Should I expose database types to client?
I’m building a fintech application using Supabase (Postgres + TypeScript).
I don’t use Supabase directly in the client — it’s used behind my API server — but I’m wondering about best practices for sharing database types.
Is it considered safe or standard practice to bundle the generated Database types with the frontend app to get type safety (e.g., matching API response shapes), or should I only expose a limited subset of types since this could reveal parts of the schema?
Given this is a fintech product where security really matters, I’d love to hear how others handle this in production setups.
6 Replies
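One way to get the type safety the question asks about without ever shipping the generated `Database` type to the frontend is to derive an explicit allow-list DTO from it on the server and let the client infer the response type from the API handler. The following is an added example, not code from the thread or from Supabase; the `Database` type is a constructed stand-in with the same `public.Tables.<name>.Row` layout that Supabase's generator emits, the `accounts` table, its columns, and the `SAMPLE_ROWS` data are invented for illustration, and the handler is synchronous and in-memory so it runs without a database.

```typescript
// Constructed stand-in for Supabase's generated `Database` type (assumption:
// real generated types have the same nested Row layout; this table is invented).
type Database = {
  public: {
    Tables: {
      accounts: {
        Row: {
          id: string;
          owner_email: string;
          balance_cents: number;
          // Columns the client must never receive.
          tax_id: string;
          kyc_notes: string | null;
          internal_risk_score: number;
        };
      };
    };
  };
};

type AccountRow = Database["public"]["Tables"]["accounts"]["Row"];

// Public DTO as an explicit allow-list derived from the generated row type.
// If a listed column is renamed or dropped in the schema, this fails to compile
// instead of silently changing the wire shape.
export type AccountPublic = Pick<AccountRow, "id" | "owner_email" | "balance_cents">;

// Columns that must never reach the client (kept in one place for the runtime check).
const SENSITIVE_COLUMNS = ["tax_id", "kyc_notes", "internal_risk_score"] as const;

// Projection built field by field. Deliberately no `{ ...row }` spread, so a
// sensitive column added to the table later is not leaked by default.
export function toPublic(row: AccountRow): AccountPublic {
  return {
    id: row.id,
    owner_email: row.owner_email,
    balance_cents: row.balance_cents,
  };
}

// Constructed sample data standing in for the query the API server would run.
const SAMPLE_ROWS: AccountRow[] = [
  {
    id: "acct_1",
    owner_email: "alice@example.com",
    balance_cents: 12500,
    tax_id: "000-00-0000",
    kyc_notes: "reviewed",
    internal_risk_score: 3,
  },
];

// API handler (hypothetical). Only the projected DTO leaves this function.
export function getAccount(id: string): AccountPublic | null {
  const row = SAMPLE_ROWS.find((r) => r.id === id);
  return row ? toPublic(row) : null;
}

// Client side: infer the response type from the handler instead of importing
// `Database`. This is the same idea as the trpc helpers mentioned in the replies,
// done with plain TypeScript utility types (use `Awaited<ReturnType<...>>` for
// async handlers).
export type GetAccountResponse = ReturnType<typeof getAccount>;

// Compile-time guard: the build breaks if a sensitive column ever appears in the DTO.
type SensitiveInResponse = Extract<
  keyof NonNullable<GetAccountResponse>,
  (typeof SENSITIVE_COLUMNS)[number]
>;
export const sensitiveColumnsExcluded: SensitiveInResponse extends never ? true : never = true;

// Runtime guard for tests and response middleware: which sensitive keys slipped through.
export function leakedKeys(dto: object): string[] {
  const sensitive: readonly string[] = SENSITIVE_COLUMNS;
  return Object.keys(dto).filter((k) => sensitive.includes(k));
}
```

The frontend imports only `AccountPublic` or `GetAccountResponse`, so the bundle never contains the full schema, and the `Pick` keeps the DTO tied to the generated type so schema drift is caught at compile time rather than in production.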
The types are stripped out of the bundle when you build, so I don't think they'd leak. Even if they do, ideally there shouldn't even be a way to pull the data represented by the type from the client-facing API without the necessary auths.
I can't think of a scenario where types alone would leak anything, but I'd love to be corrected.
Yes, you're right. That went over my head; the types should not be bundled when it is built.
I would argue that there are some security concerns with exposing your database schema in a sensitive application. But as you mentioned, yes, everything should be behind auth.
Appreciate your insight!
This got me curious, don't you use trpc?
Because I usually just get the return type of my API routes using trpc helpers when I need to.
tbh, didn't know you could use trpc with Supabase. You might have just changed my life.
Drizzle, then trpc.
May your LC mediums feel extra easy for days to come 🙇🏿‍♂️