By Supabase’s June 2026 developer update ships three things: a security debugging tool that should have existed two years ago, a proper schema diff engine, and a logs pricing change you have 16 days to prepare for. The pricing part is buried at the bottom of their changelog, but it’s the one that could surprise you on your next invoice.
RLS Tester: Finally, a Way to Verify Your Policies Before Production Bites You
Row Level Security has been Supabase’s most powerful and most misused feature since launch. The Moltbook breach in January 2026 — 1.5 million API keys exposed — came down to missing RLS. Earlier, 170+ Lovable-generated apps had the same problem. The core issue was never that RLS was hard to write. It was that there was no good way to verify it was actually working.
The RLS Tester, now in Feature Preview, fills that gap. You run a query through the dashboard, pick a user context — anonymous, authenticated, or a specific user UID — and see both the query result and which RLS policies evaluated and fired. The AI assistant converts client library code to SQL if you want to test your actual application queries instead of writing raw SQL.
Current limitations: SELECT queries only, and you need to enable it in the Feature Previews section of your dashboard. It doesn’t cover INSERT, UPDATE, or DELETE policy testing yet, so you still need manual verification for write paths. That’s a real gap, but SELECT coverage alone will catch the most common production incidents.
The old workflow involved SET ROLE authenticated tricks in the SQL Editor — which doesn’t even test RLS correctly because the SQL Editor runs as a superuser by default. The RLS Tester runs in the correct context. That’s not a minor improvement.
Logs Are Now Metered — Check Your Usage Before July 1
This is the part of the update that requires action. Starting July 1, 2026, logs usage is billed by consumption for all existing organizations. Pro and Team plans include 5 GB ingest and 1,000 GB query per month. Overage runs $0.50 per GB for ingest and $0.002 per GB for query. New organizations may already be on the metered model.
Five gigabytes of log ingest is generous for most applications. Where it gets expensive: verbose Postgres query logging, pgAudit enabled at the statement level, or apps generating unusually high realtime event volumes. If you’ve been logging everything because storage felt free, it no longer is.
The check is simple: open your Supabase dashboard, navigate to Logs, and look for the Usage tab. If you’re approaching 5 GB, the fastest fixes are reducing log verbosity settings in your database configuration and filtering which events you’re actually retaining. The pricing itself is competitive — Vercel and Cloudflare charge comparable rates for observability — but the timing of the change, buried in a developer update rather than a dedicated pricing announcement, leaves something to be desired.
pg-delta: Schema Diffing That Actually Understands Postgres
Supabase’s previous schema diff tool, migra, struggled with Postgres-specific DDL. RLS policies, triggers, complex function signatures — these would either fail silently or generate incorrect migration SQL. pg-delta is a from-scratch TypeScript rewrite that handles all of them.
It only targets Postgres 15 and above. That’s a deliberate trade-off: by dropping support for older versions, the team could write cleaner code without years of backward-compatibility hacks. If you’re still on Postgres 14, this doesn’t apply to you yet.
The more interesting feature is the declarative schema workflow. Describe your desired schema state as SQL files. Run supabase db diff --use-pg-delta. The CLI generates migration SQL that takes your database from current state to desired state. It’s the Terraform model applied to Postgres schema management — and something the ecosystem has needed for a while.
pg-delta is alpha software. File issues on GitHub if you hit edge cases. Don’t run it against production without testing first.
Auth Email Templates: Free Tier Gets Locked Down
New free-tier projects created after June 3, 2026 cannot modify authentication email templates when using Supabase’s default email provider. This covers magic link emails, confirmation emails, and password reset messages. The reason is spam: abusive accounts were using Supabase’s default SMTP infrastructure in bulk, putting the shared email server at risk of being blacklisted.
If you created your project before June 3, nothing changes. If you’re on a paid plan, nothing changes. If you’re on the free tier and want custom templates, configure your own SMTP provider in Authentication > SMTP Settings. For production applications, using your own SMTP is the right call regardless — you shouldn’t be sending auth emails through a shared provider you don’t control.
The Bigger Picture
Supabase becoming a connector on Perplexity Computer is worth noting as a signal. AI agents — Claude Code, Cursor, Codex — are already generating Supabase backends at scale. After raising $500M in May, the Perplexity integration extends that to AI assistants being able to query, inspect, and manage Supabase projects through natural language. Supabase is positioning itself as AI agent infrastructure, not just Firebase for Postgres.
The full June 2026 changelog is worth reading. But the three things that matter most this month: enable the RLS Tester in Feature Previews, check your logs usage before July 1, and treat pg-delta as alpha until further notice.
