Here's the thing nobody warns you about when you put Supabase behind a "real" backend.
My stack is React + FastAPI + Supabase Postgres. Every write goes through FastAPI. Every endpoint checks the user, the role, the ownership. I audited that backend HARD — rate limits, JWT validation, RLS, the whole thing. I was proud of it.
And none of it mattered for the two holes I actually shipped.
Because the Supabase anon key lives in the browser. It HAS to — that's how supabase-js talks to your project. Which means every logged-in user is holding a key that talks to Postgres directly. Not through my FastAPI. Around it.
That anon key is a SECOND API. And I'd spent months hardening the first one while the second one sat there, wide open, the whole time.
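The fix for that second API is to make the database itself enforce what the FastAPI layer was already enforcing. Below is an added example (not the author's code) of the Postgres side of that for Supabase: RLS switched on, the browser-facing roles stripped of write privileges so every mutation has to come through the backend, a read policy keyed on `auth.uid()`, and an audit query that lists any public table the anon key could still reach unguarded. The table `public.projects(id, owner_id, name)` is a hypothetical stand-in for whatever the app exposes; `anon`, `authenticated`, `service_role` and `auth.uid()` are Supabase's built-in roles and helper.

```sql
-- Added example (not the author's code). Assumes a hypothetical table
-- public.projects(id, owner_id, name) whose writes are supposed to go only
-- through the backend, which connects with the service_role key (that role
-- bypasses RLS, so the audited FastAPI path is unaffected by the changes below).

-- 1. Turn on row-level security. Without this the policies are never consulted
--    and the anon/authenticated roles can do whatever the table GRANTs allow.
alter table public.projects enable row level security;
-- FORCE makes the policies apply to the table owner as well.
alter table public.projects force row level security;

-- 2. Remove Supabase's permissive default grants for the browser-facing roles.
revoke all on table public.projects from anon, authenticated;

-- 3. Re-grant only what the client is meant to do directly: reads.
grant select on table public.projects to authenticated;

-- 4. Policy: a logged-in user sees only the rows they own.
--    auth.uid() returns the "sub" claim of the caller's JWT.
create policy "owner can read own projects"
  on public.projects
  for select
  to authenticated
  using (owner_id = auth.uid());

-- No INSERT/UPDATE/DELETE grant and no policy for those verbs: a write sent
-- with the anon key through supabase-js is rejected, so the only remaining
-- write path is the backend.

-- 5. Audit: every public table that is either missing RLS entirely or has
--    RLS on but no policies (the second case denies everything, which is
--    safe, but worth knowing about so a later "quick fix" policy is deliberate).
with policy_counts as (
  select schemaname, tablename, count(*) as policy_count
  from pg_policies
  group by schemaname, tablename
)
select t.schemaname,
       t.tablename,
       t.rowsecurity,
       coalesce(p.policy_count, 0) as policy_count
from pg_tables t
left join policy_counts p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public'
  and (t.rowsecurity = false or coalesce(p.policy_count, 0) = 0)
order by t.tablename;
```

Run this as the `postgres` role in the Supabase SQL editor or `psql`. Any row the audit query returns with `rowsecurity = false` is a table the anon key can read or write around the backend, subject only to grants; that list is worth adding to CI so a new table cannot ship without RLS.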