Question about using native PostgreSQL roles with Supabase Auth

I'm currently working on a multi-organization project and would like to better understand how native PostgreSQL roles interact with Supabase Auth.

As I understand it, Supabase uses the anon and authenticated roles to manage database access, and permissions are typically handled through RLS policies. However, I’m exploring whether it’s possible to assign native PostgreSQL roles (e.g., admin, teacher, student) directly to users created through Supabase Auth — so that those roles could leverage PostgreSQL’s built-in GRANT system and role inheritance, instead of replicating role logic at the application or RLS level.

In short, I’d like to clarify:

- Is it currently possible for a user authenticated via Supabase Auth to inherit or use a PostgreSQL role other than authenticated?
- If not, is there a technical or architectural reason that prevents this? (And is there any plan to support it in the future?)
- Finally — would it be safe or supported to modify the role field directly in auth.users to manage these roles, or is that field purely internal to Supabase Auth?
1 Reply
garyaustin, 2w ago
Yes, that can be done. You create the roles and grant them to the authenticator role at a minimum. Then you set the role claim in the JWT (auth hooks have a convenient way to get this from a table by user_id). You technically can modify the auth.users role claim also. You might also want to grant those roles the authenticated role just so basic stuff works for everyone.

Note though Supabase prefers just using RLS with the custom role claim as an authenticated user with that claim.
https://supabase.com/docs/guides/database/postgres/custom-claims-and-role-based-access-control-rbac

This also has some stuff on using the postgres role itself...
https://github.com/orgs/supabase/discussions/11948
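
The steps in the reply above, written out as an added example (not code from the reply or from Supabase). The table `public.user_roles`, its column `db_role` and the policy name are hypothetical, and the function follows the custom access token hook shape (`event jsonb` in, `jsonb` out).

```sql
-- Role names taken from the question; NOLOGIN so they are only reachable via SET ROLE.
create role teacher nologin;
create role student nologin;
-- PostgREST logs in as authenticator and switches to the role named in the JWT.
grant teacher, student to authenticator;
-- Custom roles inherit what authenticated can already do.
grant authenticated to teacher, student;

-- Hypothetical mapping table. The CHECK is an allow-list: authenticator is also
-- a member of service_role, which must never be assignable from this table.
create table public.user_roles (
  user_id uuid primary key references auth.users (id) on delete cascade,
  db_role text not null check (db_role in ('teacher', 'student'))
);
alter table public.user_roles enable row level security;
revoke all on table public.user_roles from public, anon, authenticated;
grant select on table public.user_roles to supabase_auth_admin;
create policy auth_admin_reads_roles on public.user_roles
  for select to supabase_auth_admin using (true);

-- Custom access token hook: overwrite the role claim from the mapping table.
create or replace function public.custom_access_token_hook(event jsonb)
returns jsonb
language plpgsql
stable
set search_path = ''
as $$
declare
  mapped text;
begin
  select db_role into mapped
  from public.user_roles
  where user_id = (event ->> 'user_id')::uuid;

  if mapped is not null then
    event := jsonb_set(event, '{claims,role}', to_jsonb(mapped));
  end if;
  return event;  -- unmapped users keep the default role claim
end;
$$;

-- Only the Auth service role may call the hook.
grant usage on schema public to supabase_auth_admin;
grant execute on function public.custom_access_token_hook(jsonb) to supabase_auth_admin;
revoke execute on function public.custom_access_token_hook(jsonb) from public, anon, authenticated;
```

The hook takes effect only after it is enabled in the project's Auth hooks settings, and an existing session keeps its old role claim until its token is refreshed.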
