[mstade]

With regards to authorization – have y'all looked any at Open Policy Agent[1]? I think it could potentially be a good fit for the Supabase stack to implement policies not just in the database but also the gateway and potentially other components as well.

It'd be super cool to be able to implement custom policies in rego code that could be re-used in several parts of the stack, and tested/verified/evolved independently from the stack.

[1]: https://www.openpolicyagent.org/

[thebengeu]

We did evaluate OPA recently. For now, we're working with an approach that builds on top of PostgreSQL Row Level Security and functions. That may have a sufficient balance of power, performance and complexity for many of our users. For more complex use cases, OPA may indeed be a good fit and is something we can explore more in the future.