A small Bash CLI for switching between multiple Supabase CLI login tokens using human-readable aliases.
Under the hood it runs:
supabase login --token <token>The token itself is hidden during normal usage. You select sessions by alias through an interactive selector inspired by supabase link.
Make the script executable:
chmod +x ./supabase-sessionRun it directly:
./supabase-session helpOptional: move it somewhere on your PATH:
mkdir -p ~/.local/bin
cp ./supabase-session ~/.local/bin/supabase-sessionThen make sure ~/.local/bin is in your shell path.
- Bash
- Supabase CLI installed and available as
supabase - One of these token storage backends:
- macOS Keychain via
security, preferred on macOS pass- plaintext fallback, only after explicit confirmation
- macOS Keychain via
Before adding a session, create a Supabase access token from the Supabase dashboard:
- Open the Supabase dashboard in your browser.
- Go to Account preferences.
- Open Access Tokens.
- Click Generate new token.
- Give the token a descriptive name, copy it once, and keep it private.
Paste that token only into the hidden Access token: prompt from supabase-session add. Do not paste access tokens into chat, issues, commits, or logs.
Add your first Supabase session:
supabase-session addYou will be prompted for:
Alias: Client A Production
Access token: sbp_...
The alias is what you will see in the picker. The token is stored in the selected secret backend.
supabase-session useInteractive controls:
↑/k up • ↓/j down • / filter • q quit • Enter select
After selection, the script runs:
supabase login --token <stored-token>supabase-session listExample:
1. Client A Production
2. Personal Sandbox
3. Agency Shared Dev
supabase-session list --verboseExample:
1. Client A Production token: sbp_****abcd
supabase-session renamesupabase-session removeor:
supabase-session rmsupabase-session currentThis shows the last alias selected through supabase-session use.
Metadata is stored at:
~/.config/supabase-session/config.tsv
This file stores non-secret metadata only:
id<TAB>alias<TAB>created_at<TAB>last_used_at<TAB>backend
Tokens are stored separately in a secret backend.
Backend detection order:
SUPABASE_SESSION_SECRET_BACKEND, if set- macOS Keychain on macOS
pass, if installed- plaintext fallback with confirmation
Force a backend:
export SUPABASE_SESSION_SECRET_BACKEND=keychainSupported values:
keychain
pass
plain
Allow plaintext fallback without an interactive confirmation:
export SUPABASE_SESSION_ALLOW_PLAINTEXT=1Use this only in trusted local/dev environments.
- Use descriptive aliases like
Client A Production,Personal Sandbox, orAgency Shared Dev. - Prefer one token per account/context so switching is obvious.
- Use
supabase-session list --verboseif you need to distinguish similar aliases without exposing the full token. - If the selector has many entries, press
/and type part of an alias to filter. - Keep your Supabase access tokens scoped and rotated according to your team’s security policy.
- Do not commit
~/.config/supabase-sessionor plaintext token storage directories.
This repo includes instruction files and a packaged skill so common AI coding tools know how to use supabase-session safely without exposing tokens:
AGENTS.mdfor OpenAI Codex-style agentsCLAUDE.mdfor Claude CodeGEMINI.mdfor Gemini CLIQWEN.mdfor Qwen Code-style agentsCONVENTIONS.mdplus.aider.conf.ymlfor aider.github/copilot-instructions.mdfor GitHub Copilot.cursor/rules/supabase-session.mdcfor Cursor.windsurf/rules/supabase-session.mdfor Windsurfskills/supabase-session-cli/SKILL.mdas the source skilldist/supabase-session-cli.skillas the packaged installable skill
The shared guidance is: list aliases with supabase-session list, switch with supabase-session use, and never paste Supabase access tokens into AI chat.
Install the Supabase CLI or update your shell PATH so supabase is available.
Check with:
supabase --versionIf neither Keychain nor pass is available, the script asks before storing tokens in plaintext.
For better security, install/configure pass or use macOS Keychain.
Remove the config directory:
rm -rf ~/.config/supabase-sessionIf you used plaintext fallback, also remove:
rm -rf ~/.local/share/supabase-sessionIf you used Keychain or pass, remove stored secrets through those tools as needed.