Forem: Mahidhar Reddy The latest articles on Forem by Mahidhar Reddy (@mahidhar_reddy_1dc0fe96f8). https://forem.com/mahidhar_reddy_1dc0fe96f8 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3799762%2F4cd2fa2d-fc3f-46b6-823b-121a5dd300e7.jpg Forem: Mahidhar Reddy https://forem.com/mahidhar_reddy_1dc0fe96f8 en Supabase Blocked in India: The Complete Guide to Fixing Your App Mahidhar Reddy Sun, 01 Mar 2026 10:18:18 +0000 https://forem.com/mahidhar_reddy_1dc0fe96f8/-supabase-blocked-in-india-the-complete-guide-to-fixing-your-app-456p https://forem.com/mahidhar_reddy_1dc0fe96f8/-supabase-blocked-in-india-the-complete-guide-to-fixing-your-app-456p <p><em>Every solution, from 5-minute quick fixes to permanent $0/month architecture changes</em></p> <h2> What Happened </h2> <p>Last Friday evening, a user in Chennai sent me a screenshot. My app's login page was throwing a 525 SSL handshake error. No Google login, no email login, nothing.</p> <p>I checked git log. No recent changes. Checked server logs. Clean. Checked Supabase status — "All Systems Operational."</p> <p>Then I scrolled down and found it buried under the main dashboard: "Users Experiencing Network Connectivity Problems (India Region)."</p> <p>My stomach dropped.</p> <p>I'm building WhatsScale, a WhatsApp automation platform. My target market is India — 535 million WhatsApp users. And the authentication service my entire app depends on had just been blocked by the Indian government.</p> <p>On February 24, 2026, a blocking order was issued under Section 69A of the Information Technology Act. Major ISPs — Jio (500M+ subscribers), Airtel, ACT Fibernet — were instructed to block DNS resolution for <code>*.supabase.co</code> domains.</p> <p>This isn't a DNS glitch. This is a deliberate government action. There is no official timeline for when (or if) it will be resolved.</p> <p>Supabase is the 4th-largest BaaS market in India — 365,000 developers used it in January 2026 alone, with 179% year-over-year growth. All of them woke up to broken apps.</p> <p>If you're one of them, this guide is for you.</p> <h2> What's Actually Broken </h2> <p>The block is at the DNS level. When a browser or server in India tries to reach any <code>*.supabase.co</code> domain, the ISP's DNS resolver returns nothing. Some ISPs also use deep packet inspection (DPI), which blocks requests even if you change your DNS settings.</p> <p>This breaks different things depending on your architecture:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>What</th> <th>How it works</th> <th>Broken?</th> </tr> </thead> <tbody> <tr> <td><strong>Google OAuth / email login</strong></td> <td>Browser redirects through <code>*.supabase.co</code> </td> <td>❌ Yes — browser can't reach Supabase</td> </tr> <tr> <td><strong><code>supabase.from().select()</code> from browser</strong></td> <td>Browser calls Supabase REST API directly</td> <td>❌ Yes</td> </tr> <tr> <td><strong>Supabase Realtime</strong></td> <td>Browser opens WebSocket to <code>*.supabase.co</code> </td> <td>❌ Yes</td> </tr> <tr> <td><strong>Supabase Storage</strong></td> <td>Browser uploads/downloads from <code>*.supabase.co</code> </td> <td>❌ Yes</td> </tr> <tr> <td><strong>Supabase Edge Functions (from browser)</strong></td> <td>Browser calls <code>*.supabase.co/functions/v1/</code> </td> <td>❌ Yes</td> </tr> <tr> <td><strong>Server-to-Supabase (server outside India)</strong></td> <td>Server calls Supabase from US/EU/etc</td> <td>✅ Works fine</td> </tr> <tr> <td><strong>Server-to-Supabase (server in India)</strong></td> <td>Server calls Supabase from Indian VPS</td> <td>❌ Yes — server DNS is also blocked</td> </tr> <tr> <td><strong>Local development</strong></td> <td>Your laptop calls Supabase</td> <td>❌ Yes — your laptop uses Indian ISP DNS</td> </tr> </tbody> </table></div> <p>The pattern is simple: <strong>if the request originates from an Indian network and goes to <code>*.supabase.co</code>, it fails.</strong></p> <h2> All Available Solutions </h2> <p>Here's every option, from quickest to most permanent. Pick based on your situation.</p> <h3> Fix 1: Change Your DNS (5 minutes, $0) </h3> <p><strong>Fixes:</strong> Your own development machine only<br> <strong>Doesn't fix:</strong> Your end users' browsers</p> <p>Change your system DNS to Cloudflare (1.1.1.1) or Google (8.8.8.8). This bypasses your ISP's DNS resolver.</p> <p><strong>macOS:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set DNS</span> networksetup <span class="nt">-setdnsservers</span> Wi-Fi 1.1.1.1 1.0.0.1 <span class="c"># Flush cache</span> <span class="nb">sudo </span>dscacheutil <span class="nt">-flushcache</span><span class="p">;</span> <span class="nb">sudo </span>killall <span class="nt">-HUP</span> mDNSResponder </code></pre> </div> <p><strong>Linux:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Edit resolv.conf</span> <span class="nb">sudo </span>nano /etc/resolv.conf <span class="c"># Add:</span> nameserver 1.1.1.1 nameserver 1.0.0.1 </code></pre> </div> <p><strong>Android / iOS:</strong><br> Settings → Wi-Fi → your network → DNS → set to 1.1.1.1</p> <p><strong>Limitations:</strong></p> <ul> <li>You cannot ask your end users to do this. It's fine for your dev machine, not for production.</li> <li>Some ISPs use DPI (deep packet inspection) which blocks traffic regardless of DNS settings. If changing DNS doesn't work, your ISP is using DPI.</li> </ul> <p><strong>When to use this:</strong> Local development, testing, debugging. That's it.</p> <h3> Fix 2: Supabase Custom Domain (30 minutes, $35/month) </h3> <p><strong>Fixes:</strong> Everything — auth, database, storage, realtime<br> <strong>Doesn't fix:</strong> Cost sensitivity</p> <p>This is the fastest production fix. Instead of your app calling <code>your-project.supabase.co</code>, it calls <code>db.yourapp.com</code>. Since your domain isn't blocked, the ISP lets the traffic through. Supabase handles the rest behind the scenes.</p> <h4> Prerequisites </h4> <ul> <li>A domain on Cloudflare (free plan works)</li> <li>Supabase Pro plan ($25/month)</li> <li>Custom Domain add-on ($10/month)</li> </ul> <h4> Step 1: Upgrade to Supabase Pro </h4> <p>Supabase dashboard → Organization → Billing → Upgrade to Pro.</p> <h4> Step 2: Enable Custom Domain </h4> <p>Project Settings → General → Custom Domains → Add.</p> <h4> Step 3: Add DNS Records in Cloudflare </h4> <p><strong>CNAME record:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Type: CNAME Name: db Target: &lt;your-project-ref&gt;.supabase.co Proxy: DNS only (grey cloud — critical!) TTL: Auto </code></pre> </div> <p>The proxy MUST be off (DNS only / grey cloud). Supabase needs to handle SSL termination directly.</p> <p><strong>TXT record (for verification):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Type: TXT Name: _acme-challenge.db Content: (copy from Supabase dashboard) </code></pre> </div> <h4> Step 4: Verify and Activate </h4> <p>Back in Supabase, click Verify, wait 1-2 minutes, then Activate.</p> <h4> Step 5: Update Your App </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Before NEXT_PUBLIC_SUPABASE_URL=https://&lt;project-ref&gt;.supabase.co # After NEXT_PUBLIC_SUPABASE_URL=https://db.yourapp.com </code></pre> </div> <p>Rebuild and deploy.</p> <h4> Step 6: Update Google OAuth (if using) </h4> <p>Google Cloud Console → APIs &amp; Credentials → your OAuth client → add redirect URI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://db.yourapp.com/auth/v1/callback </code></pre> </div> <p>Keep the old one too (for non-Indian users on the default domain).</p> <h4> Step 7: Fix nginx Cookie Error (if applicable) </h4> <p>If you get <code>400 Bad Request — Request Header Or Cookie Too Large</code> after OAuth redirect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># Add to your nginx server block</span> <span class="k">large_client_header_buffers</span> <span class="mi">4</span> <span class="mi">32k</span><span class="p">;</span> </code></pre> </div> <p>Reload nginx and retry.</p> <p><strong>When to use this:</strong> You need everything working today and $35/month is acceptable. This is the lowest-effort production fix.</p> <h3> Fix 3: Cloudflare Worker Proxy (2-3 hours, $0) </h3> <p><strong>Fixes:</strong> REST API, Auth, Storage, Edge Functions from browser<br> <strong>Doesn't fix:</strong> Realtime/WebSockets (needs extra work)</p> <p>A Cloudflare Worker sits between your users and Supabase. Your app calls <code>db.yourapp.com</code>, the Worker forwards everything to <code>*.supabase.co</code>. Cloudflare's network isn't blocked in India.</p> <p>Free tier: 100,000 requests/day. More than enough for most apps.</p> <h4> Step 1: Create the Worker </h4> <p>Install Wrangler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> wrangler wrangler login </code></pre> </div> <p>Create the project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>supabase-proxy <span class="o">&amp;&amp;</span> <span class="nb">cd </span>supabase-proxy wrangler init </code></pre> </div> <h4> Step 2: Write the Proxy </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/index.ts</span> <span class="kd">const</span> <span class="nx">SUPABASE_URL</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://&lt;your-project-ref&gt;.supabase.co</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">fetch</span><span class="p">(</span><span class="na">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Response</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="c1">// Build the target URL</span> <span class="kd">const</span> <span class="nx">targetURL</span> <span class="o">=</span> <span class="nx">SUPABASE_URL</span> <span class="o">+</span> <span class="nx">url</span><span class="p">.</span><span class="nx">pathname</span> <span class="o">+</span> <span class="nx">url</span><span class="p">.</span><span class="nx">search</span><span class="p">;</span> <span class="c1">// Clone headers, forward everything</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">);</span> <span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Host</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">SUPABASE_URL</span><span class="p">).</span><span class="nx">host</span><span class="p">);</span> <span class="c1">// Forward the request</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">targetURL</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="nx">headers</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">method</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">method</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">HEAD</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Clone response and add CORS headers</span> <span class="kd">const</span> <span class="nx">responseHeaders</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">);</span> <span class="nx">responseHeaders</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">);</span> <span class="nx">responseHeaders</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">GET, POST, PUT, PATCH, DELETE, OPTIONS</span><span class="dl">'</span><span class="p">);</span> <span class="nx">responseHeaders</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Handle preflight</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">OPTIONS</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">204</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">responseHeaders</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="na">statusText</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">statusText</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">responseHeaders</span><span class="p">,</span> <span class="p">});</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <h4> Step 3: Configure the Route </h4> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># wrangler.toml</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"supabase-proxy"</span> <span class="py">main</span> <span class="p">=</span> <span class="s">"src/index.ts"</span> <span class="py">compatibility_date</span> <span class="p">=</span> <span class="s">"2024-01-01"</span> <span class="py">routes</span> <span class="p">=</span> <span class="p">[</span> <span class="err">{</span> <span class="py">pattern</span> <span class="p">=</span> <span class="s">"db.yourapp.com/*"</span><span class="p">,</span> <span class="py">zone_name</span> <span class="p">=</span> <span class="s">"yourapp.com"</span> <span class="err">}</span> <span class="p">]</span> </code></pre> </div> <h4> Step 4: Deploy </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wrangler deploy </code></pre> </div> <h4> Step 5: Update Your App </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Change your Supabase client URL</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="dl">'</span><span class="s1">https://db.yourapp.com</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Your Cloudflare Worker</span> <span class="nx">SUPABASE_ANON_KEY</span> <span class="c1">// Anon key stays the same</span> <span class="p">);</span> </code></pre> </div> <p>That's it. All REST API calls, auth redirects, storage requests, and edge function calls now route through your Worker.</p> <h4> What About Realtime (WebSockets)? </h4> <p>Cloudflare Workers support WebSockets, but proxying Supabase Realtime requires additional handling — you need to upgrade the connection and relay frames. This is doable but complex enough to deserve its own article. If Realtime is critical for you, use Fix 2 (custom domain) for now.</p> <p><strong>When to use this:</strong> You want a free solution that covers most use cases, and you don't depend heavily on Supabase Realtime.</p> <h3> Fix 4: Firebase Auth + Supabase Database (2 days, $0/month) </h3> <p><strong>Fixes:</strong> Authentication permanently — ISP-proof<br> <strong>Doesn't fix:</strong> Direct browser-to-Supabase DB calls (combine with Fix 3 for that)</p> <p>This is what I'm doing for WhatsScale. Firebase Auth runs on Google's infrastructure. India is not going to block Google. Firebase Auth's free tier includes unlimited Google and email logins.</p> <p>The architecture: Firebase handles authentication, Supabase handles the database, and a token bridge connects them.</p> <h4> Architecture: Before vs After </h4> <p><strong>Before (everything through Supabase):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser → Supabase Auth (BLOCKED in India) → Google Browser → Supabase DB with Supabase JWT → RLS checks auth.uid() </code></pre> </div> <p><strong>After (Firebase Auth + Supabase DB):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser → Firebase Auth → Google (never touches supabase.co) Browser → Your server /api/auth/token → mints Supabase JWT Browser → Supabase DB with custom JWT → RLS still checks auth.uid() </code></pre> </div> <p>The browser never reaches <code>*.supabase.co</code> for auth. Firebase handles Google OAuth entirely on Google's domain.</p> <h4> The Token Bridge </h4> <p>This is the critical component. It takes a Firebase ID token, verifies it, looks up the user in your Supabase database, and returns a Supabase-compatible JWT.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/token/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">admin</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase-admin</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Initialize Firebase Admin (once)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">admin</span><span class="p">.</span><span class="nx">apps</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="p">{</span> <span class="nx">admin</span><span class="p">.</span><span class="nf">initializeApp</span><span class="p">({</span> <span class="na">credential</span><span class="p">:</span> <span class="nx">admin</span><span class="p">.</span><span class="nx">credential</span><span class="p">.</span><span class="nf">cert</span><span class="p">({</span> <span class="na">projectId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FIREBASE_ADMIN_PROJECT_ID</span><span class="p">,</span> <span class="na">clientEmail</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FIREBASE_ADMIN_CLIENT_EMAIL</span><span class="p">,</span> <span class="na">privateKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FIREBASE_ADMIN_PRIVATE_KEY</span><span class="p">?.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\\</span><span class="sr">n/g</span><span class="p">,</span> <span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">),</span> <span class="p">}),</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">supabaseAdmin</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_SERVICE_ROLE_KEY</span><span class="o">!</span> <span class="p">);</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">firebaseToken</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// 1. Verify the Firebase token</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">admin</span><span class="p">.</span><span class="nf">auth</span><span class="p">().</span><span class="nf">verifyIdToken</span><span class="p">(</span><span class="nx">firebaseToken</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">email</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No email in token</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// 2. Find existing user by email</span> <span class="kd">let</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">profile</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabaseAdmin</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">profiles</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="nx">email</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">();</span> <span class="c1">// 3. New user? Create them in Supabase</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">profile</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">authUser</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabaseAdmin</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nx">admin</span><span class="p">.</span><span class="nf">createUser</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="na">email_confirm</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="k">await</span> <span class="nx">supabaseAdmin</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">profiles</span><span class="dl">'</span><span class="p">).</span><span class="nf">insert</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">authUser</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="na">full_name</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">name</span> <span class="o">||</span> <span class="kc">null</span><span class="p">,</span> <span class="p">});</span> <span class="nx">profile</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">authUser</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// 4. Mint a Supabase-compatible JWT</span> <span class="kd">const</span> <span class="nx">supabaseJWT</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="c1">// auth.uid() reads this</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">authenticated</span><span class="dl">'</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="na">aud</span><span class="p">:</span> <span class="dl">'</span><span class="s1">authenticated</span><span class="dl">'</span><span class="p">,</span> <span class="na">exp</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">)</span> <span class="o">+</span> <span class="mi">3600</span><span class="p">,</span> <span class="na">iat</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">),</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_JWT_SECRET</span><span class="o">!</span> <span class="p">);</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">supabaseJWT</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">email</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Token bridge error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Authentication failed</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Why Existing Data Doesn't Break </h4> <p>This was my biggest worry. My database has users, contacts, scheduled messages — all linked by Supabase UUIDs. Would I need to migrate everything?</p> <p>No.</p> <p>Supabase RLS policies use <code>auth.uid()</code>, which reads the <code>sub</code> claim from the JWT. The token bridge looks up the user by email and puts their <strong>original Supabase UUID</strong> in the <code>sub</code> claim. All existing RLS policies work without changes. Zero data migration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This policy still works:</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can view own contacts"</span> <span class="k">ON</span> <span class="n">contacts</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">());</span> <span class="c1">-- auth.uid() reads 'sub' from your custom JWT</span> <span class="c1">-- 'sub' = the original Supabase UUID</span> </code></pre> </div> <h4> The Updated Auth Client (Simplified) </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/firebase-auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">initializeApp</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase/app</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getAuth</span><span class="p">,</span> <span class="nx">signInWithRedirect</span><span class="p">,</span> <span class="nx">getRedirectResult</span><span class="p">,</span> <span class="nx">GoogleAuthProvider</span><span class="p">,</span> <span class="nx">signInWithEmailAndPassword</span><span class="p">,</span> <span class="nx">createUserWithEmailAndPassword</span><span class="p">,</span> <span class="nx">sendPasswordResetEmail</span><span class="p">,</span> <span class="nx">onAuthStateChanged</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase/auth</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">firebaseApp</span> <span class="o">=</span> <span class="nf">initializeApp</span><span class="p">({</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_FIREBASE_API_KEY</span><span class="p">,</span> <span class="na">authDomain</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN</span><span class="p">,</span> <span class="na">projectId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_FIREBASE_PROJECT_ID</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">getAuth</span><span class="p">(</span><span class="nx">firebaseApp</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">googleProvider</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">GoogleAuthProvider</span><span class="p">();</span> <span class="c1">// Exchange Firebase token for Supabase JWT</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getSupabaseSession</span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">idToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">firebaseUser</span><span class="p">.</span><span class="nf">getIdToken</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth/token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">firebaseToken</span><span class="p">:</span> <span class="nx">idToken</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Create authenticated Supabase client</span> <span class="kd">function</span> <span class="nf">createAuthenticatedClient</span><span class="p">(</span><span class="nx">accessToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="p">,</span> <span class="p">{</span> <span class="na">global</span><span class="p">:</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Google login — use redirect, not popup</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">signInWithGoogle</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">signInWithRedirect</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="nx">googleProvider</span><span class="p">);</span> <span class="c1">// Email login</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">signInWithEmail</span> <span class="o">=</span> <span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">signInWithEmailAndPassword</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="c1">// Email signup</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">signUpWithEmail</span> <span class="o">=</span> <span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">createUserWithEmailAndPassword</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="c1">// Password reset</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">resetPassword</span> <span class="o">=</span> <span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">sendPasswordResetEmail</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="nx">email</span><span class="p">);</span> <span class="c1">// Sign out</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">signOut</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">auth</span><span class="p">.</span><span class="nf">signOut</span><span class="p">();</span> </code></pre> </div> <p><strong>Important: Use <code>signInWithRedirect</code>, not <code>signInWithPopup</code>.</strong> Many Indian users open links from WhatsApp or Telegram. In-app browsers block popups. Mobile Safari blocks them. The redirect flow works everywhere.</p> <h4> Bonus: Phone OTP Login </h4> <p>Firebase gives you phone number auth for free — up to 10,000 verifications per month. In India, phone OTP is the preferred login method. This crisis actually unlocked the auth method my users want most.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">signInWithPhoneNumber</span><span class="p">,</span> <span class="nx">RecaptchaVerifier</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase/auth</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Send OTP</span> <span class="kd">const</span> <span class="nx">confirmation</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">signInWithPhoneNumber</span><span class="p">(</span> <span class="nx">auth</span><span class="p">,</span> <span class="dl">'</span><span class="s1">+91</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">recaptchaVerifier</span> <span class="p">);</span> <span class="c1">// Verify OTP — then use same token bridge</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">confirmation</span><span class="p">.</span><span class="nf">confirm</span><span class="p">(</span><span class="nx">otpCode</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">access_token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSupabaseSession</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">user</span><span class="p">);</span> </code></pre> </div> <p>Same token bridge, same Supabase JWT, same RLS. Just a different Firebase auth method.</p> <p><strong>When to use this:</strong> You want permanently ISP-proof authentication, phone OTP for Indian users, and $0/month auth costs. Combine with Fix 3 (Cloudflare Worker) if your frontend also makes direct Supabase DB calls.</p> <h3> Fix 5: Move Your Server Outside India ($5-12/month) </h3> <p><strong>Fixes:</strong> Server-to-Supabase calls<br> <strong>Doesn't fix:</strong> Browser-to-Supabase calls (still need Fix 2, 3, or 4)</p> <p>If your backend runs on an Indian VPS or your local machine, even server-side Supabase calls are blocked. The simplest fix is to move your server to a non-Indian region.</p> <p>DigitalOcean, Hetzner, and Vultr all offer VPS instances in Singapore, Amsterdam, or Frankfurt for $5-12/month. Your Indian users will see slightly higher latency (50-100ms to Singapore), but your server can reach Supabase without any issues.</p> <p><strong>When to use this:</strong> Your server is currently hosted in India.</p> <h2> Which Fix For Your Situation </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Your situation</th> <th>Recommended fix</th> <th>Time</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td>Need it working TODAY</td> <td>Fix 2 (Custom Domain)</td> <td>30 min</td> <td>$35/mo</td> </tr> <tr> <td>Indie dev, $35/mo matters</td> <td>Fix 3 (Cloudflare Worker)</td> <td>2-3 hrs</td> <td>$0</td> </tr> <tr> <td>Want auth that can never be blocked</td> <td>Fix 4 (Firebase Auth)</td> <td>2 days</td> <td>$0</td> </tr> <tr> <td>Server is in India</td> <td>Fix 5 (Move server) + Fix 3 or 4</td> <td>Hours</td> <td>$5-12/mo</td> </tr> <tr> <td>Just need local dev working</td> <td>Fix 1 (Change DNS)</td> <td>5 min</td> <td>$0</td> </tr> <tr> <td>Full Supabase app (DB + Auth + Storage from browser)</td> <td>Fix 3 (Cloudflare Worker) covers everything</td> <td>2-3 hrs</td> <td>$0</td> </tr> <tr> <td>Starting a new project for India</td> <td>Consider Firebase, AWS Amplify, or self-hosted Postgres</td> <td>—</td> <td>—</td> </tr> </tbody> </table></div> <p>You can combine fixes. I'm running Fix 2 (custom domain) as my emergency solution while I build Fix 4 (Firebase Auth) as the permanent architecture.</p> <h2> Will This Block Be Lifted? </h2> <p>Nobody knows.</p> <p>Supabase has publicly stated they are in contact with Indian authorities. There has been no response from the government. Section 69A blocking orders are not published — there is no public document explaining why Supabase was blocked or what would need to change for it to be lifted.</p> <p>For context: TikTok was banned in India in June 2020. It's still banned in 2026. Some blocks are temporary. Some aren't. Building your architecture around the assumption that this will be resolved soon is a risk.</p> <h2> The Bigger Lesson </h2> <p>This incident taught me something I should have known from the start: <strong>never let a third-party domain sit in your browser's critical path if your users are in a country where ISP blocks happen.</strong></p> <p>India has blocked TikTok, PUBG, and hundreds of other services under Section 69A. The precedent exists. If your app targets Indian users and depends on a third-party domain that the browser must reach directly, you have a single point of failure.</p> <h3> Quick Architecture Audit </h3> <p><strong>Does your user's browser directly call any third-party domain during:</strong></p> <ul> <li>Login / signup / OAuth redirects?</li> <li>Database queries?</li> <li>File uploads or downloads?</li> <li>Real-time subscriptions?</li> <li>Payment processing?</li> </ul> <p>If yes — what happens if that domain gets blocked tomorrow? Can you proxy it through your own domain? Can you move the call server-side?</p> <p>The cost of this audit is an hour. The cost of not doing it is finding out on a Friday evening when your users send you screenshots.</p> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Fix</th> <th>Time</th> <th>Cost</th> <th>What it fixes</th> <th>Best for</th> </tr> </thead> <tbody> <tr> <td>Change DNS</td> <td>5 min</td> <td>$0</td> <td>Your dev machine</td> <td>Local development</td> </tr> <tr> <td>Supabase Custom Domain</td> <td>30 min</td> <td>$35/mo</td> <td>Everything</td> <td>Need it working today</td> </tr> <tr> <td>Cloudflare Worker Proxy</td> <td>2-3 hrs</td> <td>$0</td> <td>REST, Auth, Storage</td> <td>Free fix for most apps</td> </tr> <tr> <td>Firebase Auth + Supabase DB</td> <td>2 days</td> <td>$0</td> <td>Auth permanently</td> <td>Long-term ISP-proof auth</td> </tr> <tr> <td>Move server outside India</td> <td>Hours</td> <td>$5-12/mo</td> <td>Server-side calls</td> <td>Server currently in India</td> </tr> </tbody> </table></div> <p>Pick the fix that matches your urgency and architecture. Or combine them.</p> <p>If this helped, share it with other Indian devs who are dealing with broken Supabase apps right now. The more people who have working solutions, the better.</p> <p><em>I'm Mahi, building <a href="https://whatsscale.com" rel="noopener noreferrer">WhatsScale</a> — a WhatsApp automation platform for creators and businesses. If you're using WhatsApp in India, check it out.</em></p> <p><em>Questions about any of these fixes? Drop a comment or find me on <a href="https://x.com/mahidhar_k" rel="noopener noreferrer">Twitter/X</a>.</em></p> supabase webdev tutorial