SupabaseS
Supabase6mo ago
UltraGeoPro

Supabase Auth session works, but RLS treats the request as unauthenticated in Flask

What I’m trying to do


I’m building a Flask backend that calls Supabase via the async Python client. The user successfully signs in and auth.get_user() returns the expected profile, but any subsequent SELECT on the users table returns zero rows. RLS seems to think the request is anonymous.

Environment


  • OS: MacOS Sequoia 15.5
  • Supabase client: supabase>=2.16.0
  • Python: 3.13.5
  • Flask: 3.1.1
## Code snippets

Client setup


options = AsyncClientOptions(
    storage=FlaskSessionStorage(),  # thin wrapper over flask.session
    auto_refresh_token=True,
    persist_session=True,
)
supabase = create_client(SUPABASE_URL, SUPABASE_ANON_KEY, options)


Sign-in


# works, saves session

await supabase.auth.sign_in_with_password(
    {"email": email, "password": password}
)


Read all users


async def read_all(self):
    result = await supabase.table("users").select("*").execute()
    return result.data              # ← always []


Read users route


async def get(self) -> tuple[Response, int]:
    all_users = await self.__users.read_all()
    # return 200 and json data


RLS policy


create policy "policy_name"
on public.users
as PERMISSIVE
for SELECT
to authenticated
using (true);


What’s going wrong


Even though the session is live and the JWT is attached, Postgres behaves as if the role is anon instead of authenticated, so the SELECT is filtered out by RLS.

What I’m looking for


  1. An explanation of what exactly causes this problem.
  2. Any pointers on which extra header / cookie / claim Supabase expects when using the async Python client in Flask.
  3. Known gotchas when combining Flask session storage with the supabase library.
  4. A minimal working example (with SUPABASE_ANON_KEY) that proves RLS + Supabase Auth with Python works on the server side.
Was this page helpful?