Pre-deploy checklist · 40 checks
Next.js + Supabase Production Debugging Checklist
Run through this before every production deployment. Each item links to the detailed fix when something goes wrong.
Auth redirect checks
- Callback URL is /auth/callback (not /dashboard directly)
- Callback URL added to Supabase Dashboard → Auth → URL Configuration
- All preview + production URLs listed as allowed redirect URLs
- OAuth redirectTo points to /auth/callback?next=...
- Magic link emailRedirectTo points to /auth/callback?next=...
- Email/password sign-in calls router.push() + router.refresh()
Cookie / session checks
Middleware checks
RLS / security checks
- RLS enabled on every public-facing table
- Policies tested as authenticated / anon role — not service_role
- auth.uid() used correctly in row-level policies
- service_role key is server-only — never in NEXT_PUBLIC_
- No infinite recursion: policies do not SELECT the same table they guard
- Storage bucket policies on storage.objects — not just on the bucket
Vercel environment variable checks
- NEXT_PUBLIC_SUPABASE_URL set for correct environment (dev / preview / prod)
- NEXT_PUBLIC_SUPABASE_ANON_KEY set for correct environment
- Server-only vars (SUPABASE_SERVICE_ROLE_KEY) NOT prefixed with NEXT_PUBLIC_
- Env vars scoped correctly: Build + Runtime vs Runtime only
- Supabase connection pooler (port 6543) used — not direct connection — on serverless
Server Components checks
Cache / stale data checks
Realtime checks
Pre-deploy final checks
- npm run build passes locally with the production env vars
- No NEXT_PUBLIC_ variable containing secret keys
- All redirect URLs for all environments listed in Supabase Auth settings
- Database migrations applied to production before deploying
Subscribe for more production fixes
New Next.js + Supabase debugging articles every week. No fluff, no AI spam — only fixes I've verified.