| name | backend-dev-guidelines |
| description | Comprehensive backend development guide for Supabase Edge Functions + PostgreSQL. Use when working with Supabase (database, auth, storage, realtime), Edge Functions, PostgreSQL, Row-Level Security (RLS), Resend email, Stripe payments, or TypeScript backend patterns. Covers database design, auth flows, Edge Function patterns, RLS policies, email integration, payment processing, and deployment to Supabase. |
📋 OPINIONATED SCAFFOLD: Modern Supabase + Edge Functions stack
Default Stack:
- Backend: Supabase Edge Functions (Deno runtime)
- Database: Supabase PostgreSQL + Row-Level Security
- Auth: Supabase Auth (JWT-based)
- Storage: Supabase Storage
- Email: Resend (transactional emails)
- Payments: Stripe (subscriptions + one-time)
- Language: TypeScript
- Deployment: Git push to Supabase
To customize: Run /customize-scaffold backend or use the scaffold-customizer agent
to adapt for Express, NestJS, Fastify, Django, Rails, Go, or other frameworks.
Backend Development Guidelines
Purpose
Establish consistency and best practices for Supabase-powered backends using Edge Functions, PostgreSQL with Row-Level Security, and TypeScript. This skill covers database design, authentication flows, API patterns, email integration, and payment processing.
When to Use This Skill
Automatically activates when working on:
- Creating or modifying Supabase Edge Functions
- Designing PostgreSQL database schemas
- Implementing Row-Level Security (RLS) policies
- Building authentication flows with Supabase Auth
- Integrating Supabase Storage for file uploads
- Sending transactional emails with Resend
- Processing payments with Stripe
- Input validation with Zod
- Testing with Supabase CLI
- Backend deployment and configuration
Quick Start
New Edge Function Checklist
New Feature Checklist
Architecture Overview
Supabase Stack Architecture
HTTP Request
↓
Edge Function (Deno runtime)
↓
Supabase Client (Auth + validation)
↓
PostgreSQL Database (with RLS)
↓
Response with JSON
Key Principle: Edge Functions are stateless, RLS enforces data security.
Integrations:
- Supabase Auth → JWT-based authentication
- Supabase Storage → File uploads and CDN
- Supabase Realtime → WebSocket subscriptions
- Resend → Transactional emails
- Stripe → Payment processing
See architecture-overview.md for complete details.
Directory Structure
project/
├── supabase/
│ ├── functions/ # Edge Functions
│ │ ├── create-user/
│ │ │ └── index.ts
│ │ ├── send-email/
│ │ │ └── index.ts
│ │ └── process-payment/
│ │ └── index.ts
│ ├── migrations/ # Database migrations
│ │ ├── 001_initial_schema.sql
│ │ ├── 002_add_rls.sql
│ │ └── 003_add_indexes.sql
│ ├── seed.sql # Test data
│ └── config.toml # Supabase config
├── lib/
│ └── supabase/
│ ├── client.ts # Supabase client setup
│ ├── auth.ts # Auth utilities
│ └── types.ts # Database types
└── types/
└── database.types.ts # Generated from schema
Naming Conventions:
- Edge Functions:
kebab-case - create-user, send-email
- Database tables:
snake_case - user_profiles, subscription_plans
- RLS policies:
snake_case - users_select_own, posts_insert_authenticated
- TypeScript types:
PascalCase - UserProfile, SubscriptionPlan
Core Principles (7 Key Rules)
1. Edge Functions are Simple and Focused
Deno.serve(async (req) => {
});
Deno.serve(async (req) => {
const user = await getUserFromRequest(req);
const result = await createPost(user.id, req);
return new Response(JSON.stringify(result), { status: 201 });
});
2. Always Verify JWT Tokens
import { createClient } from '@supabase/supabase-js';
const supabase = createClient(
Deno.env.get('SUPABASE_URL')!,
Deno.env.get('SUPABASE_ANON_KEY')!,
{
global: {
headers: { Authorization: req.headers.get('Authorization')! }
}
}
);
const { data: { user }, error } = await supabase.auth.getUser();
if (error || !user) {
return new Response('Unauthorized', { status: 401 });
}
3. Use RLS for Data Security
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
CREATE POLICY "users_select_own" ON posts
FOR SELECT
USING (auth.uid() = user_id);
CREATE POLICY "posts_insert_own" ON posts
FOR INSERT
WITH CHECK (auth.uid() = user_id);
4. Validate All Input with Zod
import { z } from 'zod';
const CreatePostSchema = z.object({
title: z.string().min(1).max(200),
content: z.string().min(1),
tags: z.array(z.string()).optional()
});
const body = await req.json();
const validated = CreatePostSchema.parse(body);
5. Use Environment Variables via Deno.env
const apiKey = 'sk_live_abc123';
const apiKey = Deno.env.get('STRIPE_API_KEY')!;
const resendKey = Deno.env.get('RESEND_API_KEY')!;
6. Handle Errors Gracefully
try {
const result = await performOperation();
return new Response(JSON.stringify({ success: true, data: result }), {
status: 200,
headers: { 'Content-Type': 'application/json' }
});
} catch (error) {
console.error('Operation failed:', error);
return new Response(JSON.stringify({
success: false,
error: error.message
}), {
status: 500,
headers: { 'Content-Type': 'application/json' }
});
}
7. Test Locally Before Deploying
supabase start
supabase functions serve create-user --env-file .env.local
curl -i http://localhost:54321/functions/v1/create-user \
-H "Authorization: Bearer YOUR_TOKEN" \
-d '{"email":"test@example.com"}'
Common Imports
import { createClient } from '@supabase/supabase-js';
import type { Database } from '../types/database.types.ts';
import { z } from 'zod';
import { Resend } from 'resend';
import Stripe from 'stripe';
import { corsHeaders } from '../_shared/cors.ts';
Quick Reference
HTTP Status Codes
| Code | Use Case |
|---|
| 200 | Success |
| 201 | Created |
| 204 | No Content (DELETE success) |
| 400 | Bad Request (validation error) |
| 401 | Unauthorized (no/invalid token) |
| 403 | Forbidden (valid token, no permission) |
| 404 | Not Found |
| 500 | Server Error |
Common Edge Function Patterns
Auth Check → Verify JWT, get user
CRUD Operations → Create, Read, Update, Delete with RLS
Email Sending → Resend integration
Payment Processing → Stripe webhooks and charges
File Upload → Supabase Storage integration
Anti-Patterns to Avoid
❌ Skipping JWT verification
❌ Querying database without RLS
❌ No input validation
❌ Exposing secrets in code
❌ Missing error handling
❌ Deploying without local testing
❌ Direct database access (bypassing RLS)
❌ console.log for production errors (use proper logging)
Example Resource Files
📝 Note: This is a scaffold skill with example resources. The provided resources demonstrate the pattern - you should generate additional resources as needed for your specific project.
✅ Provided Examples
architecture-overview.md - Complete Supabase stack architecture
edge-functions-guide.md - Edge Function patterns and deployment
database-and-rls.md - Database design and RLS policies
📋 Generate On-Demand
When you need guidance on a specific topic, ask Claude to generate a resource file following the same pattern as the examples above. Common topics:
- Validation patterns - Zod schemas and error handling
- Auth patterns - JWT verification, session management
- Storage patterns - File uploads, CDN, signed URLs
- Email integration - Resend templates and sending
- Stripe integration - Payments, subscriptions, webhooks
- Testing guide - Local testing, integration tests
- Complete examples - Full working Edge Function examples
How to request: "Generate a resource file for [topic] following the pattern in architecture-overview.md"
Customization Instructions
For Your Tech Stack
Not using Supabase? Use the scaffold-customizer agent or manual replacement:
Supabase → Your database (Prisma, TypeORM, etc.)
Edge Functions → Your backend (Express, NestJS, etc.)
PostgreSQL → Your database (MySQL, MongoDB, etc.)
RLS → Your auth strategy
For Your Domain
Replace the generic examples with your domain:
- Update "posts" table → your entities
- Update "users" → your user model
- Update business logic examples
For Your Patterns
Adapt the principles to your architecture:
- Keep security-first approach
- Keep validation patterns
- Keep error handling patterns
- Adjust structure to your needs
Related Skills
- frontend-dev-guidelines - Next.js + React patterns for Supabase integration
- memory-management - Track architectural decisions
- skill-developer - Meta-skill for creating and managing skills
Skill Status: SCAFFOLD ✅
Line Count: < 500 ✅
Progressive Disclosure: Example resources + generation instructions ✅
