
Neon RLS Authorize + Supertokens Example (SQL from the Backend)

A demo showcasing the integration of Supertokens for authentication and Neon RLS Authorize for secure backend data access with Drizzle ORM in a NestJS and SolidJS application. This example demonstrates how to use Neon RLS Authorize to enforce row-level security policies when querying your Neon database from the backend.

The Stack

  • NestJS backend for API development
  • SolidJS frontend for a reactive user interface
  • User authentication powered by Supertokens
  • Row-level security using Neon RLS Authorize
  • Database interactions with Drizzle ORM


Prerequisites

  • Neon account with a new project
  • Supertokens account
  • Node.js installed locally

Important: This setup uses localtunnel to expose your local backend API for Neon RLS Authorize configuration. Be aware that your backend will be publicly accessible as long as the tunnel is active. Remember to shut down the tunnel when you are finished.

Local Development Setup

Supertokens Setup

  1. Sign up or log in to your Supertokens dashboard.
  2. Create a new project.
  3. Obtain your Core URI and API Key from the Supertokens dashboard.

Local Installation

  1. Clone the repository:

    git clone
    cd supertokens-nestjs-solidjs-drizzle-neon-rls-authorize
  2. Install dependencies for the frontend, backend and localtunnel:

    npm i && cd backend && npm i && cd ../frontend && npm i && cd ..
  3. Create a .env file in the backend directory with the following variables:

    cp backend/.env.example backend/.env
    DATABASE_URL="" # Leave this empty for now
    DATABASE_AUTHENTICATED_URL="" # Leave this empty for now
  4. Start the services:

    npm run start

    This command will start the frontend, backend, and the localtunnel service.

  5. Copy the JWKS URL:

    • Once the npm run start command is running, a localtunnel URL will be generated and displayed in your terminal, along with the Supertokens JWKS URL.
    • Copy this JWKS URL.
    • Return to the "RLS Authorize" section in your Neon Console (Project Settings).
    • Paste the copied JWKS URL into the "JWKS URL" field when adding a new authentication provider.
    • Follow the steps in the UI to set up the roles for Neon Authorize. You should ignore the schema-related steps if you're following this guide.
    • Note down the connection strings for both the neondb_owner role and the authenticated, passwordless role. You'll need both. The neondb_owner role has full privileges and is used for migrations, while the authenticated role will be used by the application and will have its access restricted by RLS.
  6. Stop the services by pressing Ctrl + C in the terminal.

  7. Update the .env file in the backend directory to include the connection strings:

  8. Apply Database Migrations:

    cd backend
    npm run drizzle:migrate
    cd ..
  9. Start the services again:

    npm run start

    This command will start the frontend, backend, and the localtunnel service.

  10. Open your browser to http://localhost:3000 to see the application running.
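Steps 5 and 7 depend on each connection string landing in the right variable: if they are swapped, the application connects with the full-privilege neondb_owner role instead of the RLS-restricted authenticated role. The check below is an added example, not code from this repository; the function names are hypothetical, the sample hosts and password are constructed, and the mapping of DATABASE_URL to neondb_owner and DATABASE_AUTHENTICATED_URL to authenticated is an assumption based on the variable names.

```javascript
// Added example (not repository code): lint backend/.env so the two roles are not swapped.
// parseEnv and checkRoles are hypothetical names; hosts and passwords below are constructed.

// Parse KEY=value lines; handles quotes and trailing "# ..." comments.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Z0-9_]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^#\s]*))/);
    if (m) env[m[1]] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return env;
}

// Assumed role behind each variable, following the role descriptions in step 5.
const EXPECTED_ROLE = {
  DATABASE_URL: "neondb_owner",               // full privileges, migrations only
  DATABASE_AUTHENTICATED_URL: "authenticated" // application role, restricted by RLS
};

// Returns a list of problems; messages never include the password.
function checkRoles(envText) {
  const env = parseEnv(envText);
  const problems = [];
  for (const [key, role] of Object.entries(EXPECTED_ROLE)) {
    if (!env[key]) { problems.push(`${key} is empty`); continue; }
    let url, user;
    try {
      url = new URL(env[key]);
      user = decodeURIComponent(url.username);
    } catch {
      problems.push(`${key} is not a parseable connection URL`);
      continue;
    }
    if (user !== role) problems.push(`${key} connects as "${user}", expected "${role}"`);
    if (role === "authenticated" && url.password)
      problems.push(`${key} carries a password, but the authenticated role is passwordless`);
  }
  return problems;
}

// Constructed sample values: a correct .env and one with the two strings swapped.
const OWNER = "postgresql://neondb_owner:example-password@ep-example.invalid/neondb";
const APP = "postgresql://authenticated@ep-example.invalid/neondb";
const GOOD_ENV = `DATABASE_URL="${OWNER}"\nDATABASE_AUTHENTICATED_URL="${APP}"\n`;
const SWAPPED_ENV = `DATABASE_URL="${APP}"\nDATABASE_AUTHENTICATED_URL="${OWNER}"\n`;

console.log(checkRoles(GOOD_ENV));
console.log(checkRoles(SWAPPED_ENV));
```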

Important: Production Setup

Note: Before deploying to production, ensure you transition your Supertokens project from development to live in the Supertokens dashboard. This will involve setting up the required DNS records for your domain. Update your environment variables in both the frontend and backend with your production Supertokens configuration.




Contributions are welcome! Please feel free to submit a Pull Request.







