[{"data":1,"prerenderedAt":229},["ShallowReactive",2],{"blog-blueprints/bolt-nextjs-supabase":3},{"id":4,"title":5,"body":6,"category":209,"date":210,"dateModified":210,"description":211,"draft":212,"extension":213,"faq":214,"featured":212,"headerVariant":215,"image":214,"keywords":214,"meta":216,"navigation":217,"ogDescription":218,"ogTitle":214,"path":219,"readTime":220,"schemaOrg":221,"schemaType":222,"seo":223,"sitemap":224,"stem":225,"tags":226,"twitterCard":227,"__hash__":228},"blog/blog/blueprints/bolt-nextjs-supabase.md","Bolt.new + Next.js + Supabase Security Blueprint",{"type":7,"value":8,"toc":199},"minimark",[9,20,24,30,35,90,94,109,122,126,131,134,137,140,143,146,149,163,173,187],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a Bolt.new + Next.js + Supabase stack,"," you need to: (1) use the correct Supabase client type for each Next.js context (browser vs server vs middleware), (2) add authentication verification to all Server Actions using auth.getUser(), (3) enable RLS on all Supabase tables, and (4) configure middleware to protect authenticated routes. This blueprint covers the unique security challenges of combining Next.js App Router with Supabase.",[21,22],"blueprint-meta",{"time":23},"2-3 hours",[25,26,27],"tldr",{},[13,28,29],{},"Next.js App Router requires different Supabase clients for different contexts. Bolt-generated code often mixes these up or skips auth verification in Server Actions. After export: verify correct client usage, add auth checks to all Server Actions, enable RLS on all tables, and configure middleware for protected routes.",[31,32,34],"h2",{"id":33},"supabase-client-types","Supabase Client Types",[36,37,38,54],"table",{},[39,40,41],"thead",{},[42,43,44,48,51],"tr",{},[45,46,47],"th",{},"Context",[45,49,50],{},"Client",[45,52,53],{},"Common Issue",[55,56,57,69,80],"tbody",{},[42,58,59,63,66],{},[60,61,62],"td",{},"Client Components",[60,64,65],{},"createBrowserClient",[60,67,68],{},"May use server client",[42,70,71,74,77],{},[60,72,73],{},"Server Components",[60,75,76],{},"createServerClient",[60,78,79],{},"May skip cookie handling",[42,81,82,85,87],{},[60,83,84],{},"Server Actions",[60,86,76],{},[60,88,89],{},"Often missing auth check",[31,91,93],{"id":92},"part-1-nextjs-server-action-security","Part 1: Next.js Server Action Security",[95,96,98],"code-block",{"label":97},"SECURE: With auth verification",[99,100,105],"pre",{"className":101,"code":103,"language":104},[102],"language-text","'use server'\n\nimport { createClient } from '@/lib/supabase/server'\n\nexport async function updateProfile(formData: FormData) {\n  const supabase = await createClient()\n\n  const { data: { user }, error } = await supabase.auth.getUser()\n\n  if (error || !user) {\n    throw new Error('Unauthorized')\n  }\n\n  await supabase.from('profiles').update({\n    name: formData.get('name')\n  }).eq('id', user.id)  // Use verified user ID\n\n  return { success: true }\n}\n","text",[106,107,103],"code",{"__ignoreMap":108},"",[110,111,112],"warning-box",{},[13,113,114,117,118,121],{},[16,115,116],{},"Critical:"," Always use ",[106,119,120],{},"auth.getUser()"," in Server Actions. Never trust user IDs from form data.",[31,123,125],{"id":124},"security-checklist","Security Checklist",[127,128,130],"h4",{"id":129},"post-export-checklist-for-bolt-nextjs-supabase","Post-Export Checklist for Bolt + Next.js + Supabase",[13,132,133],{},"Correct Supabase client for each context",[13,135,136],{},"RLS enabled on all tables",[13,138,139],{},"Auth verification in all Server Actions",[13,141,142],{},"Middleware protects authenticated routes",[13,144,145],{},"User ID from auth.getUser(), not client",[13,147,148],{},"Service role key only in server code",[150,151,152,157],"stack-comparison",{},[153,154,156],"h3",{"id":155},"alternative-stacks-to-consider","Alternative Stacks to Consider",[99,158,161],{"className":159,"code":160,"language":104},[102],"      **Bolt.new + Supabase**\n      General Supabase security guide\n\n\n      **Bolt.new + Supabase + Vercel**\n      Complete deployment security\n\n\n      **Bolt.new + React + Firebase**\n      Firebase alternative stack\n",[106,162,160],{"__ignoreMap":108},[164,165,166],"faq-section",{},[167,168,170],"faq-item",{"question":169},"Why do I need different Supabase clients?",[13,171,172],{},"Next.js runs code in different environments. Each handles cookies and auth tokens differently. Using the wrong client causes auth state mismatches.",[174,175,176,182],"related-articles",{},[177,178],"related-card",{"description":179,"href":180,"title":181},"Similar stack with Cursor","/blog/blueprints/cursor-nextjs-supabase","Cursor + Next.js + Supabase",[177,183],{"description":184,"href":185,"title":186},"General Supabase guide","/blog/blueprints/bolt-supabase","Bolt + Supabase",[188,189,192,196],"cta-box",{"href":190,"label":191},"/","Start Free Scan",[31,193,195],{"id":194},"building-nextjs-supabase-with-bolt","Building Next.js + Supabase with Bolt?",[13,197,198],{},"Scan for client misuse and auth vulnerabilities.",{"title":108,"searchDepth":200,"depth":200,"links":201},2,[202,203,204,208],{"id":33,"depth":200,"text":34},{"id":92,"depth":200,"text":93},{"id":124,"depth":200,"text":125,"children":205},[206],{"id":155,"depth":207,"text":156},3,{"id":194,"depth":200,"text":195},"blueprints","2026-01-27","Security guide for Bolt.new + Next.js + Supabase stack. Configure RLS, secure Server Components, protect API routes, and handle authentication properly.",false,"md",null,"purple",{},true,"Complete security configuration for Next.js + Supabase apps built with Bolt.new.","/blog/blueprints/bolt-nextjs-supabase","11 min read","[object Object]","Article",{"title":5,"description":211},{"loc":219},"blog/blueprints/bolt-nextjs-supabase",[],"summary_large_image","Ez5a4MbkHb0kNR6XE5SA3P9v4mZJ8UO9T2gsvsC4r7U",1775843920165]