appycodes.

Our default BaaS choice, and the team you call when the prototype meets production load.

We don't just build on Supabase, we teach it. Live sessions for practising CAs on Lovable + Supabase + Vercel + Cloudflare + Make.com. We train the same audience we sell to.

Engagement scope · Draft

#SUPA-2026-001
  • Production-hardening AI prototypes
  • Multi-role RLS auth design
  • Stripe + Supabase + Resend stack
  • Database design & migration
TotalProduction-grade, scoped on intake

What you get

Six engagement shapes. Each one a definition-of-done.

We don't ship demo-grade Supabase. Each engagement below includes the unsexy production work most prototypes skip.

01

Production-hardening AI prototypes

Lovable / Bolt / Cursor / v0 apps moved from 'works on the demo' to 'works under real load.' RLS on every table, indexes on join columns, backups, env separation, audit columns, soft deletes.

02

Multi-role auth design

Admin / Team / Client. Parent / Child (family billing on youth sports). Vendor / Buyer. RLS policies that enforce the model at the database, not in app code that someone will eventually forget.

03

Stripe + Supabase + Resend

Default starter stack. Webhook to service-role-key to database write, done correctly. Idempotency, signature verification, dead-letter handling.

04

Database design & migration

When to use Postgres views, when to use Edge Functions, when to reach for triggers, when to skip them and put it in app code. Opinions backed by production scars.

05

Supabase + Next.js

Server actions, SSR auth, cookie-based session handling. The patterns that don't break the moment you turn on caching.

06

Supabase + React Native / Expo

Mobile patterns: offline-first writes, secure storage of auth tokens, realtime channels where the product actually needs them.

Prototype-to-production checklist

What ships in a prototype. What ships in production.

Twelve items, two columns. The middle column is what a typical Lovable / Bolt build has on day one. The right is what we add before it sees real users.

Item
Prototype
Production
Tables created
Basic auth working
Working UI
RLS policies on every table
Indexes on join + lookup columns
Backup strategy + restore tested
Environment separation (dev/staging/prod)
Webhook secrets in env, not source
Error logging + alerting
Rate limiting on Edge Functions
Soft deletes where data matters
Audit columns (created_by, updated_at)

Multi-role RLS, drawn at the database

The access model lives in Postgres, not in app code.

Anonymised schema from the CA compliance calendar. Row Level Security joins users to clients through an assignments table, so a team member only ever reads the clients actually assigned to them.

ANONYMISED SCHEMA · CA COMPLIANCE CALENDARauth.usersid (uuid)emailrole (admin/team/client)clientsid (uuid)nameowner_id to usersRLS: per ownerteam_assignmentsteam_id to usersclient_id to clientsPK (team_id, client_id)submissionsid (uuid)client_id to clientsdeadline_idstatus, submitted_atdeadlines (seeded)id, code (GSTR-3B, ITR)due_at (per client)frequency

Evidence

Three engagements. Each one a different shape of Supabase work.

Multi-role RLS · production

CA Compliance Calendar

Built for an Indian CA firm: a compliance calendar tracking GST, ROC, and Income Tax deadlines across multiple clients and team members. Multi-role auth (Admin / Team / Client) enforced via Supabase Row Level Security policies.

Email reminders via Resend, WhatsApp via wa.me click-to-send (no paid API). Client portal lets clients mark their own submissions. Real RLS work, real production constraints, real-world Indian statutory deadline data seeded.

-- RLS: clients see only their own submissions
create policy "clients_own_submissions"
on submissions for select
using (auth.uid() = client_id);

-- team members see their assigned clients
create policy "team_assigned_clients"
on submissions for select
using (
  exists (
    select 1 from team_assignments
    where team_assignments.team_id = auth.uid()
      and team_assignments.client_id = submissions.client_id
  )
);

Teaching · authority

Live training for Chartered Accountants

We ran a live session for practising CAs on AI-assisted app building. Stack: Lovable + Supabase + Vercel + Cloudflare + Make.com. Covered creating Supabase tables, connecting from Lovable, setting up Row Level Security (critical for professionals handling client data), user signup, data persistence and retrieval.

Also covered when Supabase is the right call versus Google Sheets as a 'backend lite.' We train the same audience we sell to. That is an authority signal most agencies cannot make.

# Stack we teach
- Lovable (UI assembly)
- Supabase (DB + auth + storage)
- Vercel (deploy)
- Cloudflare (DNS, R2, WAF)
- Make.com (automations)

Public engineering content

The Jio-DNS-Supabase write-up

We published a piece explaining why Jio's ISP-level DNS blocks Supabase connections (affecting Lovable users in India specifically), and how to work around it with alternative DNS servers.

One of our most useful pieces of public engineering content, and it speaks directly to the Lovable user trying to ship a real app from India.

# workaround
- Set DNS to 1.1.1.1 / 8.8.8.8
- Or use a hosts file override
- Or use Cloudflare WARP

# /blog/fix-lovable-app-jio-internet-supabase-dns/

Pairs naturally with AI app completion (the Lovable graduation engagement), SaaS web app development, Stripe billing, and internal tools where RLS and multi-role auth carry the access model.

Good fit if

When RLS is non-negotiable

  • Founders graduating from Lovable / Bolt / v0 / Cursor prototypes to production
  • Apps handling client data where RLS is non-negotiable (accounting, legal, healthcare-adjacent)
  • Multi-role products: admin/team/client, parent/child, vendor/buyer
  • Teams who tried Firebase and want Postgres semantics back

Probably not a fit

When a managed BaaS is the wrong tool

  • Apps that need full backend ownership and don't want a managed BaaS
  • Workloads requiring dedicated DB resources for cost reasons at scale (move to self-hosted Postgres)
  • Pure backend services with no auth, storage, or realtime: plain Postgres is fine

Supabase surface we ship on

Postgres semantics, plus the managed parts that matter.

Database
Postgres · RLS policies · functions / triggers · views · pg_cron
Auth
Supabase Auth · email + OAuth · custom claims · server-side session
Compute
Edge Functions · Deno runtime · cron schedules
Storage
Supabase Storage · bucket policies · signed URLs
Realtime
Supabase Realtime · channels · broadcast · presence
Frontend
Next.js · React · React Native / Expo · Lovable graduation

If the prototype works but won't survive load

Bring the Lovable URL. We'll have a hardening plan inside a week.

Contact