An authorization rule that controls what actions a user can perform on data, enforced through RLS policies in Supabase.
Permissions control what a user is allowed to do in your app. Can they read all posts? Can they edit only their own? Can they delete anything? Permissions answer these questions.
In Supabase, permissions are enforced through Row Level Security and RLS Policies. Each policy grants a specific permission:
Permissions are usually tied to Authentication:
- auth.uid() = user_id → "You can only access your own data"
- auth.role() = 'authenticated' → "Any logged-in user can do this"
- true → "Anyone can do this, even anonymous users"

Permission errors and debugging:
When permissions block an operation, you'll see specific status codes:
- 401 Unauthorized → No auth token (user isn't logged in)
- 403 Forbidden → Auth token exists but permission denied (wrong RLS policy)
- 200 OK with empty data → RLS silently blocked a SELECT query

The Network Tab is your best tool for diagnosing permission issues. Check the response body for error messages, and check the request headers for the Authorization token.
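The three policy conditions listed above, written out as RLS policies. This is an added example, not code from the original page; the `posts` and `notes` tables and their columns are hypothetical.

```sql
-- Hypothetical tables for illustration; names are assumptions, not from the page.
create table public.posts (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid() references auth.users (id),
  title   text not null
);

create table public.notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid() references auth.users (id),
  body    text not null
);

-- With RLS enabled and no policy, every row is hidden and every write is rejected.
alter table public.posts enable row level security;
alter table public.notes enable row level security;

-- true: anyone can read posts, even anonymous users.
create policy "posts are public"
  on public.posts for select
  using (true);

-- auth.role() = 'authenticated': any logged-in user can create a post,
-- and auth.uid() = user_id stops them from writing rows under another user's id.
create policy "logged-in users create their own posts"
  on public.posts for insert
  with check (auth.role() = 'authenticated' and auth.uid() = user_id);

-- auth.uid() = user_id: only the owner can change or delete a post.
create policy "owners update their posts"
  on public.posts for update
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "owners delete their posts"
  on public.posts for delete
  using (auth.uid() = user_id);

-- notes has a single owner-only SELECT policy and no write policies.
-- A SELECT by anyone else returns zero rows without an error (the
-- "200 OK with empty data" case); an INSERT is rejected with an RLS error.
create policy "owners read their notes"
  on public.notes for select
  using (auth.uid() = user_id);
```

An empty result from `notes` with no error usually means no SELECT policy matched the caller, which is worth ruling out before assuming the table has no data.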
Related: Row Level Security, RLS Policy, Authentication, Token, Status Code, Network Tab, HTTP Response, HTTP Header
Permissions are enforced through Authorization — the process of checking what a user is allowed to do after they've been authenticated.