Your AI Coder Just Signed You Up for $200/Month in Supabase
Cursor and Lovable default to Supabase. Here's what that costs and what to use instead.
You asked Cursor to build your MVP. It generated clean Next.js code, connected a database, set up auth, and deployed everything. You felt unstoppable.
Then the Supabase bill arrived.
If you vibe-coded your way into a Supabase dependency, you're not alone. But you are probably overpaying — by a lot. And you might have a security time bomb sitting in your codebase.
Let's break down why AI tools love Supabase, what it actually costs, the real risks no one talks about, and what to do about it.
Why AI Coding Tools Default to Supabase
Ask Cursor, Copilot, or any AI coding assistant to "set up a backend," and Supabase appears almost every time. There are good reasons for this:
It's in the training data. Supabase has been heavily documented, blogged about, and discussed since 2020. Every AI model has seen thousands of Supabase tutorials, boilerplate projects, and Stack Overflow answers. When you say "build a backend," the statistical weight of that training data pushes toward Supabase.

It's a single command. AI tools optimize for simplicity. Instead of orchestrating Postgres setup, auth middleware, storage buckets, and edge functions separately, Supabase bundles everything. The AI can "complete" your request in one coherent code path.

The documentation is good. Supabase invested heavily in DX and docs. That documentation became training material. The better your docs, the more AI tools reference you.

Row Level Security sounds safe. RLS is genuinely useful, but only if the policies are written correctly and your code actually connects with a role that RLS applies to. More on that in a minute.

The problem is that AI tools don't check your budget. They don't ask "do you actually need real-time subscriptions?" or "will you hit the storage limits?" They just pick the path of least resistance and hand you a working prototype with a monthly bill attached.
The Real Cost of Supabase Pricing
Let's talk numbers. Supabase's pricing page makes the free tier look generous. 500MB database, 1GB storage, 50,000 monthly active users. Great for a side project.
But here's what happens when you move beyond a toy:
Free tier ($0/month): 500MB database, 1GB file storage, 2GB bandwidth. Fine for development and maybe a weekend project. Not fine for anything with real users.

Pro tier ($25/month): 8GB database, 100GB storage, 250GB bandwidth. This is where most projects land. Seems reasonable until you realize this is per project.

Scale tier ($599/month): 8GB database (same as Pro), but with higher limits on everything else and better support. The jump from $25 to $599 is steep.

There's also a hidden cost most people miss: compute add-ons.

Supabase lets you scale compute independently of the plan. A Small instance costs $5/month; XL costs $200/month. The add-on is per project and is a flat charge whether or not the database is busy. Many AI-generated projects are set up with default settings that were never tuned for cost, so you can easily end up paying for compute you don't need.
As one Hacker News user put it: "Supabase easily the most expensive part of my stack (at $200/month, if we ran in it XL)." Another user echoed: "I was also surprised with how expensive Supabase turned out to be."
Here's a realistic cost breakdown for a growing project:
| Component | Monthly Cost |
|---|---|
| Supabase Pro | $25 |
| Compute add-on (Medium) | $25 |
| Storage overage | $10-30 |
| Bandwidth overage | $15-50 |
| Auth (if over free tier) | $10-20 |
| Total | $85-150 |
And that's a modest project. Hit viral traffic or store large files, and you're looking at $200+ quickly, for what amounts to a managed Postgres database with some wrappers.

One commenter on Hacker News put it bluntly: "That could get you a pretty decent VPS." They're right. A Hetzner CX32 with 8GB RAM costs $15/month. Running Postgres on it yourself gives you comparable database performance without the markup, provided you're willing to operate it.
The Security Problem: service_role Bypassing Row Level Security
This is the issue that doesn't get enough attention, and it's the one that turns a billing problem into a breach.

When AI tools generate Supabase code, they typically use the service_role key for server-side operations. From a development perspective that makes sense: the service_role bypasses every Row Level Security policy, so server-side code can read and write anything without a policy getting in the way.

The problem is that AI-generated code often uses service_role where it shouldn't, and nothing in the generated project distinguishes "needs admin access" from "happened to be the first thing that worked."
As Hacker News user buremba pointed out: "The cursor assistant operates the Supabase database with elevated access via the service_role, which bypasses all row-level security."
Here's what this looks like in practice:
```javascript
// What AI tools typically generate for server-side Supabase access.
// Only the URL belongs under NEXT_PUBLIC_; the service_role key must never be.
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL,
  process.env.SUPABASE_SERVICE_ROLE_KEY // <-- bypasses ALL Row Level Security
)

export default supabase
```
The SUPABASE_SERVICE_ROLE_KEY gives your server unrestricted access to every row in every table; RLS never runs for it. If that key leaks, through a misconfigured environment variable, a public repository, a log line, or a compromised deployment, an attacker has full database access, and no policy you wrote will slow them down. Treat a leak like a leaked root password: rotate the key and assume the data was read. Note also that in Next.js the NEXT_PUBLIC_ prefix means "inline this into the browser bundle", so a service_role key stored under a NEXT_PUBLIC_ name is already public, whether or not the code that reads it looks server-side.

But here's the worse scenario: AI tools sometimes use the service_role key in client-side code, or in edge functions and route handlers that act on behalf of one logged-in user and don't need elevated access. The code works fine in development. In production, it creates a security hole: every per-user query is protected only by the WHERE clause the AI happened to write, not by RLS.

The fix isn't to avoid Supabase entirely. It's to audit your generated code for every place the service_role key is used, and to ask of each one whether it genuinely needs to bypass RLS. Code that runs in the browser, or that serves one authenticated user, should use the anon key and forward that user's JWT so RLS applies; the service_role key belongs only in trusted server-side paths (migrations, admin jobs, webhooks) that are deliberately acting across users.

If your AI-generated codebase has never had a security audit, assume there are issues. This isn't hypothetical; it's a pattern in vibe-coded projects.
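As an added example (not code from this article, from Supabase, or from any AI tool), here is a small static audit that implements the check described above: find every file that touches the service_role key and flag the cases that should never exist, namely the key under a NEXT_PUBLIC_ name, the key in browser-side code, a hardcoded JWT, and per-user queries that run with service_role instead of under RLS. It works on in-memory {path, source} pairs so it runs offline; the directory layout, the env-var names, and the sample files are assumptions modelled on a typical Next.js + supabase-js project.

```javascript
// Added example: static audit for service_role misuse in AI-generated Supabase code.
// Works on {path, source} pairs in memory; layout and env-var names are assumptions.

// Anything mentioning the service_role key, as an env var, literal or comment.
const SERVICE_ROLE_RE = /SERVICE_ROLE/i;
// Next.js inlines NEXT_PUBLIC_* env vars into the browser bundle, so a
// service_role key under that prefix is shipped to every visitor.
const PUBLIC_SERVICE_ROLE_RE = /NEXT_PUBLIC_[A-Z0-9_]*SERVICE_ROLE/;
// 'use client' marks a Next.js client component (runs in the browser).
const USE_CLIENT_RE = /^\s*['"]use client['"]/m;
// Directories assumed (for this layout) to ship to the browser.
const CLIENT_PATH_RE = /(^|\/)(components|hooks|public)\//;
// Three base64url segments, the first starting with "eyJ": a JWT literal.
const JWT_LITERAL_RE = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/;
// A query filtered by user_id is exactly the shape RLS should enforce; with
// service_role the .eq() filter is the only thing protecting other users' rows.
const USER_SCOPED_QUERY_RE = /\.eq\(\s*['"]user_id['"]/;

function finding(path, severity, rule, message) {
  return { path, severity, rule, message };
}

// Findings for one file; empty if the file never mentions service_role.
function auditFile({ path, source }) {
  if (!SERVICE_ROLE_RE.test(source)) return [];
  const out = [];
  if (PUBLIC_SERVICE_ROLE_RE.test(source)) {
    out.push(finding(path, 'critical', 'service-role-public-env',
      'service_role key read from a NEXT_PUBLIC_ variable; Next.js bundles it into browser JS'));
  }
  if (USE_CLIENT_RE.test(source) || CLIENT_PATH_RE.test(path)) {
    out.push(finding(path, 'critical', 'service-role-in-client-code',
      'service_role key referenced in code that runs in the browser'));
  }
  if (JWT_LITERAL_RE.test(source)) {
    out.push(finding(path, 'critical', 'hardcoded-jwt',
      'JWT literal committed to source; if it is the service_role key, rotate it'));
  }
  if (USER_SCOPED_QUERY_RE.test(source)) {
    out.push(finding(path, 'high', 'service-role-for-user-scoped-query',
      'per-user query runs with service_role, so RLS is bypassed; use the anon key and forward the caller JWT'));
  }
  if (out.length === 0) {
    out.push(finding(path, 'info', 'service-role-server-side',
      'service_role used server-side; confirm this path really needs to bypass RLS'));
  }
  return out;
}

function auditProject(files) {
  return files.flatMap(auditFile);
}

// Counts findings per severity, e.g. { critical: 2, high: 2, info: 1 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Constructed sample files (not real project code).
const SAMPLE_FILES = [
  { path: 'lib/supabase-admin.ts', source: `
import { createClient } from '@supabase/supabase-js'
export const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.SUPABASE_SERVICE_ROLE_KEY)
` },
  { path: 'components/Profile.tsx', source: `
'use client'
import { createClient } from '@supabase/supabase-js'
const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY)
export function loadProfile(userId) { return supabase.from('profiles').select('*').eq('user_id', userId) }
` },
  { path: 'app/api/notes/route.ts', source: `
import { createClient } from '@supabase/supabase-js'
const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.SUPABASE_SERVICE_ROLE_KEY)
export async function GET(req) { const userId = await userIdFromSession(req); return supabase.from('notes').select('*').eq('user_id', userId) }
` },
  { path: 'components/Nav.tsx', source: `
'use client'
export function Nav() { return null }
` },
];

for (const f of auditProject(SAMPLE_FILES)) {
  console.log(`[${f.severity}] ${f.path}: ${f.rule}: ${f.message}`);
}
console.log(summarize(auditProject(SAMPLE_FILES)));
```

On the constructed samples this reports two critical findings for the client component (public env var and browser-side use), a high finding for the route handler whose per-user query runs as service_role, and an informational one for the admin module, which is the only place where bypassing RLS is plausibly intended. The regexes are heuristics: they will miss a key pulled from a secrets manager under another name, so treat the output as a starting list for the manual audit, not as proof of absence.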
What to Use Instead: Postgres on a $5 VPS
The alternative isn't complicated. It's just less marketed.
Option 1: Postgres on a VPS ($5-15/month)

Spin up a Hetzner CX22 ($6.50/month, 2 vCPU, 4GB RAM). Install Postgres. Set up connection pooling with PgBouncer. You get a database that handles as much traffic as most MVPs will ever see, at a fraction of the cost of Supabase Pro.

The downside? You manage it yourself. No automatic backups (set up a pg_dump cron job and test a restore), no built-in dashboard (install pgAdmin or use pgcli), no edge functions (use your own server). You also own the hardening: apply OS and Postgres security patches, keep port 5432 off the public internet (bind to localhost or a private network and firewall the rest), and require TLS and strong passwords for any remote connection.

For solo founders and small teams, this trade-off is usually worth it.

Option 2: Neon ($0-19/month)

Serverless Postgres with a generous free tier. Neon scales to zero, so you only pay when you're using it. For low-traffic projects, this can be nearly free.

Option 3: Railway ($5-20/month)

Deploy Postgres as a service on Railway. More expensive than a raw VPS but simpler to manage. A good middle ground.

Option 4: Supabase free tier with real limits

If you must use Supabase, stay on the free tier and actually respect the limits. Set up billing alerts. Monitor storage and bandwidth. Don't add compute add-ons unless you've verified you need them.
The key insight: Supabase is fine as a service. It's just expensive for what you get. If your AI-generated project relies on Supabase features like real-time subscriptions and auth, evaluate whether you actually need those features or whether they're there because the AI defaulted to them.
The Math: Supabase vs Self-Hosted
Let's do the actual comparison:
| Feature | Supabase Pro ($25+) | Self-Hosted VPS ($6.50) |
|---|---|---|
| Database | Postgres 15 | Postgres 15+ |
| Storage | 100GB | Limited by disk (upgradeable) |
| Auth | Included | Self-host with Lucia or NextAuth |
| Real-time | Included | Self-host with LISTEN/NOTIFY (pg_notify) or logical replication |
| Dashboard | Web UI | pgAdmin or pgcli |
| Backups | Automatic | Set up pg_dump cron |
| Support | Vendor support, better on higher tiers | Community / DIY |
Supabase wins on convenience. Self-hosted wins on cost and control. For a vibe-coded MVP where you're trying to keep burn rate low, the self-hosted route saves $200+/year.
How to Audit Your Supabase Bill
If you're already on Supabase and the bill is climbing, here's a quick audit: list every project in your dashboard and downgrade or delete the ones nobody uses (each one on Pro is its own $25), compare each remaining project's compute add-on with its actual CPU and memory use, and check storage and bandwidth against your tier's limits before they turn into overage charges.
Most teams I've worked with find $30-50/month in waste just from old projects and over-provisioned compute.
The Bigger Picture: AI Tools and Cloud Costs
Supabase is just one example of a broader pattern. AI coding tools optimize for working code, not cost-efficient code. They'll happily use Vercel, Supabase, Stripe, and a dozen other services that each charge monthly fees.
The result: your "free" MVP costs $500+/month before you have a single paying customer.
If you're using AI tools to build your product, budget time for a cost audit. Better yet, read our article on the full vibe coding cost trap to understand the total cost picture.
And if you've already got a codebase full of Supabase dependencies and aren't sure what it's actually costing you, our free vibe-code assessment can map out exactly where your money's going and what to optimize.
FAQ
Is Supabase free tier really free?
Yes, but with limits. 500MB database, 1GB storage, 2GB bandwidth. Fine for development. Breaks down quickly with real users. The free tier also lacks automatic backups and point-in-time recovery.
Can I migrate from Supabase to plain Postgres?
Yes. Supabase is built on Postgres, so your schema and data transfer directly, and because RLS is a standard Postgres feature your policies come along too. What needs rewriting is any policy that calls Supabase helpers such as auth.uid(), plus the Supabase-specific services (auth, storage, real-time, edge functions), which you'll replace with alternatives. Most migrations take 1-3 days depending on complexity.
Why do AI tools keep picking Supabase?
Training data bias. Supabase has extensive documentation and tutorials that AI models were trained on. The AI sees it as the "standard" backend choice because it appears more often in its training data than alternatives.
Should I never use Supabase?
No — Supabase is a good service for certain use cases. If you need managed auth, real-time subscriptions, and storage with minimal setup, it's great. The issue is when AI tools add it by default and you're paying $200+/month for features you don't need.
How much can I save by switching to a VPS?
Typically $150-200/month. A Hetzner CX22 at $6.50/month replaces most of what Supabase Pro offers. The trade-off is you manage backups, security patches, and infrastructure yourself. For solo founders, that's usually worth the savings.
Need help with your vibe-coded codebase?
Get a free assessment. We'll tell you exactly what needs fixing and in what order.