps/:id/storage/proxy/bucket" \
  -H "Authorization: Bearer nv_sk_live_..."

# Auth (GoTrue admin): list end-users
curl "https://api.usenaive.ai/v1/apps/:id/auth/proxy/admin/users" \
  -H "Authorization: Bearer nv_sk_live_..."

# Functions: invoke
curl -X POST "https://api.usenaive.ai/v1/apps/:id/functions/proxy/hello" \
  -H "Authorization: Bearer nv_sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"name":"world"}'
All four routes forward requests with the app’s service-role key, which bypasses RLS, so treat them as admin access. PostgREST behavior headers (Prefer, Range, Accept, Accept-Profile, Content-Profile) are forwarded on db/rest.

Errors

403
{
  "error": {
    "code": "forbidden",
    "message": "Path must reference this app's Supabase project (v1/projects/abcdefghijklmnop/...)"
  }
}
Upstream Supabase errors (4xx/5xx) are passed through with their original status code and body.