# Set up a Supabase connector

> C1 provides identity governance and provisioning for Supabase. Integrate Supabase with C1 to run user access reviews (UARs), enable access requests, and automatically provision and deprovision auth users across all your Supabase projects.

## Capabilities

The Supabase connector syncs the following resources:

| Resource             | Sync                                                          | Provision                                                     |
| :------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Organization Members | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Auth Users           | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Organizations        | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Projects             | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

* **Organization Members**: Platform-level users synced per organization with roles (Owner, Administrator, Developer, Read-only).
* **Auth Users**: Project-level users synced per project, with database roles managed via the Auth Admin API.
* **Organizations**: Supabase organizations with role-based entitlements.
* **Projects**: Supabase projects with per-project database role entitlements and provisioning (a grant assigns the role; revoking `authenticated` removes the user).

## Gather Supabase credentials

<Warning>
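  To configure the Supabase connector, you need a **Personal Access Token
  (PAT)** for the Supabase Management API. The connector automatically discovers
  all active projects and fetches each project's `service_role` key. Because a
  `service_role` key bypasses Row Level Security, store the PAT as you would any
  administrative credential.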
</Warning>

<Steps>
  <Step>
    Log in to Supabase at [https://supabase.com/dashboard](https://supabase.com/dashboard).
  </Step>

  <Step>
    Navigate to **Account Settings** > **Access Tokens**: [https://supabase.com/dashboard/account/tokens](https://supabase.com/dashboard/account/tokens).
  </Step>

  <Step>
    Click **Generate new token**, name it (e.g., `conductorone-connector`), and
    click **Generate token**.
  </Step>

  <Step>
    Copy the token immediately — it starts with `sbp_` and is shown only once.
  </Step>
</Steps>

## Configure the Supabase connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Supabase** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Supabase connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the required configuration:

        * **Supabase Access Token**: The Personal Access Token (PAT) you generated.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Supabase connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to use the [Supabase](https://github.com/conductorone/baton-supabase) connector, hosted and run in your own environment.

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.

    ### Step 1: Set up a new Supabase connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Supabase connector.
      </Step>

      <Step>
        Set the owner for this connector and click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**, then click **Rotate** to generate a new Client ID and Secret. Carefully copy and save these credentials.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    #### Secrets configuration

    ```yaml expandable
    # baton-supabase-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-supabase-secrets
    type: Opaque
    stringData:
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>
      BATON_SUPABASE_ACCESS_TOKEN: <Supabase Personal Access Token>

      # Optional: include if you want C1 to provision access using this connector.
      # stringData values must be strings, so the boolean is quoted.
      BATON_PROVISIONING: "true"
    ```

    #### Deployment configuration

    ```yaml expandable
    # baton-supabase.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-supabase
      labels:
        app: baton-supabase
    spec:
      selector:
        matchLabels:
          app: baton-supabase
      template:
        metadata:
          labels:
            app: baton-supabase
            baton: "true"
            baton-app: supabase
        spec:
          containers:
          - name: baton-supabase
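            # :latest is a mutable tag, and with IfNotPresent a node keeps whatever
            # image it has cached; pin a release tag or digest for reproducible deploys.
            image: public.ecr.aws/conductorone/baton-supabase:latest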
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-supabase
            envFrom:
            - secretRef:
                name: baton-supabase-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Supabase connector to. Supabase data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Supabase connector is now pulling access data into C1.
  </Tab>
</Tabs>
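
For Step 3 of the self-hosted setup, the shell functions below lint the Secret manifest and then apply both files. This is an added example, not part of the C1 documentation; the function names and the `c1-connectors` namespace are assumptions, and the file names are the ones used in Step 2.

```bash
# Added example: pre-flight lint for baton-supabase-secrets.yaml, then deploy.
# Function names and the c1-connectors namespace are assumptions.

# Print KEY's value from a "KEY: value" manifest line, surrounding quotes stripped.
secret_value() {  # usage: secret_value KEY FILE
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 if the manifest is ready to apply; otherwise print each problem and return 1.
lint_baton_secret() {  # usage: lint_baton_secret FILE
  local file="$1" rc=0 key val
  for key in BATON_CLIENT_ID BATON_CLIENT_SECRET BATON_SUPABASE_ACCESS_TOKEN; do
    val=$(secret_value "$key" "$file")
    case $val in
      '')   echo "$key: missing or empty"; rc=1 ;;
      '<'*) echo "$key: placeholder not replaced"; rc=1 ;;
    esac
  done
  # The page states that a Supabase PAT starts with sbp_.
  val=$(secret_value BATON_SUPABASE_ACCESS_TOKEN "$file")
  case $val in
    sbp_?*|''|'<'*) ;;  # valid prefix, or already reported above
    *) echo "BATON_SUPABASE_ACCESS_TOKEN: does not start with sbp_"; rc=1 ;;
  esac
  # stringData values must be strings; a bare YAML boolean is rejected on apply.
  if grep -Eq '^[[:space:]]*BATON_PROVISIONING:[[:space:]]*(true|false)[[:space:]]*$' "$file"; then
    echo 'BATON_PROVISIONING: quote the value ("true")'; rc=1
  fi
  return "$rc"
}

# Lint first, then create the namespace idempotently and apply both manifests.
deploy_baton_supabase() {  # usage: deploy_baton_supabase [NAMESPACE]
  local ns="${1:-c1-connectors}"
  lint_baton_secret baton-supabase-secrets.yaml || return 1
  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
  kubectl apply -n "$ns" -f baton-supabase-secrets.yaml -f baton-supabase.yaml
  kubectl rollout status -n "$ns" deployment/baton-supabase
}
```

Run `deploy_baton_supabase` from the directory that holds both manifests; it stops before touching the cluster if the lint reports a problem.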

***

<Tip>
  The connector automatically syncs auth users from all active Supabase projects
  accessible via the PAT. Each auth user is linked to its parent project, so
  users from different projects are properly distinguished.
</Tip>
