Why do AI-built apps have so many Supabase RLS problems?

Because Lovable, Bolt, v0, and Cursor scaffold Supabase tables with RLS disabled for speed, then either leave it disabled in production (a data leak) or enable it at the last minute without writing the matching USING and WITH CHECK policies (every insert fails silently). The Supabase dashboard itself warns on tables without RLS, but the warning is easy to dismiss during scaffolding. The fix is always the same: enable RLS, write one USING policy for SELECT and one WITH CHECK policy for INSERT/UPDATE/DELETE, match auth.uid() to the ownership column.

My Supabase insert returns 200 but no row appears. What is happening?

Three common causes. (1) RLS is enabled with a SELECT policy but no INSERT policy — the insert succeeds into a transaction, then the RLS check on the returned row fails silently and the transaction rolls back. (2) The client is calling .insert(...).select() with a filter that does not match the new row. (3) The app is using the service-role key in one place and the anon key in another, and the anon key is invisible to RLS-owning rows. Inspect the Supabase logs for the actual SQL and the RLS outcome.

When is an N+1 query a real problem vs a premature optimization?

N+1 is a real problem the moment the page renders a list and each list item fetches its own detail. With 20 items and 50ms per query, that is a second of synchronous latency before the page is interactive. AI tools generate N+1 constantly because they write the list and detail logic as separate useEffect hooks. Fix with Prisma include, Supabase nested select, or Dataloader. The typical improvement is 1.4 seconds TTFB down to 60 milliseconds.

Why does my Supabase or Postgres database crash at 30 users?

Prisma defaults to a connection pool size of 10 per serverless instance. Vercel spins up a new instance per concurrent request at cold start. 30 concurrent users on a fresh deploy instantiates 30 Prisma clients, each trying to hold 10 Postgres connections — 300 connections against a Supabase free tier cap of 60. Prisma throws P1001 or Postgres returns FATAL too many clients. Fix: use the Supabase pooled DATABASE_URL (port 6543 with pgbouncer) and set connection_limit=1 in the connection string.

Should I use the Supabase anon key or the service role key in server routes?

Service role key for server-side code that needs to bypass RLS (admin operations, cron jobs, webhooks writing to multiple users' data). Anon key for any code that runs on behalf of a signed-in user — the anon key carries the user's JWT and respects RLS. Never put the service role key in a client-side env var, never expose it with a NEXT_PUBLIC_ prefix, never log it. If the service role key ever reaches the browser, rotate it immediately.

How do I know if my database performance problem is a schema issue or a query issue?

Open the Supabase Dashboard → Database → Query Performance or run EXPLAIN ANALYZE on the offending query. Sequential scans on large tables are a schema issue (missing index). Hash joins against 100k rows are a query issue (select too wide, filter too late). A plan with 101 lines is an N+1 at the application layer, not a database problem at all. Fix the application pattern first; add indexes after profiling shows a single query that is slow at the database layer.

§ FIX/DB/database fixes

Database fixes for AI-built apps

The database layer is where AI-built apps leak data in production. Lovable, Bolt, v0, Cursor, and Claude Code scaffold Supabase and Postgres schemas with Row-Level Security disabled for speed, then either leave it off (a multi-tenant data leak) or turn it on at the last minute without writing the USING and WITH CHECKpolicies that make inserts work (every write silently fails). Per Supabase's 2025 best-practices guidance, any public table without explicit RLS policies is treated as readable to every anon key holder. This hub groups every database-category fix on the site — RLS, silent inserts, N+1, connection-pool exhaustion, storage uploads — into one navigable index.

By Hyder ShahFounder · Afterbuild LabsLast updated 2026-04-18

Free rescue diagnostic →Emergency triage — $299 · 48h

5
Indexed database fixes: 1.4s → 60ms
Typical N+1 fix TTFB: 30
Users that tip over a default pool: 100%
Root-cause fix

§ 01/scope

What this hub covers

This hub covers failures at the data layer: Supabase Row-Level Security, silent insert failures, N+1 query patterns, connection-pool exhaustion under load, and storage-bucket 403s. Primary surfaces are Supabase (Postgres plus storage plus auth), Prisma on Postgres/Neon, and raw Postgres connections. The failure modes are largely provider-agnostic — RLS and connection-pooling patterns transfer between Supabase, Neon, and self-hosted Postgres.

What this hub does not cover: authentication (covered in the auth hub), Stripe customer linkage (payments hub), or general 500 errors where the database happens to be the final failure mode (deploy hub). If the root cause is a missing RLS policy, a slow query, a connection-pool cap, or a storage permission, it belongs here. If the root cause is that the user is not signed in or a webhook is unverified, it belongs in another hub.

§ 02/common failures

The most common failures

Five database-category failure modes appear in every AI-built app rescue intake. Each is a predictable consequence of the generator optimizing for the single-user demo path and never stressing the multi-user production path.

RLS enabled without matching policies. The most common symptom is 42501 permission denied on select, or a silent PGRST116 on insert. The table has RLS turned on but no WITH CHECK policy covering INSERT, so every write fails. See Supabase RLS blocking insert.
Insert returns 200 but the row never appears. RLS with a SELECT policy but no INSERT policy, a .select() filter that excludes the new row, or the anon key writing to a table only the service-role can see. The client reads success; the database never wrote. See Database saves with no error and no row.
N+1 queries on every list page. AI tools generate list/detail patterns as separate useEffect hooks. 20 rows, 21 queries, 1.4 seconds of synchronous latency. Fix with Prisma include, Supabase nested select, or a Dataloader. See N+1 query slow page load.
Connection pool exhausted under load. Prisma on serverless instantiates a new client per concurrent request. The Supabase free tier caps at 60 connections; 30 concurrent users with default settings exhausts the cap and throws P1001 or FATAL: too many clients. Switch to the pooled DATABASE_URL (pgbouncer, port 6543) with connection_limit=1. See App crashes under load.
Supabase storage 403 on upload. Storage buckets are RLS-governed separately from tables. AI-scaffolded uploads miss the matching storage.objects policy on the bucket or push to a path prefix that does not match auth.uid(). See Supabase storage upload 403.
Service-role key in a client bundle. Not its own leaf because it is a pattern, not a symptom. A NEXT_PUBLIC_SUPABASE_SERVICE_ROLE in .envexposes the key to every visitor's devtools and grants full database access. Rotate immediately and move server-only keys out of any NEXT_PUBLIC_ variable.

§ 03/indexed fixes

Indexed database fixes

Each link is a root-cause walkthrough: exact error string, the commit shape that produced it, the fix, and the regression test.

§ 04/shared root causes

Shared root causes

Database symptoms cluster into four root causes. Rule each out before reading individual queries.

Security model written in a hurry, or not at all. RLS disabled, left at the default permissive, or enabled without the corresponding INSERT/UPDATE policies. Storage buckets without object-level policies. Service-role key used where the anon key would be correct (or worse, the other way around).
Query patterns that assume one user. N+1 list/detail loops, no pagination, select * returning joined multi-megabyte rows, and missing indexes on the filter columns the app actually uses.
Connection topology wrong for serverless. Direct Postgres connections from Vercel functions, no pooler, default Prisma connection_limit=10. The architecture works for one test user and breaks at the first ten concurrent requests.
Client/server key confusion. Anon key used where service-role is required (silent permission failures) or service-role used in client code (a catastrophic leak). Both stem from AI tools not distinguishing the two surfaces clearly in the scaffold.

§ 05/prevention checklist

Prevention checklist

Merge these before the next database-touching deploy. Each one closes a class of silent failure.

Enable RLS on every public table. Write one USING policy for SELECT and one WITH CHECK policy for INSERT/UPDATE/DELETE matching auth.uid() to the ownership column.
Write an integration test that inserts a row as User A and asserts User B cannot read it. Run it on every migration.
Route all Prisma traffic through the pooled DATABASE_URL (port 6543 on Supabase, pgbouncer equivalent on Neon). Set connection_limit=1 in serverless.
Keep the service-role key in server-only env vars. Never prefix with NEXT_PUBLIC_. Never log it, never send it to a logging service unsanitized.
Add an index on every foreign key column and every column used in a where filter the app actually ships.
Replace list/detail useEffect patterns with Prisma include, Supabase nested select (select("*, detail(*)")), or a Dataloader.
Add a Supabase storage bucket policy for every bucket before the first upload hits production.
Run the app under a load test of at least 50 concurrent requests against a fresh deploy. Connection-pool exhaustion only appears under load.
Audit the SQL log (Supabase Dashboard → Database → Logs) after every deploy for unexpected error codes — especially 42501, PGRST116, and FATAL entries.
Back up the database on a schedule independent of the platform's default snapshots, and test the restore path before the first incident.

§ 06/escalation signals

When to bring in a developer

Most database fixes resolve in 30–90 minutes once the cause is identified. Bring in a developer immediately if: users report seeing each other's data, an audit log shows cross-tenant reads, the service-role key has ever shipped in a client bundle, a migration has been reverted more than once, or the app is repeatedly OOM-killed on Vercel function invocations against the database.

Escalate without delay for any incident that could constitute a data leak or PII exposure. Book the Security Audit for a full RLS and data-isolation review, or the Emergency Triage for a single blocking database incident.

§ 07/related clusters

Related clusters

For the stack-wide walkthrough of Supabase, read the Supabase fix stack hub. For Prisma and Neon specifically, read the Prisma/Neon fix stack hub. If the app is on Firebase, the Firebase rescue hub covers equivalent security-rule failures. For platform-specific database failures, see Lovable RLS disabled, Bolt RLS disabled, v0 add backend, and Replit slow database. When the database symptom chains into another category, continue at the payment fix hub, the auth fix hub, or the deploy fix hub.

Next step

Data leaking or queries timing out?

Book the 48-hour emergency triage for one database-blocking fix, fixed price, refund if we miss. Or the free diagnostic for a written rescue-vs-rewrite recommendation.

Emergency triage — $299 →Free rescue diagnostic

Database fixes for AI-built apps

What this hub covers

The most common failures

Indexed database fixes

Supabase RLS blocking insert

Database saves with no error and no row

N+1 query slow page load

App crashes under load

Supabase storage upload 403

Shared root causes

Prevention checklist

When to bring in a developer

Related clusters

Data leaking or queries timing out?