Flutter Client Library

You can initialize Supabase with the static initialize() method of Supabase class.

The Supabase client is your entrypoint to the rest of the Supabase functionality and is the easiest way to interact with everything we offer within the Supabase ecosystem.

Perform a SELECT query on the table or view.

• By default, Supabase projects will return a maximum of 1,000 rows. This setting can be changed in Project API Settings. It's recommended that you keep it low to limit the payload size of accidental or malicious requests. You can use range() queries to paginate through your data.
• select() can be combined with Filters
• select() can be combined with Modifiers
• apikey is a reserved keyword if you're using the Supabase Platform and should be avoided as a column name.

Perform an INSERT into the table or view.

Perform an UPDATE on the table or view.

• update() should always be combined with Filters to target the item(s) you wish to update.

Perform an UPSERT on the table or view. Depending on the column(s) passed to onConflict, .upsert() allows you to perform the equivalent of .insert() if a row with the corresponding onConflict columns doesn't exist, or if it does exist, perform an alternative action depending on ignoreDuplicates.

• Primary keys must be included in values to use upsert.

Perform a DELETE on the table or view.

• delete() should always be combined with Filters to target the item(s) you wish to delete.
• If you use delete() with filters and you have RLS enabled, only rows visible through SELECT policies are deleted. Note that by default no rows are visible, so you need at least one SELECT/ALL policy that makes the rows visible.

You can call stored procedures as a "Remote Procedure Call".

That's a fancy way of saying that you can put some logic into your database then call it from anywhere. It's especially useful when the logic rarely changes - like password resets and updates.

Filters allow you to only return rows that match certain conditions.

Filters can be used on select(), update(), and delete() queries.

If a Database function returns a table response, you can also apply filters.

Finds all rows whose value on the stated column exactly matches the specified value.

Finds all rows whose value on the stated column doesn't match the specified value.

Finds all rows whose value on the stated column is greater than the specified value.

Finds all rows whose value on the stated column is greater than or equal to the specified value.

Finds all rows whose value on the stated column is less than the specified value.

Finds all rows whose value on the stated column is less than or equal to the specified value.

Finds all rows whose value in the stated column matches the supplied pattern (case sensitive).

Finds all rows whose value in the stated column matches the supplied pattern (case insensitive).

A check for exact equality (null, true, false), finds all rows whose value on the stated column exactly match the specified value.

is_ and in_ filter methods are suffixed with _ to avoid collisions with reserved keywords.

Finds all rows whose value on the stated column is found on the specified values.

is_ and in_ filter methods are suffixed with _ to avoid collisions with reserved keywords.

Finds all rows whose tsvector value on the stated column matches to_tsquery(query).

Finds all rows whose columns match the specified query object.

Finds all rows which doesn't satisfy the filter.

• .not() expects you to use the raw PostgREST syntax for the filter names and values.

  
  

  _10

  .not('name','eq','Paris')

  _10

  .not('arraycol','cs','{"a","b"}') // Use Postgres array {} for array column and 'cs' for contains.

  _10

  .not('rangecol','cs','(1,2]') // Use Postgres range syntax for range column.

  _10

  .not('id','in','(6,7)') // Use Postgres list () and 'in' for in_ filter.

  _10

  .not('id','in','(${mylist.join(',')})') // You can insert a Dart list array.

  
  

Finds all rows satisfying at least one of the filters.

• .or() expects you to use the raw PostgREST syntax for the filter names and values.

  
  

  _10

  .or('id.in.(6,7),arraycol.cs.{"a","b"}') // Use Postgres list () and 'in' for in_ filter. Array {} and 'cs' for contains.

  _10

  .or('id.in.(${mylist.join(',')}),arraycol.cs.{${mylistArray.join(',')}}') // You can insert a Dart list for list or array column.

  _10

  .or('id.in.(${mylist.join(',')}),rangecol.cs.(${mylistRange.join(',')}]') // You can insert a Dart list for list or range column.

  
  

Finds all rows whose column satisfies the filter.

• .filter() expects you to use the raw PostgREST syntax for the filter names and values, so it should only be used as an escape hatch in case other filters don't work.
  
  

  _10

  .filter('arraycol','cs','{"a","b"}') // Use Postgres array {} and 'cs' for contains.

  _10

  .filter('rangecol','cs','(1,2]') // Use Postgres range syntax for range column.

  _10

  .filter('id','in','(6,7)') // Use Postgres list () and 'in' for in_ filter.

  _10

  .filter('id','cs','{${mylist.join(',')}}') // You can insert a Dart array list.

  
  

Filters work on the row level—they allow you to return rows that only match certain conditions without changing the shape of the rows. Modifiers are everything that don't fit that definition—allowing you to change the format of the response (e.g., returning a CSV string).

Modifiers must be specified after filters. Some modifiers only apply for queries that return rows (e.g., select() or rpc() on a function that returns a table response).

Orders the result with the specified column.

Limits the result with the specified count.

Limits the result to rows within the specified range, inclusive.

Retrieves only one row from the result. Result must be one row (e.g. using limit), otherwise this will result in an error.

Creates a new user.

• By default, the user needs to verify their email address before logging in. To turn this off, disable Confirm email in your project.
• Confirm email determines if users need to confirm their email address after signing up.
  • If Confirm email is enabled, a user is returned but session is null.
  • If Confirm email is disabled, both a user and a session are returned.
• When the user confirms their email address, they are redirected to the SITE_URL by default. You can modify your SITE_URL or add additional redirect URLs in your project.
• If signUp() is called for an existing confirmed user:
  • If Confirm email is enabled in your project, an obfuscated/fake user object is returned.
  • If Confirm email is disabled, the error message, User already registered is returned.

Receive a notification every time an auth event happens.

• Types of auth events: AuthChangeEvent.passwordRecovery, AuthChangeEvent.signedIn, AuthChangeEvent.signedOut, AuthChangeEvent.tokenRefreshed, AuthChangeEvent.userUpdatedand AuthChangeEvent.userDeleted

Log in an existing user using email or phone number with password.

• Requires either an email and password or a phone number and password.

• Requires either an email or phone number.
• This method is used for passwordless sign-ins where a OTP is sent to the user's email or phone number.
• If you're using an email, you can configure whether you want the user to receive a magiclink or a OTP.
• If you're using phone, you can configure whether you want the user to receive a OTP.
• The magic link's destination URL is determined by the SITE_URL. You can modify the SITE_URL or add additional redirect urls in your project.

Signs in a user using native Apple login.

• You need to register your bundle ID and add it to Supabase dashboard.
• This method is only available in iOS and macOS
• For other platforms, signInWithOAuth() should be used.

Signs the user in using third party OAuth providers.

• This method is used for signing in using a third-party provider.
• Supabase supports many different third-party providers.

Signs out the current user, if there is a logged in user.

• In order to use the signOut() method, the user needs to be signed in first.

• The verifyOtp method takes in different verification types. If a phone number is used, the type can either be sms or phone_change. If an email address is used, the type can be one of the following: signup, magiclink, recovery, invite or email_change.
• The verification type used should be determined based on the corresponding auth method called before verifyOtp to sign up / sign-in a user.

Returns the session data, if there is an active session.

Returns the user data, if there is a logged in user.

Updates user data for a logged in user.

• In order to use the updateUser() method, the user needs to be signed in first.
• By Default, email updates sends a confirmation link to both the user's current and new email. To only send a confirmation link to the user's new email, disable Secure email change in your project's email auth provider settings.

• This method is used together with updateUser() when a user's password needs to be updated.
• This method will send a nonce to the user's email. If the user doesn't have a confirmed email address, the method will send the nonce to the user's confirmed phone number instead.

• Resends a signup confirmation, email change or phone change email to the user.
• Passwordless sign-ins can be resent by calling the signInWithOtp() method again.
• Password recovery emails can be resent by calling the resetPasswordForEmail() method again.
• This method will only resend an email or phone OTP to the user if there was an initial signup, email change or phone change request being made.

This section contains methods commonly used for Multi-Factor Authentication (MFA) and are invoked behind the supabase.auth.mfa namespace.

Currently, we only support time-based one-time password (TOTP) as the 2nd factor. We don't support recovery codes but we allow users to enroll more than 1 TOTP factor, with an upper limit of 10.

Having a 2nd TOTP factor for recovery frees the user of the burden of having to store their recovery codes somewhere. It also reduces the attack surface since multiple recovery codes are usually generated compared to just having 1 backup TOTP factor.

Starts the enrollment process for a new Multi-Factor Authentication (MFA) factor. This method creates a new unverified factor. To verify a factor, present the QR code or secret to the user and ask them to add it to their authenticator app. The user has to enter the code from their authenticator app to verify it.

• Currently, totp is the only supported factorType. The returned id should be used to create a challenge.
• To create a challenge, see mfa.challenge().
• To verify a challenge, see mfa.verify().
• To create and verify a challenge in a single step, see mfa.challengeAndVerify().

Prepares a challenge used to verify that a user has access to a MFA factor.

• An enrolled factor is required before creating a challenge.
• To verify a challenge, see mfa.verify().

Verifies a code against a challenge. The verification code is provided by the user by entering a code seen in their authenticator app.

• To verify a challenge, please create a challenge first.

Helper method which creates a challenge and immediately uses the given code to verify against it thereafter. The verification code is provided by the user by entering a code seen in their authenticator app.

• An enrolled factor is required before invoking challengeAndVerify().
• Executes mfa.challenge() and mfa.verify() in a single step.

Unenroll removes a MFA factor. A user has to have an aal2 authenticator level in order to unenroll a verified factor.

Returns the Authenticator Assurance Level (AAL) for the active session.

• Authenticator Assurance Level (AAL) is the measure of the strength of an authentication mechanism.
• In Supabase, having an AAL of aal1 refers to having the 1st factor of authentication such as an email and password or OAuth sign-in while aal2 refers to the 2nd factor of authentication such as a time-based, one-time-password (TOTP).
• If the user has a verified factor, the nextLevel field will return aal2, else, it will return aal1.

• Any method under the supabase.auth.admin namespace requires a service_role key.
• These methods are considered admin methods and should be called on a trusted server. Never expose your service_role key in the Flutter app.

Get user by id.

• Fetches the user object from the database based on the user's id.
• The getUserById() method requires the user's id which maps to the auth.users.id column.

Get a list of users.

• Defaults to return 50 users per page.

Creates a new user.

• To confirm the user's email address or phone number, set email_confirm or phone_confirm to true. Both arguments default to false.
• createUser() will not send a confirmation email to the user. You can use inviteUserByEmail() if you want to send them an email invite instead.
• If you are sure that the created user's email or phone number is legitimate and verified, you can set the email_confirm or phone_confirm param to true.

Delete a user.

• The deleteUser() method requires the user's ID, which maps to the auth.users.id column.

Sends an invite link to the user's email address.

Generates email links and OTPs to be sent via a custom email provider.

• The following types can be passed into generateLink(): signup, magiclink, invite, recovery, emailChangeCurrent, emailChangeNew, phoneChange.
• generateLink() only generates the email link for email_change_email if the "Secure email change" setting is enabled under the "Email" provider in your Supabase project.
• generateLink() handles the creation of the user for signup, invite and magiclink.

Invokes a Supabase Function. See the guide for details on writing Functions.

• Requires an Authorization header.
• Invoke params generally match the Fetch API spec.

Returns real-time data from your table as a Stream.

• Realtime is disabled by default for new tables. You can turn it on by managing replication.
• stream() will emit the initial data as well as any further change on the database as Stream<List<Map<String, dynamic>>> by combining Postgrest and Realtime.
• Takes a list of primary key column names that will be used to update and delete the proper records within the SDK.
• The following filters are available
  • .eq('column', value) listens to rows where the column equals the value
  • .neq('column', value) listens to rows where the column does not equal the value
  • .gt('column', value) listens to rows where the column is greater than the value
  • .gte('column', value) listens to rows where the column is greater than or equal to the value
  • .lt('column', value) listens to rows where the column is less than the value
  • .lte('column', value) listens to rows where the column is less than or equal to the value
  • .inFilter('column', [val1, val2, val3]) listens to rows where the column is one of the values

Subscribe to realtime changes in your database.

• Realtime is disabled by default for new tables. You can turn it on by managing replication.
• If you want to receive the "previous" data for updates and deletes, you will need to set REPLICA IDENTITY to FULL, like this: ALTER TABLE your_table REPLICA IDENTITY FULL;

Unsubscribes and removes Realtime channel from Realtime client.

• Removing a channel is a great way to maintain the performance of your project's Realtime service as well as your database if you're listening to Postgres changes. Supabase will automatically handle cleanup 30 seconds after a client is disconnected, but unused channels may cause degradation as more clients are simultaneously subscribed.

Unsubscribes and removes all Realtime channels from Realtime client.

• Removing channels is a great way to maintain the performance of your project's Realtime service as well as your database if you're listening to Postgres changes. Supabase will automatically handle cleanup 30 seconds after a client is disconnected, but unused channels may cause degradation as more clients are simultaneously subscribed.

Returns all Realtime channels.

Creates a new Storage bucket

• Policy permissions required:
  • buckets permissions: insert
  • objects permissions: none

Retrieves the details of an existing Storage bucket.

• Policy permissions required:
  • buckets permissions: select
  • objects permissions: none

Retrieves the details of all Storage buckets within an existing product.

• Policy permissions required:
  • buckets permissions: select
  • objects permissions: none

Updates a new Storage bucket

• Policy permissions required:
  • buckets permissions: update
  • objects permissions: none

Deletes an existing bucket. A bucket can't be deleted with existing objects inside it. You must first empty() the bucket.

• Policy permissions required:
  • buckets permissions: select and delete
  • objects permissions: none

Removes all objects inside a single bucket.

• Policy permissions required:
  • buckets permissions: select
  • objects permissions: select and delete

Uploads a file to an existing bucket.

• Policy permissions required:
  • buckets permissions: none
  • objects permissions: insert

Downloads a file.

• Policy permissions required:
  • buckets permissions: none
  • objects permissions: select

Lists all the files within a bucket.

• Policy permissions required:
  • buckets permissions: none
  • objects permissions: select

Replaces an existing file at the specified path with a new one.

• Policy permissions required:
  • buckets permissions: none
  • objects permissions: update and select

Moves an existing file, optionally renaming it at the same time.

• Policy permissions required:
  • buckets permissions: none
  • objects permissions: update and select

Deletes files within the same bucket

• Policy permissions required:
  • buckets permissions: none
  • objects permissions: delete and select

Create signed url to download file without requiring permissions. This URL can be valid for a set number of seconds.

• Policy permissions required:
  • buckets permissions: none
  • objects permissions: select

Retrieve URLs for assets in public buckets

• The bucket needs to be set to public, either via updateBucket() or by going to Storage on supabase.com/dashboard, clicking the overflow menu on a bucket and choosing "Make public"
• Policy permissions required:
  • buckets permissions: none
  • objects permissions: none