Services
Solutions
Use cases
Industries
Tools
Pricing
Book a call
Stack in production

Supabase stack — Backend-as-a-Service on your own server

Thirteen containers that together form a complete backend platform: , Auth, Realtime, Storage, , Studio UI, gateway. A concrete alternative to Firebase and AWS Amplify for startups and SaaS providers with GDPR requirements.

Compose excerpt — core services of the Supabase stack

services:
  db:
    image: supabase/postgres:15.8.1.085
    container_name: supabase-db
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "postgres"]
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      JWT_SECRET: ${JWT_SECRET}
    volumes:
      - db_data:/var/lib/postgresql/data

  auth:
    image: supabase/gotrue:v2.186.0
    depends_on: { db: { condition: service_healthy } }
    environment:
      GOTRUE_DB_DRIVER: postgres
      GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:...@db:5432/postgres
      GOTRUE_JWT_SECRET: ${JWT_SECRET}
      GOTRUE_MAILER_AUTOCONFIRM: "false"
      GOTRUE_SMTP_HOST: mail.lernnet.com

  rest:
    image: postgrest/postgrest:v14.5
    depends_on: { db: { condition: service_healthy } }
    environment:
      PGRST_DB_URI: postgres://authenticator:...@db:5432/postgres
      PGRST_DB_SCHEMAS: public,storage,graphql_public
      PGRST_JWT_SECRET: ${JWT_SECRET}

  kong:
    image: kong:2.8.1
    ports: ["8000:8000", "8443:8443"]
    volumes:
      - ./volumes/api/kong.yml:/home/kong/temp.yml:ro
    environment:
      KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml
      KONG_LOG_LEVEL: info
Excerpt from the official docker-compose.yml. 13 services in total, orchestrated through the Kong gateway. PostgreSQL as single source of truth, every other service talks through the DB. Source: github.com/supabase/supabase, Apache-2.0.

Thirteen components as a backend platform

is not a single application — it is an orchestrated bundle of open-source components that together do what Firebase delivers as a proprietary service. Each component is individually replaceable.

PostgreSQL

Database core

The heart of the stack. is the — all data, auth users, storage metadata, edge-function logs go through here.

PostgreSQLC
→ GitHub→ HomepageQ192490Wikidata

PostgREST

27k

Auto-REST API from the schema

Generates a full REST automatically from the schema. No backend code for CRUD — tables become endpoints.

MITHaskell
→ GitHub→ Homepage

GoTrue (Auth)

2.5k

Authentication + user management

User management, email login, OAuth (Google, GitHub, ...), magic links, MFA. JWT-based sessions, compatible with every other component.

MITGo
→ GitHub→ Homepage

Realtime

7.6k

WebSocket live updates

Reads logical replication and pushes changes via to connected clients. For live quizzes, collaboration, real-time dashboards.

Apache-2.0Elixir
→ GitHub→ Homepage

Storage

1.3k

S3-compatible file storage

S3 for file uploads (PDFs, videos, images). Access control via row-level security. No backend code for auth logic.

Apache-2.0TypeScript
→ GitHub→ Homepage

Studio

103k

Browser UI for DB and auth

Browser interface for DB admin, SQL editor, schema designer, user management, storage browser. The official Cloud UI as a version.

Apache-2.0TypeScript
→ GitHub→ Homepage

Kong

44k

API gateway in front

Routes incoming HTTP requests to the right services (auth, rest, storage). Rate limiting, keys, JWT validation at the gateway level.

Apache-2.0Lua
→ GitHub→ Homepage

Supavisor

2.2k

Connection pooler

connection pooler for scale. Scales DB connections for thousands of parallel calls down to a manageable pool size.

Apache-2.0Elixir
→ GitHub→ Homepage

Edge Runtime

Serverless edge functions

Deno-based runtime for custom logic — , GDPR audit triggers, external calls. Functions are written in TypeScript and rolled out globally.

MITRust
→ GitHub→ Homepage

imgproxy

11k

Image transformations on the fly

Resizes, crops, watermarks images at request time. Instead of pre-generating 4 sizes: one source file, arbitrary resolutions by URL parameter.

Apache-2.0Go
→ GitHub→ Homepage

Logflare

Log analytics + aggregation

Logflare aggregates logs from all services in a searchable interface. Important for production debugging and for GDPR audit logs.

MITElixir
→ GitHub→ Homepage

postgres-meta

Schema metadata API

Serves schema information (tables, columns, triggers) as a REST . Used by the Studio UI and can be addressed by custom migration tools.

Apache-2.0TypeScript
→ GitHub→ Homepage

Vector

Log shipper

Vector.dev as a log pipeline: collects container logs, transforms them and ships them to Logflare. A configurable replacement for classic log collectors.

MPL-2.0Rust
→ GitHub→ Homepage

What does the stack do together?

The stack is a complete Backend-as-a-Service platform: as database, auto-generated REST and GraphQL APIs from the schema, auth with JWT sessions, storage with S3 , realtime via , in Deno. What you would otherwise build with 6 different AWS services runs here in one orchestrated container stack.

The decisive difference to Firebase or AWS Amplify: every component is open source (MIT or Apache-2.0), the stack runs fully on your own hardware. If needed, a component can be swapped individually (e.g. PostgREST for Hasura, or Kong for Caddy).

Why a startup self-hosts Supabase

For a SaaS startup the choice of backend platform is existential. Firebase is technically excellent — but means vendor lock-in (proprietary APIs, US cloud, exponential cost growth with scale). AWS Amplify is comprehensive — but means managing 6+ services in parallel. Both mean: under GDPR requirements it gets complicated.

: every datum in German legal space on Hetzner EU. Standard as DB core — no vendor lock-in, every admin can contribute. At scale to 1,000+ active users, the stack typically becomes 70–90 % cheaper than Firebase. And if Inc. vanishes tomorrow: every component is open source and individually usable.

Client case study

LernNet

EdTech startup for vocational education, 5-person founding team, platform for German vocational schools and chamber-of-commerce training centres. Launched 6 months ago with 12 school tenants, target 100+ in 12 months. Firebase would have been the obvious choice — but pupil data and learning progress have to stay GDPR-compliant in the EU. on Hetzner Cloud Frankfurt was the answer.

Multi-tenant for 100+ educational institutions

Every vocational school is its own tenant with isolated pupil, teacher and course data. Row-level security in separates tenants at DB level — one school cannot see another school's data.

GDPR-compliant user management

Pupils under 16 need parental consent, schools need teacher administration. GoTrue with its own SMTP server, JWT sessions, a detailed . No user data leaves the system.

Realtime for live classroom features

Live quizzes during lessons, collaborative whiteboard sessions, chat between teachers and pupils. Realtime via logical replication — sub-second latency, no extra server.

Storage for learning material

PDFs, videos, interactive learning modules (HTML5) — every file upload via S3 into Storage. Access control via policies: a pupil at school X only sees materials of that school.

PostgreSQL as a reliable DB core

The entire data model runs on 15. Proven for 25 years, standard SQL, every admin in the world can contribute. On a competitor's acquisition offer, the DB is portable directly — no Firebase lock-in.

Self-hosted instead of Supabase Cloud

offers a cloud version on AWS. For GDPR reasons and vendor-lock-in risk, LernNet decides for self-hosting on Hetzner Cloud Frankfurt. More setup effort, but full sovereignty over pupil data.

Eight productive patterns in operation

Concrete setups LernNet has been using for 6 months. Each pattern uses 2–4 components of the stack together — the synergies are the actual argument.

PostgreSQL as single source of truth

Pupils, teachers, courses, lessons, quizzes, grading — all in . Schema migrations as migration files in Git. Row-level security separates tenants. One DB, one truth.

PostgREST API from the schema

The Next.js frontend calls the PostgREST directly — tables become REST endpoints. No backend code for CRUD. On schema change: the changes automatically, JWT auth passed through.

GoTrue auth with magic links

Pupil registration via magic link by email (no password initially). Teachers via school-admin invitation. OAuth via Microsoft Education for school-federation logins. JWT sessions with refresh tokens.

Realtime for live quizzes

Teacher posts a question in Studio, pupils see it on mobile in <300 ms via the realtime . Answers go back into , the teacher sees the aggregation live. Classic clicker functionality, but in the own platform.

Storage with row-level security

A teacher uploads a PDF → lands in bucket 'school-15/materials'. Pupils of school 15 can read it, others cannot. Access control purely in policies, no separate auth code.

Edge functions for GDPR audit

Every pupil data query triggers an edge function that writes an event. Searchable per school, one-click export for GDPR data-subject requests. A TypeScript function, deployed via functions deploy.

Studio for schema migrations

During development the schema is adapted in the Studio UI, migration files generated automatically. In production: only migration files via CLI, no direct Studio editing. Clean dev/prod separation.

Supavisor connection pooling

With 500 parallel pupils in the same live class: every browser holds an connection. Supavisor pools those down to 50 real connections. DB stays relaxed, app scales linearly.

What the stack delivers as a whole

Six stack-level capabilities — properties that only emerge from the interplay of the 13 components.

PostgreSQL as core

DB-first architecture: every component talks to the others through the DB. No own message bus, no own cache layer. Schema changes propagate automatically through the whole stack.

Auto-generated REST + GraphQL

PostgREST serves REST from the schema, the Storage container serves REST from its own schema. Plus optional pg_graphql for GraphQL from — all without custom code generation.

Auth with 20+ OAuth providers

GoTrue supports Google, GitHub, Microsoft, Apple, Facebook, Twitter and 15+ more. Plus email login, magic links, MFA. JWT sessions consistently validated across every component.

Realtime via logical replication

The Realtime container reads the logical replication stream and pushes changes to clients. No extra message broker, no double data storage — the DB is the event source.

Storage with image transformations

S3 for upload + access control via policies, plus imgproxy for on-the-fly resize/crop. One source file, arbitrary presentation — bandwidth optimised, storage minimal.

Self-hosted = full data sovereignty

Every datum in one instance under your own control. Backup via pg_dump, disaster recovery via pg_basebackup. On vendor insolvency or strategy change: the entire data is portable instantly.

Honest alternatives

If the self-hosted stack is not a fit — what else?

Three alternatives for Backend-as-a-Service. is the most pragmatic choice, but the competitors each have their own strengths.

Market leader

Firebase

Google, proprietary

  • + Very easy setup, good UX
  • + Mobile SDKs for iOS/Android perfect
  • − US cloud, no self-hosting
  • − Cost explosion at scale (reads per cent)

Single binary

Pocketbase

Gani Georgiev, MIT

  • + One Go binary, runs anywhere
  • + Very easy self-hosting
  • − SQLite only (no PostgreSQL)
  • − Does not scale beyond a single server

AWS variant

AWS Amplify

Amazon, proprietary

  • + Deep AWS integration
  • + Scales arbitrarily high
  • − No self-hosting, US cloud
  • − Very complex architecture

Rule of thumb: with a GDPR requirement and knowledge, is the best place to be. Firebase is the fastest pick when data sovereignty does not matter (hobby projects, MVPs in the US market). Pocketbase makes sense for single-user setups (internal tools, hobby), but does not scale into multi-tenant SaaS. AWS Amplify pays off when you already live deep in AWS.

Pricing

Everything open source. Hetzner hosting. No per-seat licence.

License

All 13 components open source: PostgreSQL under the PostgreSQL Licence, GoTrue + PostgREST + Edge Runtime + Logflare under MIT, every other under Apache-2.0, Vector under MPL-2.0. For own use without redistribution no obligations.

Running costs

Production setup: VPS with 8–16 GB RAM, 200 GB SSD (Hetzner CCX23 from €30/month). Plus separate S3-compatible object storage for bucket data (Hetzner Object Storage from €5/month). RAM footprint of the complete stack: around 6 GB idle, 10 GB under load.

Effort

Initial setup with all 13 components via supabase/docker: 1 day. Production configuration (auth providers, SMTP, backup, monitoring): 2–3 days. Complete startup onboarding including schema design and frontend integration: 8–15 consulting days.

Important for clarity: Inc. (the company) offers a commercial cloud service from $25/month. The variant is not 'the same service for free' — it means own responsibility for updates, scaling, backup. For startups with GDPR requirements and 1,000+ users in the pipeline, this is the right choice. For a 100-user : take Cloud.

Related topics

Supabase needs infrastructure and connections

as the platform, Caddy as the gateway in front, as the layer for external integrations:

→ Docker (container engine)→ Caddy (HTTPS in front)→ n8n (workflow integration)

Ready for the next step?

Free intro call, no strings attached. In 30 minutes you'll know whether and how AI can help your business.

Book a callCheck eligibility
Book a callBAFA funding