Dev & Project Management
🗄️ Supabase integration
Access levels: Read-only · Read + write · Verified
Dev & Project Management
Access levels: Read-only · Read + write · Verified
Connect Supabase once and every agent in your squad can work in it for you, with exactly as much access as you decide to give, and a receipt for every call it makes.
You can change an account's access level any time under Manage. It applies instantly, no re-authorization. If the connection ever expires, the card shows Reconnect; one click re-authorizes the same account with the same settings.
Multiple accounts: connect as many as you need (say, yours and a client's). One is primary. Agents use it unless a mission says otherwise.
The level you pick at connect time is enforced on our side for every agent call: an agent can never do more than the level allows, no matter what it's asked.
| Level | What it allows | |
|---|---|---|
| Read-only | Read project, org info, auth config, DB metadata. | |
| Read + write | Read/write project settings, DB schema, auth config. | Recommended |
On top of the connection's level, every agent can be individually allowed, scoped down, or denied for this app from the Integrations page. Deny an agent and it doesn't even see the connection.
The 102 tools agents use in Supabase through Mission Control, and the lowest access level that includes each. Agents discover these themselves. You never have to name a tool; asking in plain language is enough. A few rows are marked "Not currently enabled": Supabase offers them, but no access level includes them yet, so agents can't run them.
| Tool | What it does | Access level |
|---|---|---|
Alpha create api keySUPABASE_ALPHA_CREATE_API_KEY | Creates a 'publishable' or 'secret' API key for an existing Supabase project, optionally with a description; 'secret' keys can have customized JWT templates. | Read + write |
Alpha delete api keySUPABASE_ALPHA_DELETE_API_KEY | Permanently deletes a specific API key (identified by id) from a Supabase project (identified by ref), revoking its access. | Not currently enabled |
Alpha delete third party auth integrationSUPABASE_ALPHA_DELETE_THIRD_PARTY_AUTH_INTEGRATION | Removes a third-party authentication provider (e.g., Google, GitHub) from a Supabase project's configuration; this immediately prevents users from logging in via that method. | Not currently enabled |
Alpha get third party integrationSUPABASE_ALPHA_GET_THIRD_PARTY_INTEGRATION | Retrieves the detailed configuration for a specific third-party authentication (TPA) provider, identified by tpa_id, within an existing Supabase project specified by ref. | All levels |
Alpha list third party auth integrationsSUPABASE_ALPHA_LIST_THIRD_PARTY_AUTH_INTEGRATIONS | Lists all configured third-party authentication provider integrations for an existing Supabase project (using its ref), suitable for read-only auditing or verifying current authentication settings. | All levels |
Alpha update api keySUPABASE_ALPHA_UPDATE_API_KEY | Updates an existing Supabase project API key's description and/or secret_jwt_template (which defines its role); does not regenerate the key string. | Read + write |
Apply a migrationSUPABASE_APPLY_A_MIGRATION | Apply database migrations to a Supabase project. | Read + write |
Beta activate custom hostnameSUPABASE_BETA_ACTIVATE_CUSTOM_HOSTNAME | Activates a previously configured custom hostname for a Supabase project, assuming DNS settings are verified externally. | Read + write |
Beta activate vanity subdomainSUPABASE_BETA_ACTIVATE_VANITY_SUBDOMAIN | Activates a vanity subdomain for the specified Supabase project (e.g., 'my-brand.supabase.co'). | Read + write |
Beta authorize user through oauthSUPABASE_BETA_AUTHORIZE_USER_THROUGH_OAUTH | Generates a Supabase OAuth 2.0 authorization URL for user redirection. | All levels |
Beta check vanity subdomain availabilitySUPABASE_BETA_CHECK_VANITY_SUBDOMAIN_AVAILABILITY | Checks if a specific vanity subdomain is available for a Supabase project; this action does not reserve or assign the subdomain. | All levels |
Beta create read replicaSUPABASE_BETA_CREATE_READ_REPLICA | Provisions a read-only replica for a Supabase project in a specified, Supabase-supported AWS region to enhance read performance and reduce latency. | Read + write |
Beta enable database webhooksSUPABASE_BETA_ENABLE_DATABASE_WEBHOOKS | Enables database webhooks for the Supabase project ref, triggering real-time notifications for INSERT, UPDATE, or DELETE events. | Read + write |
Beta get project custom hostname configSUPABASE_BETA_GET_PROJECT_CUSTOM_HOSTNAME_CONFIG | Retrieves a Supabase project's custom hostname configuration, including its status, SSL certificate, and ownership verification, noting that availability may depend on the project's plan. | All levels |
Beta get project network bansSUPABASE_BETA_GET_PROJECT_NETWORK_BANS | Retrieves the list of banned IPv4 addresses for a Supabase project using its unique project reference string; this is a read-only operation. | All levels |
Beta get project network restrictionsSUPABASE_BETA_GET_PROJECT_NETWORK_RESTRICTIONS | Retrieves the network restriction settings (IP allowlists) for a Supabase project. | All levels |
Beta get project pgsodium configSUPABASE_BETA_GET_PROJECT_PGSODIUM_CONFIG | Retrieves the PGSodium configuration, including the root encryption key, for an existing Supabase project identified by its ref. | All levels |
Beta get project ssl enforcement configSUPABASE_BETA_GET_PROJECT_SSL_ENFORCEMENT_CONFIG | Retrieves the SSL enforcement configuration for a specified Supabase project, indicating if SSL connections are mandated for its database. | All levels |
Beta get vanity subdomain configSUPABASE_BETA_GET_VANITY_SUBDOMAIN_CONFIG | Fetches the current vanity subdomain configuration, including its status and custom domain name, for a Supabase project identified by its reference ID. | All levels |
Beta remove network bansSUPABASE_BETA_REMOVE_NETWORK_BANS | Removes specified IPv4 addresses from a Supabase project's network ban list, granting immediate access; IPs not currently banned are ignored. | Not currently enabled |
Beta remove read replicaSUPABASE_BETA_REMOVE_READ_REPLICA | Remove a read replica from a Supabase project (Pro plan or higher required). | Not currently enabled |
Beta run sql querySUPABASE_BETA_RUN_SQL_QUERY | Executes a given SQL query against the project's database; use for advanced data operations or when standard API endpoints are insufficient, ensuring queries are valid PostgreSQL and sanitized. | Not currently enabled |
Beta update project network restrictionsSUPABASE_BETA_UPDATE_PROJECT_NETWORK_RESTRICTIONS | Updates and applies network access restrictions (IPv4/IPv6 CIDR lists) for a Supabase project, which may terminate existing connections not matching the new rules. | Not currently enabled |
Beta upgrade project postgres versionSUPABASE_BETA_UPGRADE_PROJECT_POSTGRES_VERSION | Initiates an asynchronous upgrade of a Supabase project's PostgreSQL database to a specified target_version from a selected release_channel, returning a tracking_id to monitor status; the target_version must be… | Read + write |
Count action runsSUPABASE_COUNT_ACTION_RUNS | Counts the number of action runs for a Supabase project using a HEAD request. | All levels |
Create a projectSUPABASE_CREATE_A_PROJECT | Creates a new Supabase project, requiring a unique name (no dots) within the organization; project creation is asynchronous. | Read + write |
Create bulk secretsSUPABASE_CREATE_BULK_SECRETS | Bulk create secrets for a Supabase project. | Read + write |
Create database branchSUPABASE_CREATE_DATABASE_BRANCH | Creates a new, isolated database branch from an existing Supabase project (identified by ref), useful for setting up separate environments like development or testing, which can optionally be linked to a Git branch. | Read + write |
Create functionSUPABASE_CREATE_FUNCTION | Creates a new serverless Edge Function for a Supabase project (identified by ref), requiring valid JavaScript/TypeScript in body and a project-unique slug identifier. | Read + write |
Create login roleSUPABASE_CREATE_LOGIN_ROLE | Creates a temporary CLI login role for database access with specified permissions; use when setting up CLI authentication for development or administrative tasks. | Read + write |
Create organizationSUPABASE_CREATE_ORGANIZATION | Creates a new Supabase organization, which serves as a top-level container for projects, billing, and team access. | Read + write |
Create project signing keySUPABASE_CREATE_PROJECT_SIGNING_KEY | Create a new signing key for JWT authentication in a Supabase project. | Read + write |
Create sso providerSUPABASE_CREATE_SSO_PROVIDER | Creates a new SAML 2.0 Single Sign-On (SSO) provider for a Supabase project, requiring either metadata_xml or metadata_url for SAML IdP configuration. | Read + write |
Create third party auth integrationSUPABASE_CREATE_THIRD_PARTY_AUTH_INTEGRATION | Call this to add a new third-party authentication method (OIDC or JWKS) to a Supabase project for integrating external identity providers (e.g., for SSO); the API may also support custom_jwks if sent directly. | Read + write |
Delete custom hostname configSUPABASE_DELETE_CUSTOM_HOSTNAME_CONFIG | Deletes an active custom hostname configuration for the project identified by ref, reverting to the default Supabase-provided hostname; this action immediately makes the project inaccessible via the custom domain and… | Not currently enabled |
Delete database branchSUPABASE_DELETE_DATABASE_BRANCH | Permanently and irreversibly deletes a specific, non-default database branch by its branch_id, without affecting other branches. | Not currently enabled |
Delete functionSUPABASE_DELETE_FUNCTION | Permanently deletes a specific Edge Function (by function_slug) from a Supabase project (by ref); this action is irreversible and requires prior existence of both project and function. | Not currently enabled |
Delete login rolesSUPABASE_DELETE_LOGIN_ROLES | [Beta] Deletes existing login roles used by the Supabase CLI for the specified project. | Not currently enabled |
Delete projectSUPABASE_DELETE_PROJECT | Permanently and irreversibly deletes a Supabase project, identified by its unique ref ID, resulting in complete data loss. | Not currently enabled |
Delete project vanity subdomainSUPABASE_DELETE_PROJECT_VANITY_SUBDOMAIN | Permanently and irreversibly deletes an active vanity subdomain configuration for the specified Supabase project, reverting it to its default Supabase URL. | Not currently enabled |
Delete secretsSUPABASE_DELETE_SECRETS | Bulk delete secrets from a Supabase project. | Not currently enabled |
Delete sso providerSUPABASE_DELETE_SSO_PROVIDER | Deletes a specific SSO provider by its ID (provider_id) from a Supabase project (ref), which disables it and returns its details; ensure this action will not inadvertently lock out users. | Not currently enabled |
Deploy functionSUPABASE_DEPLOY_FUNCTION | Deploys Edge Functions to a Supabase project using multipart upload. | Read + write |
Disable preview branchingSUPABASE_DISABLE_PREVIEW_BRANCHING | Disables the preview branching feature for an existing Supabase project, identified by its unique reference ID (ref). | Not currently enabled |
Disable project readonlySUPABASE_DISABLE_PROJECT_READONLY | Temporarily disables a Supabase project's read-only mode for 15 minutes to allow write operations (e.g., for maintenance or critical updates), after which it automatically reverts to read-only. | Read + write |
Exchange oauth tokenSUPABASE_EXCHANGE_OAUTH_TOKEN | (Beta) Implements the OAuth 2.0 token endpoint to exchange an authorization code or refresh token for access/refresh tokens, based on grant_type. | Read + write |
Generate typescript typesSUPABASE_GENERATE_TYPESCRIPT_TYPES | Generates and retrieves TypeScript types from a Supabase project's database; any schemas specified in included_schemas must exist in the project. | All levels |
Gets project s auth configSUPABASE_GETS_PROJECT_S_AUTH_CONFIG | Retrieves the project's complete read-only authentication configuration, detailing all settings (e.g., providers, MFA, email/SMS, JWT, security policies) but excluding sensitive secrets. | All levels |
Gets project s service health statusSUPABASE_GETS_PROJECT_S_SERVICE_HEALTH_STATUS | Retrieves the current health status for a Supabase project, for specified services or all services if the 'services' list is omitted. | All levels |
Get action runSUPABASE_GET_ACTION_RUN | Retrieves the status and details of a specific action run, including its steps, timestamps, and configuration. | All levels |
Get action run logsSUPABASE_GET_ACTION_RUN_LOGS | Retrieves the execution logs for a specific action run by its ID. | All levels |
Get available regionsSUPABASE_GET_AVAILABLE_REGIONS | Get the list of available regions for creating a new Supabase project. | All levels |
Get branchSUPABASE_GET_BRANCH | Retrieves detailed information about a specific database branch by its name and project reference. | All levels |
Get database branch configSUPABASE_GET_DATABASE_BRANCH_CONFIG | Retrieves the read-only configuration and status for a Supabase database branch, typically for monitoring or verifying its settings. | All levels |
Get database metadataSUPABASE_GET_DATABASE_METADATA | Gets database metadata for the given project. | All levels |
Get functionSUPABASE_GET_FUNCTION | Retrieves detailed information, metadata, configuration, and status for a specific Edge Function using its project reference ID and function slug. | All levels |
Get function bodySUPABASE_GET_FUNCTION_BODY | Retrieves the source code (body) for a specified serverless Edge Function using its project reference and function slug; this is a read-only operation that does not execute the function or return runtime logs. | All levels |
Get healthSUPABASE_GET_HEALTH | Check the health status of the Supabase API. | All levels |
Get jit access configSUPABASE_GET_JIT_ACCESS_CONFIG | [Beta] Retrieves the project's just-in-time (JIT) access configuration, including user roles and their expiration settings. | All levels |
Get legacy signing keySUPABASE_GET_LEGACY_SIGNING_KEY | Retrieves the signing key information for the JWT secret imported as signing key for this project. | All levels |
Get migrationSUPABASE_GET_MIGRATION | Retrieves a specific database migration entry from the migration history using its version identifier. | All levels |
Get organizationSUPABASE_GET_ORGANIZATION | Fetches comprehensive details for a specific Supabase organization using its unique slug. | All levels |
Get performance advisorsSUPABASE_GET_PERFORMANCE_ADVISORS | Retrieves project performance advisors for a Supabase project. | All levels |
Get projectSUPABASE_GET_PROJECT | Retrieves detailed information about a specific Supabase project by its unique reference ID. | All levels |
Get project api keySUPABASE_GET_PROJECT_API_KEY | Retrieves details of a specific API key for a Supabase project by its UUID. | All levels |
Get project api keysSUPABASE_GET_PROJECT_API_KEYS | Retrieves all API keys for an existing Supabase project, specified by its unique reference ID (ref); this is a read-only operation. | All levels |
Get project legacy api keysSUPABASE_GET_PROJECT_LEGACY_API_KEYS | Checks whether JWT-based legacy API keys (anon, service_role) are enabled for a Supabase project. | All levels |
Get project logsSUPABASE_GET_PROJECT_LOGS | Retrieves analytics logs for a Supabase project. | All levels |
Get project pgbouncer configSUPABASE_GET_PROJECT_PGBOUNCER_CONFIG | Retrieves the active PgBouncer configuration (PostgreSQL connection pooler) for a Supabase project, used for performance tuning, auditing, or getting the connection string. | All levels |
Get project postgrest configSUPABASE_GET_PROJECT_POSTGREST_CONFIG | Retrieves the PostgREST configuration for a specific Supabase project. | All levels |
Get project postgres configSUPABASE_GET_PROJECT_POSTGRES_CONFIG | Retrieves the current read-only PostgreSQL database configuration for a specified Supabase project's ref, noting that some advanced or security-sensitive details might be omitted from the response. | All levels |
Get project readonly mode statusSUPABASE_GET_PROJECT_READONLY_MODE_STATUS | Retrieves the read-only mode status for a specified Supabase project to check its operational state; this action does not change the read-only state. | All levels |
Get project signing keysSUPABASE_GET_PROJECT_SIGNING_KEYS | List all signing keys for a Supabase project. | All levels |
Get project supavisor configSUPABASE_GET_PROJECT_SUPAVISOR_CONFIG | Retrieves the Supavisor (connection pooler) configuration for a specified Supabase project, identified by its reference ID. | All levels |
Get project upgrade eligibilitySUPABASE_GET_PROJECT_UPGRADE_ELIGIBILITY | Checks a Supabase project's eligibility for an upgrade, verifying compatibility and identifying potential issues; this action does not perform the actual upgrade. | All levels |
Get project upgrade statusSUPABASE_GET_PROJECT_UPGRADE_STATUS | Retrieves the latest status of a Supabase project's database upgrade for monitoring purposes; does not initiate or modify upgrades. | All levels |
Get resumable upload base optionsSUPABASE_GET_RESUMABLE_UPLOAD_BASE_OPTIONS | Handles OPTIONS request for TUS Resumable uploads to discover server capabilities. | All levels |
Get resumable upload optionsSUPABASE_GET_RESUMABLE_UPLOAD_OPTIONS | Handles OPTIONS request for TUS Resumable uploads to discover server capabilities. | All levels |
Get security advisorsSUPABASE_GET_SECURITY_ADVISORS | Retrieves security advisor findings and recommendations for a Supabase project. | All levels |
Get sql snippetSUPABASE_GET_SQL_SNIPPET | Retrieves a specific SQL snippet by its unique identifier. | All levels |
Get sso providerSUPABASE_GET_SSO_PROVIDER | Retrieves the configuration details for a specific Single Sign-On (SSO) provider (e.g., SAML, Google, GitHub, Azure AD), identified by its UUID, within a Supabase project. | All levels |
Get table schemasSUPABASE_GET_TABLE_SCHEMAS | Retrieves column details, types, and constraints for multiple database tables to help debug schema issues and write accurate SQL queries. | All levels |
Handle resumable upload sign optionsSUPABASE_HANDLE_RESUMABLE_UPLOAD_SIGN_OPTIONS | Handles CORS preflight OPTIONS request for TUS resumable upload signing. | All levels |
Handle resumable upload sign options with idSUPABASE_HANDLE_RESUMABLE_UPLOAD_SIGN_OPTIONS_WITH_ID | Handles CORS preflight OPTIONS request for TUS resumable upload signing endpoints. | All levels |
Invoke edge functionSUPABASE_INVOKE_EDGE_FUNCTION | Invoke a deployed Supabase Edge Function over HTTPS. | Not currently enabled |
List all organizationsSUPABASE_LIST_ALL_ORGANIZATIONS | Lists all organizations (ID and name only) associated with the Supabase account, excluding project details within these organizations. | All levels |
List all projectsSUPABASE_LIST_ALL_PROJECTS | Retrieves a list of all Supabase projects, including their ID, name, region, and status, for the authenticated user. | All levels |
List backupsSUPABASE_LIST_BACKUPS | Lists all database backups for a Supabase project, providing details on existing backups but not creating new ones or performing restores; availability may depend on plan and configuration. | All levels |
List bucketsSUPABASE_LIST_BUCKETS | Retrieves a list of all storage buckets for a Supabase project, without returning bucket contents or access policies. | All levels |
List database branchesSUPABASE_LIST_DATABASE_BRANCHES | Lists all database branches for a specified Supabase project, used for isolated development and testing of schema changes; ensure the project reference ID is valid. | All levels |
List functionsSUPABASE_LIST_FUNCTIONS | Lists metadata for all Edge Functions in a Supabase project (specified by 'ref'), excluding function code or logs; the project must exist. | All levels |
List migration historySUPABASE_LIST_MIGRATION_HISTORY | Retrieves the list of applied database migration versions for a Supabase project. | All levels |
List organization membersSUPABASE_LIST_ORGANIZATION_MEMBERS | Retrieves all members of a Supabase organization, identified by its unique slug, including their user ID, username, email, role, and MFA status. | All levels |
List secretsSUPABASE_LIST_SECRETS | Retrieves all secrets for a Supabase project using its reference ID; secret values in the response may be masked. | All levels |
List sql snippetsSUPABASE_LIST_SQL_SNIPPETS | Retrieves a list of SQL snippets for the logged-in user, optionally filtered by a specific Supabase project if project_ref is provided. | All levels |
List sso providersSUPABASE_LIST_SSO_PROVIDERS | Lists all configured Single Sign-On (SSO) providers for a Supabase project, requiring the project reference ID (ref) of an existing project. | All levels |
List tablesSUPABASE_LIST_TABLES | Lists all tables and views in specified database schemas, providing a quick overview of database structure to help identify available tables before fetching detailed schemas. | All levels |
Patch migrationSUPABASE_PATCH_MIGRATION | [Beta] Patches an existing entry in the project's migration history, updating the name or rollback script. | Read + write |
Patch network restrictionsSUPABASE_PATCH_NETWORK_RESTRICTIONS | Updates project's network restrictions by incrementally adding or removing IPv4/IPv6 CIDR blocks. | Read + write |
Push branchSUPABASE_PUSH_BRANCH | Pushes a database branch, applying migrations and changes to the specified branch. | Read + write |
Reset database branchSUPABASE_RESET_DATABASE_BRANCH | Resets an existing Supabase database branch, identified by branch_id, to its initial clean state, irreversibly deleting all its current data and schema changes. | Not currently enabled |
Restore pitr backupSUPABASE_RESTORE_PITR_BACKUP | Restores a Supabase project's database to a specific Unix timestamp using Point-in-Time Recovery (PITR), overwriting the current state; requires a paid plan with PITR and physical backups enabled. | Not currently enabled |
Run read only querySUPABASE_RUN_READ_ONLY_QUERY | [Beta] Run a SQL query as supabase_read_only_user. | All levels |
Select from tableSUPABASE_SELECT_FROM_TABLE | Select rows from a Supabase/PostgREST table. | All levels |
Update a functionSUPABASE_UPDATE_A_FUNCTION | Updates an existing Supabase Edge Function's properties (like name, slug, source code, JWT settings, import map) identified by project ref and function_slug, supporting plain text code or ESZIP for the body. | Read + write |
Update database branch configSUPABASE_UPDATE_DATABASE_BRANCH_CONFIG | Updates the configuration of a Supabase database branch, allowing modification of its name, associated Git branch, reset-on-push behavior, persistence, and status. | Read + write |
Update database passwordSUPABASE_UPDATE_DATABASE_PASSWORD | Updates the database password for a Supabase project. | Read + write |
Update functionsSUPABASE_UPDATE_FUNCTIONS | Bulk update Edge Functions in a Supabase project. | Read + write |
Update jit access configSUPABASE_UPDATE_JIT_ACCESS_CONFIG | [Beta] Update a Supabase project's just-in-time (JIT) access configuration. | Read + write |
Update pgsodium configSUPABASE_UPDATE_PGSODIUM_CONFIG | Critically updates or initializes a Supabase project's pgsodium root encryption key for security setup or key rotation, requiring secure backup of the new key to prevent irreversible data loss. | Not currently enabled |
Update projectSUPABASE_UPDATE_PROJECT | Updates a Supabase project's configuration (currently supports updating the project name). | Read + write |
Update project auth configSUPABASE_UPDATE_PROJECT_AUTH_CONFIG | Update Supabase project Auth configuration via the Management API. | Read + write |
Update project custom hostnameSUPABASE_UPDATE_PROJECT_CUSTOM_HOSTNAME | Updates the custom hostname for a Supabase project, requiring subsequent DNS changes to a user-controlled domain for SSL certificate issuance and domain ownership. | Read + write |
Update project legacy api keysSUPABASE_UPDATE_PROJECT_LEGACY_API_KEYS | Disable or re-enable JWT-based legacy API keys (anon, service_role) for a Supabase project. | Read + write |
Update project postgrest configSUPABASE_UPDATE_PROJECT_POSTGREST_CONFIG | Updates PostgREST configuration settings (e.g., max_rows, db_pool, db_schema, db_extra_search_path) for a Supabase project to fine-tune API performance, data exposure, and database resource usage. | Read + write |
Update project postgres configSUPABASE_UPDATE_PROJECT_POSTGRES_CONFIG | Updates specified PostgreSQL configuration parameters for an existing Supabase project (ref) to optimize database performance; note that unspecified parameters remain unchanged, and caution is advised as incorrect set… | Read + write |
Update project supavisor configSUPABASE_UPDATE_PROJECT_SUPAVISOR_CONFIG | Updates the Supavisor (database pooler) configuration, such as default_pool_size, for an existing Supabase project identified by ref; the pool_mode parameter in the request is deprecated and ignored. | Read + write |
Update ssl enforcement configSUPABASE_UPDATE_SSL_ENFORCEMENT_CONFIG | Updates the SSL enforcement configuration (enable/disable) for a specified Supabase project's database. | Read + write |
Update sso providerSUPABASE_UPDATE_SSO_PROVIDER | Updates an existing SSO provider's SAML metadata, associated email domains, or attribute mappings for a Supabase project, identified by ref and provider_id. | Read + write |
Upsert migrationSUPABASE_UPSERT_MIGRATION | Upsert a database migration without applying it. | Read + write |
Verify custom hostname dnsSUPABASE_VERIFY_CUSTOM_HOSTNAME_DNS | Re-verifies DNS and SSL configurations for an existing custom hostname associated with a Supabase project. | Read + write |
Just ask in plain language: “check Supabase for …”, “create … in Supabase”, “every Monday, … ”, and the agent finds the right tool, runs it, and reports back with a receipt in your Runs ledger. Anything outward-facing (sending, posting, publishing) that a mission didn't clearly authorize comes back to you as a ticket first.
| Agent says | What's happening | Fix |
|---|---|---|
| "Supabase isn't connected" | No active connection (or this agent is denied) | Connect on the Integrations page; check the agent's per-app policy |
| "The connection has expired" | Supabase ended the authorization (they all do periodically) | Click Reconnect on the account, same settings, one click |
| "I'm not allowed to do that" | The action is above the account's access level, or the agent is scoped down | Raise the level under Manage, or adjust that agent's policy |
| It did something unexpected | The ask was ambiguous (e.g. matched an existing item) | Be explicit, "create a NEW …", and give agents a working folder where relevant |