Fix: Getting 403 Forbidden on Supabase Queries in Cursor-Built App

Quick Answer

Your RLS policies require auth.uid() but the Supabase client isn't passing the user's session. Use createServerClient (not createClient) in server components, and pass cookies properly.

Quick Fix Summary

Issue: Cursor + Supabase RLS 403 error
Fastest fix: Use the correct Supabase client
Use this page if: All Supabase queries return 403 Forbidden

Symptoms

  • All Supabase queries return 403 Forbidden
  • Queries work in Supabase dashboard but fail in the app
  • Error: new row violates row-level security policy
  • Auth works but database queries are blocked

Step-by-Step Fix

1. Use the correct Supabase client

In Next.js App Router, use createServerClient from @supabase/ssr for server components and API routes. In client components, use createBrowserClient. These automatically handle session tokens.

2. Check your RLS policies

In Supabase Dashboard > Authentication > Policies, verify your policy uses auth.uid(). Then check: does auth.uid() actually return a value? Run SELECT auth.uid(); in the SQL editor to test.

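3. Pass cookies in server components

createServerClient needs access to Next.js cookies, because that is where the user's session is stored. Import cookies from next/headers, take the cookie store it returns (cookieStore below), and pass it in: createServerClient(url, key, { cookies: { getAll: () => cookieStore.getAll() } })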

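4. Debug with RLS disabled temporarily

To confirm RLS is the issue: temporarily disable RLS on the table (ALTER TABLE your_table DISABLE ROW LEVEL SECURITY). If queries work without RLS, the issue is your policy. Re-enable immediately after testing. Run this test against a development or staging database rather than production: while RLS is disabled, the table is open to any request that carries the anon key.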
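To check what steps 1 and 3 are meant to fix, copy the Authorization header from a failing request and inspect which role and user it carries. The script below is an added example, not code from the original page; it assumes JWT-format Supabase keys and access tokens, and the function names and sample tokens are constructed for illustration.

```javascript
// Added diagnostic example; token values below are constructed and unsigned.
// Assumes JWT-format Supabase keys and access tokens.

// Decode a JWT payload WITHOUT verifying the signature (inspection only).
function decodeClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Classify the Authorization header a request sends to Supabase.
function diagnoseBearer(header, nowSeconds = Math.floor(Date.now() / 1000)) {
  const match = /^Bearer\s+(\S+)$/i.exec(header || '');
  if (!match) return { verdict: 'no-token', uid: null };
  const claims = decodeClaims(match[1]);
  if (!claims || typeof claims !== 'object') return { verdict: 'not-a-jwt', uid: null };
  // Service role key: RLS is bypassed entirely; must never leave the server.
  if (claims.role === 'service_role') return { verdict: 'service-role-bypasses-rls', uid: null };
  // Anon key sent as the bearer: no session attached, auth.uid() is NULL.
  if (claims.role === 'anon' || !claims.sub) return { verdict: 'anon-no-session', uid: null };
  // A session exists but the access token is past its exp claim.
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) {
    return { verdict: 'session-expired', uid: claims.sub };
  }
  return { verdict: 'authenticated', uid: claims.sub };
}

// Helper that builds constructed, unsigned sample tokens.
function sampleJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.constructed`;
}

const SAMPLE_UID = '00000000-0000-4000-8000-000000000001'; // constructed
const SAMPLES = {
  anon: sampleJwt({ role: 'anon' }),
  user: sampleJwt({ role: 'authenticated', sub: SAMPLE_UID, exp: 2000000000 }),
  service: sampleJwt({ role: 'service_role' }),
};

for (const [name, token] of Object.entries(SAMPLES)) {
  console.log(name, diagnoseBearer(`Bearer ${token}`, 1900000000));
}
```

A verdict of anon-no-session on a request made by a logged-in user means the session is not reaching the client that issued the query, which is the case the Quick Answer describes.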

Frequently Asked Questions

The dashboard uses the service role key which bypasses RLS. Your app uses the anon key which respects RLS. If your RLS policies don't match your auth setup, queries get blocked.

NEVER in client-side code. Only in server-side API routes for admin operations. The service role key bypasses all security — exposing it is a critical vulnerability.
