Why does Supabase auth work in Bolt.new but fail in production?

Production failures occur due to callback URL mismatches, CORS configuration, missing environment variables, or cookie domain issues. Bolt's preview environment uses different settings than production deployments.

How do I fix Supabase auth callback URLs?

Go to Supabase Dashboard → Authentication → URL Configuration. Add your production domain to Site URL and Redirect URLs. Include both https:// and www/non-www variations. Update your environment variables with the correct keys.

Why am I getting CORS errors with Supabase?

CORS errors happen when your production domain isn't whitelisted in Supabase. Go to Database → API → CORS origins and add your Vercel/Netlify domain. Also check if Row Level Security policies are blocking requests.

Fix Bolt.new Supabase Auth in Production

The Complete Fix

4 Steps to Fix Production Auth

Follow these in order. Each step fixes a different layer of the auth stack.

Update Supabase Callback URLs

The Problem: Supabase doesn't know your production domain exists, so auth redirects fail or go to the wrong URL.

The Fix:

Go to Supabase Dashboard → Authentication → URL Configuration
Update Site URL to your production domain (e.g., https://yourapp.vercel.app)
Add your domain to Redirect URLs (whitelist)
Include both www and non-www versions if applicable
Add localhost:5173 for local development testing

Example Redirect URLs:


                https://yourapp.vercel.app

                https://yourapp.vercel.app/auth/callback

                http://localhost:5173

                http://localhost:5173/auth/callback

Result: Auth redirects now go to your actual production domain instead of failing.

Configure CORS Origins

The Problem: Browser blocks requests because your production domain isn't whitelisted in Supabase CORS settings.

The Fix:

Go to Supabase Dashboard → Database → API
Scroll to "CORS Origins" section
Add your production domain: https://yourapp.vercel.app
Add localhost for development: http://localhost:5173
Save changes (takes 1-2 minutes to propagate)

Warning: Using * (allow all) in CORS is insecure for production. Always specify exact domains.

Set Production Environment Variables

The Problem: Your deployment platform doesn't have the Supabase keys, or they're pointing to the wrong project.

The Fix:

Add these to your Vercel/Netlify dashboard:


                VITE_SUPABASE_URL=https://yourproject.supabase.co

                VITE_SUPABASE_ANON_KEY=your_anon_key_here

Find these in Supabase Dashboard → Settings → API
Use the anon public key (not the service_role key)
Verify the URL matches your project
Redeploy after adding variables

Result: App can connect to Supabase API from your production domain.

Check Row Level Security (RLS) Policies

The Problem: Database queries return empty results or 403 errors because RLS policies block production requests.

The Fix:

Go to Supabase Dashboard → Database → Tables
Click on your auth/user table
Go to "Policies" tab
Check if RLS is enabled (it should be for security)
Verify policies allow authenticated users to read their own data
Add policies if missing (see example below)

Example RLS Policy:


                CREATE POLICY "Users can read own data"

                ON public.users

                FOR SELECT

                USING (auth.uid() = id);

Note: Disabling RLS "fixes" auth but removes all security. Always use proper policies instead.

Debug Tool

Auth Debug Checklist

Run through this when auth still doesn't work after the 4 steps above.

Quick Diagnostic Steps

Open browser DevTools → Network tab Try to log in and watch for red (failed) requests Check Console for CORS or 400/403 errors Verify the request URL matches your Supabase project Check if auth token is being sent in request headers Test in incognito mode to rule out cache issues

Most Common Error: If you see CORS error or 403 Forbidden, your CORS origins or callback URLs are misconfigured. Go back to Steps 1 & 2.

Supabase Auth Works in
Preview But Breaks in Production?

The Auth Gap

4 Steps to Fix Production Auth

Update Supabase Callback URLs

Configure CORS Origins

Set Production Environment Variables

Check Row Level Security (RLS) Policies

Auth Debug Checklist

Quick Diagnostic Steps

Platform-Specific Notes

Vercel Deployment

Netlify Deployment

Auth Still Broken?

Supabase Auth Works in Preview But Breaks in Production?

The Auth Gap

4 Steps to Fix Production Auth

Update Supabase Callback URLs

Configure CORS Origins

Set Production Environment Variables

Check Row Level Security (RLS) Policies

Auth Debug Checklist

Quick Diagnostic Steps

Platform-Specific Notes

Vercel Deployment

Netlify Deployment

Auth Still Broken?

Supabase Auth Works in
Preview But Breaks in Production?