Supabase for Zeabur Self-hosted

This is a demo of Supabase for Zeabur Self-hosted. You can use this template to deploy a Supabase instance on Zeabur.

Services

This Supabase instance includes Kong (API Gateway), Studio (Supabase Studio), PostgreSQL (Database), Meta (Postgres Meta), REST (PostgREST), Auth (GoTrue), Supavisor (Connection Pooler), Realtime (Database Change Subscriptions), Storage (Storage API), MinIO (Object Storage), ImgProxy (Image Processing), and Functions (Edge Functions).

For detailed architecture information, visit the official Supabase architecture documentation.

Services Not Included Due to Platform Limitations:

• Vector (Log Aggregation): Requires Kubernetes RBAC ClusterRole permissions to collect pod logs, which Zeabur does not provide for security reasons.
• Analytics (Logflare): Depends on Vector for log ingestion. Without Vector, Analytics has no data source and is therefore not included.

Note: Without Analytics, the Logs feature in Supabase Studio will not be available. All other Studio features (Database, Auth, Storage management, etc.) will work normally.

If you need additional Supabase services, feel free to implement them according to the upstream docker-compose.yaml file and submit your changes to our Discord server. This applies to our Contribution Reward Program.

Getting Started

Access the Dashboard

After deployment, your Supabase Studio dashboard will be available at your configured domain.

Finding Your Credentials:

1. Go to the Kong service in your Zeabur project
2. Click on the Instructions tab
3. You'll find:
   • Supabase Username: Your dashboard username (from DASHBOARD_USERNAME variable)
   • Supabase Password: Auto-generated secure password

Important Security Keys

The following keys are exposed in the Kong service environment variables:

Key	Location	Description
JWT_SECRET	Kong service	Secret for signing JWT tokens
ANON_KEY	Kong service	Public API key for anonymous access
SERVICE_ROLE_KEY	Kong service	Admin API key with full access

⚠️ CRITICAL: The default keys are for demo purposes only. You MUST generate new keys before production use.

How to Generate Secure Keys:

1. Visit the Supabase JWT Generator
2. Generate new keys using your custom JWT_SECRET:
   • Generate anon key → use as ANON_KEY
   • Generate service_role key (shown as SERVICE_KEY on the website) → use as SERVICE_ROLE_KEY
3. Update the environment variables in the Kong service
4. Restart all services to apply changes:
   • Go to your Project → Settings → General
   • Scroll down to Batch Actions
   • Click Restart All to restart all services

Securing your services

While we provided you with some example secrets for getting started, you should NEVER deploy your Supabase setup using the defaults we have provided. Follow all of the steps in this section to ensure you have a secure setup, and then restart all services to pick up the changes.

Official Guide

Configuration

Add Google OAuth support

Add the following environment variables to the auth service:

• GOTRUE_EXTERNAL_GOOGLE_ENABLED=true
• GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID=xxxxxxxx
• GOTRUE_EXTERNAL_GOOGLE_SECRET=yyyyyyyy
• GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI=https://supabase.zeabur.app/auth/v1/callback

Update supabase.zeabur.app to your public domain, for example: supabase.example.com.

You can find the client ID and secret in the Google Cloud Console.

Then, restart your auth service.

Add Apple OAuth support

Add the following environment variables to the auth service:

• GOTRUE_EXTERNAL_APPLE_ENABLED=true
• GOTRUE_EXTERNAL_APPLE_CLIENT_ID=xxxxxxxx
• GOTRUE_EXTERNAL_APPLE_SECRET=yyyyyyyy
• GOTRUE_EXTERNAL_APPLE_REDIRECT_URI=https://supabase.zeabur.app/auth/v1/callback

Update supabase.zeabur.app to your public domain, for example: supabase.example.com.

You can find the client ID and secret in the Apple Developer Console.

Then, restart your auth service.

Configure SMTP Email Service (Resend Integration)

To enable email functionality in Supabase (user verification, password reset, etc.), configure SMTP settings using Resend as the email service provider.

Step 1: Resend Setup (Email Service Provider)

Domain Verification:

1. Verify your domain (e.g., mail.yourdomain.com) in Resend
2. Configure DNS records (TXT, CNAME, SPF, MX) as provided by Resend
3. Ensure verification status shows "Verified"

Sender Email Setup:

1. Configure sender email address: noreply@mail.yourdomain.com
2. Obtain your Resend API key from the dashboard

Step 2: Supabase Auth SMTP Configuration

Add the following environment variables to the auth service:

• GOTRUE_SMTP_HOST=smtp.resend.com - SMTP server host
• GOTRUE_SMTP_PORT=587 - Use STARTTLS port
• GOTRUE_SMTP_USER=resend (or leave blank) - Resend doesn't validate username, only API key
• GOTRUE_SMTP_PASS=re_xxx - Your Resend API Key
• GOTRUE_SMTP_ADMIN_EMAIL=noreply@mail.yourdomain.com - Admin sender email
• GOTRUE_SMTP_SENDER_NAME=Your App Name - Display name for emails
• GOTRUE_SITE_URL=https://yourdomain.zeabur.app - Determines the domain for verification links in emails

Step 3: Zeabur Environment Configuration

1. Navigate to your Zeabur project
2. Go to Service > Auth > Variables
3. Add all the SMTP variables listed above
4. Restart the auth service to apply changes

Step 4: Testing Email Functionality

Manual Testing:

curl -X POST "https://yourdomain.zeabur.app/auth/v1/signup" \
  -H "Content-Type: application/json" \
  -H "apikey: YOUR_ANON_KEY" \
  -d '{
    "email": "test@example.com",
    "password": "yourpassword"
  }'

Expected Results:

• Verification email sent successfully
• Email delivered to recipient (check spam folder initially)
• Supabase Auth handles registration verification and password reset emails automatically

Troubleshooting Notes

• SPF/DKIM Issues: Ensure all DNS settings match Resend's requirements to prevent email rejection
• Redirect URI Mismatch: Make sure GOTRUE_SITE_URL matches your actual deployed domain
• Email Delivery: Initial emails may go to spam; proper DNS configuration improves deliverability
• API Key Security: Store Resend API key securely in environment variables, never in code

Additional Features (Optional)

For advanced email customization, you can configure:

• Custom email templates
• Delivery report webhooks
• BIMI (Brand Indicators for Message Identification) settings
• Rate limiting and frequency controls

Advanced Auth Configuration (Optional)

Add these environment variables to the auth service for advanced features:

Custom Access Token Hook:

• GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED=true
• GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI=pg-functions://postgres/public/custom_access_token_hook
• GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_SECRETS=<your-base64-secret>

MFA Verification Hook:

• GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_ENABLED=true
• GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_URI=pg-functions://postgres/public/mfa_verification_attempt

Password Verification Hook:

• GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_ENABLED=true
• GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_URI=pg-functions://postgres/public/password_verification_attempt

Custom SMS Hook:

• GOTRUE_HOOK_SEND_SMS_ENABLED=true
• GOTRUE_HOOK_SEND_SMS_URI=pg-functions://postgres/public/custom_sms_hook
• GOTRUE_HOOK_SEND_SMS_SECRETS=v1,whsec_<your-secret>

Custom Email Hook:

• GOTRUE_HOOK_SEND_EMAIL_ENABLED=true
• GOTRUE_HOOK_SEND_EMAIL_URI=http://host.docker.internal:54321/functions/v1/email_sender
• GOTRUE_HOOK_SEND_EMAIL_SECRETS=v1,whsec_<your-secret>

Other Options:

• GOTRUE_EXTERNAL_SKIP_NONCE_CHECK=true (for mobile Google Sign In)
• GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED=true
• GOTRUE_SMTP_MAX_FREQUENCY=1s

Studio SQL Assistant: Add to studio service:

• OPENAI_API_KEY=your-openai-api-key