We've built over 150 web platforms for clients across 12 countries. In that time, we've worked with PHP monoliths, Django backends, Ruby on Rails, pure React frontends with custom Node APIs, Firebase, PlanetScale, and more stacks than we care to remember. After all of that, Next.js paired with Supabase is what we reach for on the majority of new projects today — and the reasons go well beyond personal preference.
How We Got Here
Five years ago, our default stack was React on the frontend and a Node/Express API backed by PostgreSQL on the backend. It worked. But "worked" is a low bar. Every new project meant re-solving the same infrastructure problems: auth, file storage, real-time subscriptions, row-level security, API route organisation. We were spending 20–30% of every project's timeline on setup that had nothing to do with the client's actual product.
We tried Firebase as a shortcut. It solved some of those problems but created new ones: vendor lock-in, NoSQL data modelling that got messy fast, and pricing that surprised clients as they scaled. We needed something that gave us the speed of a managed backend-as-a-service without sacrificing the power of a relational database and open standards.
Next.js we had been using for a while for its SSR and SEO benefits. What changed was combining it with Supabase — and realising how well the two fit together. Within three projects, it had become our default.
Why Next.js Specifically
There are good React frameworks. Next.js isn't good — it's in a class of its own right now, and here's what actually matters to us as a team that ships production products:
- Server Components + App Router — The App Router model lets us co-locate data fetching with the components that need it. No more prop drilling data through five levels or maintaining sprawling API routes just to pass data to a page.
- Built-in performance defaults — Image optimisation, font loading, code splitting, and prefetching are all handled by the framework. Clients don't pay for a performance consultant because we're not starting from zero.
- Edge and serverless ready — Middleware runs at the edge. API routes run serverless. We can deploy globally on Vercel with near-zero configuration and get sub-100ms response times in most regions without managing a single server.
- Full-stack in one repository — Frontend, API routes, server actions, and middleware all live in one codebase. One CI/CD pipeline. One deployment. The cognitive overhead for both our team and the client is dramatically lower.
- SEO without sacrificing interactivity — Marketing pages are server-rendered for perfect Lighthouse scores. Dynamic app sections hydrate on the client. We don't have to choose between a fast-loading site and a rich user experience.
The ecosystem matters too. TypeScript support is first-class. The community is enormous. When a client's in-house team eventually needs to maintain or extend the codebase, finding Next.js developers is not hard.
Why Supabase Specifically
Supabase markets itself as "the open-source Firebase alternative," which undersells it. What Supabase actually gives you is a production-grade PostgreSQL database with a full set of services built on top — and the key word is PostgreSQL. You're not locked into a proprietary data model. You're working with the most capable open-source relational database in the world.
Here's what we use and why it matters:
- Row Level Security (RLS) — Security policies are defined at the database level, not scattered across your application code. A user can only read their own data because the database enforces it — not because we remembered to add a WHERE clause everywhere. This has eliminated entire categories of security bugs from our projects.
- Built-in Auth — Email/password, magic links, OAuth with Google, GitHub, Apple — all configured in minutes. The auth JWT integrates directly with RLS policies, so your database automatically knows which user is making a request without extra middleware.
- Realtime subscriptions — Postgres changes broadcast to connected clients over WebSockets. Building a live dashboard, a chat feature, or a collaborative document editor doesn't require a separate WebSocket server or a third-party service like Pusher.
- Storage — File uploads with access policies tied to the same RLS system. A user's profile photo is only accessible to them unless you explicitly make it public. Storage permissions and database permissions use the same mental model.
- Edge Functions — Serverless Deno functions for custom backend logic, webhooks, or background tasks. They run globally and integrate with the rest of the Supabase platform with almost no configuration.
Critically, it's open source. If Supabase ever became untenable — pricing, reliability, whatever — we could self-host the entire stack on our own infrastructure. That's not something you can say about Firebase.
How the Two Work Together
The integration between Next.js and Supabase is where the real productivity gain happens. Supabase maintains an official Next.js integration that handles the auth cookie lifecycle, server-side client creation, and middleware-based session refresh automatically.
In practice this means:
- Server Components can query Supabase directly — No separate API route needed for most data fetching. A Server Component creates a Supabase client with the user's session and queries the database. The data arrives with the initial HTML. Zero client-side loading states for critical content.
- Type-safe database queries — Supabase generates TypeScript types from your database schema. Your IDE knows the shape of every table, column, and relationship. Database schema changes break TypeScript at compile time, not at runtime in production.
- Server Actions + Supabase mutations — Form submissions and data mutations happen through Next.js Server Actions that call Supabase directly. No API layer to maintain. The data flow is: user submits form → Server Action runs on the server → Supabase mutation → page revalidates. Four lines of code for what used to be an API route, a fetch call, error handling, and a loading state.
- Middleware auth protection — Route protection happens in Next.js middleware before any page renders. Unauthenticated users are redirected at the edge, not after the page loads and a client-side check fires.
A Real Example: What We Built in 6 Weeks
For a property management client, we built a platform with the following features: multi-tenant architecture (property managers and tenants as separate roles), real-time maintenance request tracking, document storage with role-based access, automated email notifications, a payment tracking dashboard, and a mobile-responsive interface.
Six weeks from kickoff to production deployment. Here's roughly how that time was distributed:
- Week 1 — Schema design, RLS policies, auth setup, base UI components and design system.
- Week 2–3 — Core feature development: tenant onboarding, property listings, maintenance request flow.
- Week 4 — Document storage, notification system, payment tracking.
- Week 5 — Dashboard, reporting, admin panel.
- Week 6 — QA, performance tuning, client UAT, deployment.
A comparable project on our old stack would have taken 10–12 weeks. The difference wasn't that we worked harder — it was that we weren't re-building infrastructure that Supabase already provided.
When This Stack Is Not the Right Choice
We'd be doing you a disservice if we didn't address the cases where this stack isn't ideal. We've run into them:
- Extremely high write throughput — If you're ingesting millions of events per second, Supabase's managed Postgres will hit limits before purpose-built solutions like ClickHouse or Cassandra. Know your write patterns before committing.
- Complex background job requirements — Supabase Edge Functions are great for lightweight async work but aren't a replacement for a dedicated job queue like BullMQ or a workflow engine like Temporal when you have heavy, long-running processes.
- Highly customised auth flows — Supabase Auth is excellent for 90% of use cases. If you need complex multi-factor setups, enterprise SSO with deep SAML customisation, or phone-carrier-level verification, a dedicated auth provider may serve you better.
- Teams with no SQL experience — RLS is a superpower, but it requires understanding SQL policies. Teams that have only worked with ORMs and NoSQL will have a learning curve. Plan for it.
Our Standard Project Setup
When we start a new Next.js + Supabase project, here's what the first day typically looks like:
- Create Supabase project, configure Auth providers, set up email templates
- Scaffold Next.js app with TypeScript, Tailwind CSS, and the official Supabase SSR package
- Write initial database migrations and RLS policies before any application code
- Generate TypeScript types from the schema and commit them to the repo
- Set up GitHub Actions CI pipeline — type check, lint, and Supabase migration dry-run on every PR
- Configure Vercel deployment with environment variables and preview deployments for each branch
- Set up Supabase branching for database schema previews (if on a Pro plan)
By end of day one, the project has working authentication, a type-safe database client, automated deployments, and a CI pipeline. The team can start building features on day two without making any infrastructure decisions.
Performance Numbers We've Seen
These are real numbers from recent projects, not benchmarks on optimised test servers:
- Time to First Byte (TTFB) — Typically 60–180ms on Vercel Edge for server-rendered pages, compared to 400–900ms on our old Node/Express setup hosted on a single-region VPS.
- Lighthouse scores — Average 94 Performance, 100 Accessibility, 100 Best Practices, 100 SEO across our last five projects at launch.
- Database query latency — Supabase Postgres on the same region as the Vercel deployment averages 8–22ms for standard queries with appropriate indexing.
- Cold start times — Next.js API routes and Server Actions on Vercel cold-start in under 250ms. For most users, there is no perceptible cold start.
What We'd Tell Ourselves Starting Out
If we were giving advice to a team adopting this stack for the first time:
- Write RLS policies before application code. It's tempting to disable RLS and add it later. Don't. Adding it after means auditing every query you've written. Adding it first means every query is secure by default.
- Use Supabase's local development CLI. Running a local Supabase instance with Docker means your database and migrations are version-controlled and reproducible. It also means you can test RLS policies locally before pushing.
- Don't overuse Server Actions for reads. Server Actions are for mutations. For data fetching, use Server Components. Mixing them leads to inconsistent patterns that confuse new team members.
- Enable the Postgres extensions you need on day one. pgvector for AI features, pg_cron for scheduled jobs, PostGIS for location data — enabling them later requires a migration and can cause downtime on a busy database.
- Invest in your type generation workflow. Set up automatic type regeneration whenever migrations run. Type drift between your database schema and your TypeScript types is the most common source of subtle bugs on this stack.
The Honest Bottom Line
No stack is perfect forever. What makes Next.js and Supabase compelling today is the combination of speed-to-production, operational simplicity, open standards, and genuine scalability. We've taken products built on this stack from zero to tens of thousands of daily active users without changing the architecture — just provisioning more Supabase compute and relying on Vercel's auto-scaling.
For most web products — SaaS platforms, internal tools, marketplaces, dashboards, client portals — this stack gets you to production faster, keeps running costs lower, and is easier to hand off to a client's in-house team than anything else we've used. That's why it's our default.
Building a web platform and want to know if this stack is right for your use case? Talk to our team — we're happy to give an honest recommendation.
