
Row Level Security

How Handlet uses Postgres RLS for tenant isolation.

Row-level security is the primary authorization boundary for tenant-scoped product data.

Core rule

If a table stores workspace data, it should be scoped by account_id and have RLS policies that restrict reads and writes to authorized account members.

Standard access

Use the standard Supabase server client for product operations. RLS enforces the authenticated user's access to accounts and related rows.

Admin bypass

Service role clients bypass RLS. Use them sparingly and only with explicit manual validation of the caller, target account, and intended action.

Required checks

  • New tenant tables need RLS in the same migration.
  • Tests should cover cross-account denial for sensitive data.
  • Database discipline checks should pass before pushing schema work.
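
A migration that follows the core rule and the first required check, written as an added example rather than taken from Handlet's own schema. Only account_id comes from this page; the notes and account_members tables and the is_account_member function are hypothetical names, and the script assumes Supabase's auth schema (auth.users, auth.uid()).

```sql
-- Added example. Only account_id comes from the page; notes, account_members
-- and is_account_member are hypothetical names. Assumes Supabase's auth schema.
begin;

-- Assumed membership table: one row per (account, user) pair.
create table public.account_members (
  account_id uuid not null,
  user_id    uuid not null references auth.users (id) on delete cascade,
  primary key (account_id, user_id)
);
alter table public.account_members enable row level security;

-- A user can read only their own membership rows.
create policy account_members_select_own on public.account_members
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Membership test shared by tenant-table policies. SECURITY INVOKER keeps the
-- lookup itself subject to the policy above.
create function public.is_account_member(target_account uuid)
returns boolean language sql stable security invoker
set search_path = ''
as $$
  select exists (
    select 1 from public.account_members m
    where m.account_id = target_account
      and m.user_id = (select auth.uid())
  );
$$;

-- New tenant table, scoped by account_id.
create table public.notes (
  id         uuid primary key default gen_random_uuid(),
  account_id uuid not null,
  body       text not null
);
create index notes_account_id_idx on public.notes (account_id);

-- RLS is enabled in the same migration that creates the table.
alter table public.notes enable row level security;

-- USING filters rows that can be read, updated or deleted; WITH CHECK rejects
-- an insert or update that would place a row in an account the caller is not in.
create policy notes_member_access on public.notes
  for all to authenticated
  using (public.is_account_member(account_id))
  with check (public.is_account_member(account_id));

commit;
```

Because the policy targets only the authenticated role, an unauthenticated request matches no policy and sees no rows. A service role client still bypasses all of it.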
© 2026 Handlet. All rights reserved.
