Skip to content

Docs

Security

How SupaClone handles credentials, Supabase tokens, data movement, target writes, logs, and deletion expectations.

Last updated 2026-07-09

Credential model

SupaClone needs enough access to read from the source project and write to the target project. Depending on the selected clone scope, this can include database connection strings and Supabase OAuth access for Management API operations.

Use least privilege where practical and disconnect projects when you no longer need them.

What SupaClone reads

SupaClone may read:

  • Database schema metadata.
  • Selected table data when data cloning is enabled.
  • Storage bucket configuration and object metadata.
  • Storage object contents when Storage file cloning is enabled.
  • Edge Function code and function settings.
  • Allowlisted Auth configuration.
  • Selected project/PostgREST/Realtime settings for comparison.

What SupaClone writes

SupaClone writes only to the target project during a clone run.

Target writes can include:

  • Schemas, tables, indexes, constraints, views, functions, triggers, and policies.
  • Selected table data.
  • Storage buckets, files, and Storage policies.
  • Edge Functions.
  • Allowlisted Auth configuration fields.

The source project is treated as read-only for clone operations.

Secrets

Secret values are not copied automatically. SupaClone records manual steps for secrets that must be recreated on the target.

This applies to Edge Function secrets, Auth provider secrets, custom SMTP passwords, hook secrets, and other write-only values.

Data contents

Database contents are copied only when table data cloning is enabled. A structure-only clone copies database structure without table rows.

Storage object contents are copied only when Storage cloning is selected in a mode that copies files.

Logs and reports

Clone reports are designed to explain what happened without exposing secret values. Error handling should redact database passwords and other sensitive connection details.

Still, treat clone reports as operational artifacts. Do not paste reports containing project refs, schema names, or business-sensitive table names into public channels.

Rollback

SupaClone does not provide a one-click rollback of a target project after writes begin. Use a fresh/disposable target project. If a clone writes the wrong state, delete the target project or recreate it before another run.

Deleting connected projects

If you no longer want SupaClone connected to a Supabase project, remove the project connection in SupaClone and revoke OAuth access in Supabase where applicable.

For security-related questions, contact security@supaclone.io.

Ready to run a verified clone?

Start with a fresh target project, choose exactly what to copy, and review the clone report after the run completes.

Clone your first project free