Database Setup

A²D uses Supabase for PostgreSQL database and authentication. This guide covers both automated and manual setup methods.

Overview

Setting up the database involves:

Creating a Supabase project
Running database migrations
Verifying the setup
Copying API credentials

Time required: ~10-15 minutes

Prerequisites

Before setting up the database, ensure you have:

A Supabase account (sign up at supabase.com)
Supabase CLI installed (for automated setup - optional)
A²D repository cloned and dependencies installed

Step 1: Create Supabase Project

Creating the Project

Go to supabase.com/dashboard
Click “New Project”
Fill in project details:

Name	Type	Description
`Name`required	string	Choose a descriptive name (e.g., `ma2d-production` or `ma2d-dev`)
`Database Password`required	string	Generate a strong password and save it securely in a password manager
`Region`required	string	Choose the region closest to your users for best performance
`Pricing Plan`	string	Free tier is sufficient for development and small production deployments

Click “Create new project”

Project provisioning takes 2-3 minutes. You’ll see a progress indicator.

Step 2: Database Setup Methods

You have two options for setting up the database schema. Choose the method that works best for you:

Option A: Automated Setup (Recommended) ⚡

This method is faster and less error-prone.

1. Install Supabase CLI

If not already installed:

npm install -g supabase

Verify installation:

supabase --version

2. Initialize Supabase

In your A²D project directory:

supabase init

This creates a supabase/ folder with configuration files.

If the supabase/ folder already exists with migrations, you can skip this step.

3. Link to Your Project

Find your project reference in the Supabase dashboard URL:

https://app.supabase.com/project/[your-project-ref]
                                      ^^^^^^^^^^^^^^^^^
                                      This is your project ref

Link your local project:

supabase link --project-ref your-project-ref

You’ll be prompted for:

Database password (entered during project creation)

4. Push Migrations

Run all migrations at once:

supabase db push

What gets created:

11 multi-tenant tables
Row Level Security (RLS) policies
Database functions and triggers
Indexes for performance
Default design rules

The push command runs all .sql files in supabase/migrations/ in chronological order.

Expected output:

Applying migration 20240101000000_initial_schema.sql...
Applying migration 20240101000001_rls_policies.sql...
... (8 more migrations)
Finished supabase db push.

Option B: Manual Setup 📝

If you prefer manual control or can’t use the CLI:

1. Open SQL Editor

Go to your Supabase project dashboard
Navigate to SQL Editor in the left sidebar
Click “New Query”

2. Run Migrations in Order

You MUST run each migration file in chronological order. Running out of order will cause errors.

Copy the contents of each file from supabase/migrations/ and execute them one by one:

Migration Order:

20240101000000_initial_schema.sql - Core tables
20240101000001_rls_policies.sql - Security policies
20240101000002_fix_organization_insert.sql - Organization fixes
20240101000003_fix_user_insert.sql - User fixes
20240101000004_add_agent_cards_and_status.sql - Agent cards
20240125000001_add_user_auto_create_trigger.sql - Auto-create trigger
20240126000001_fix_signup_trigger.sql - Signup trigger fix
20240127000001_remove_signup_trigger.sql - Remove signup trigger
20260127000001_add_mcp_auth.sql - MCP authentication
20260128000001_add_design_rules.sql - Design rules

For each migration:

# Open in your code editor
code supabase/migrations/20240101000000_initial_schema.sql

-- Copy entire SQL file contents
-- Example from initial_schema.sql:
CREATE TABLE organizations (
  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
  name TEXT NOT NULL,
  ...
);

# Paste into Supabase SQL Editor
# Click "Run"
# Wait for "Success" message

Repeat for all 10 migrations in order

Step 3: Database Schema Overview

After successful setup, your database will have these tables:

Core Tables

Name	Type	Description
`organizations`	table	Multi-tenant organizations - parent entity for all data isolation
`users`	table	User profiles linked to organizations via `organization_id`

MCP Server Tables

Name	Type	Description
`mcp_servers`	table	MCP server definitions (name, description, type, config)
`mcp_tools`	table	Tools with input/output schemas and mock scenarios
`mcp_resources`	table	Resources with URIs and mock content
`mcp_resource_templates`	table	Resource templates for dynamic resources
`mcp_prompts`	table	Prompts with argument schemas and templates
`openapi_specs`	table	OpenAPI specifications for import functionality

Agent Card Tables

Name	Type	Description
`agent_cards`	table	Agent-to-Agent interaction cards (A2A protocol)
`agent_skills`	table	Skills associated with agent cards

Compliance Tables

Name	Type	Description
`design_rules`	table	Organization-level design and compliance rules

Database Diagram:

Step 4: Row Level Security (RLS)

All tables implement RLS for automatic multi-tenant data isolation.

How RLS Works

RLS policies filter all database queries based on organization membership: the table organization_members defines which users belong to which organizations (and their role). Helper functions such as get_user_organization_ids() and get_user_org_role(org_id) are used in policies. The app also uses a cookie for the current organization context (which org the UI is scoped to).

Benefits:

Complete isolation: Organizations cannot see each other’s data
Database-enforced: Cannot be bypassed in application code
Automatic filtering: No manual WHERE clauses needed
Defense in depth: Security at the database level

Policies use get_user_organization_ids() (and, where relevant, get_user_org_role()) rather than JWT claims. See Multi-Tenancy for the full RLS design and policy patterns.

Step 5: Verify Installation

After running migrations, verify the setup was successful:

1. Check Tables

Go to Table Editor in Supabase dashboard
Verify all 11 tables are listed:
- organizations
- users
- mcp_servers
- mcp_tools
- mcp_resources
- mcp_resource_templates
- mcp_prompts
- openapi_specs
- agent_cards
- agent_skills
- design_rules

2. Check RLS Policies

Go to Authentication → Policies
Each table should have 4 policies:
- select_own_org - View own organization data
- insert_own_org - Create in own organization
- update_own_org - Update own organization data
- delete_own_org - Delete own organization data

3. Enable Email Authentication

Go to Authentication → Providers
Verify “Email” provider is enabled
(Optional) Customize email templates:
- Settings → Auth → Email Templates

Step 6: Get API Keys

You’ll need these credentials for the next step (Configuration):

Copy API Credentials

Go to Settings → API
Copy these three values:

https://your-project-ref.supabase.co

# Used for database connections

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

# Safe for client-side use
# RLS policies still apply

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

# CRITICAL: Full admin access
# NEVER expose in browser or commit to git

The service_role key has full database access and bypasses RLS. Store it securely in environment variables and never commit it to version control.

Database Connection String

If you need to connect with external tools (psql, database GUIs):

Go to Settings → Database
Find Connection string:

postgresql://postgres:[YOUR-PASSWORD]@db.xxxxx.supabase.co:5432/postgres

Connection Pooling (for serverless):

postgresql://postgres:[YOUR-PASSWORD]@db.xxxxx.supabase.co:6543/postgres?pgbouncer=true

Troubleshooting

Migration fails with “relation already exists”

Cause: Migrations were run partially or out of order

Solution:

Go to Database → Reset database in Supabase dashboard
Confirm reset (WARNING: This deletes all data!)
Run all migrations again in correct order

”permission denied” errors

Cause: RLS policies not applied correctly

Solution:

Verify 20240101000001_rls_policies.sql ran successfully
Check RLS is enabled on tables:
- Table Editor → Select table → RLS toggle should be ON
Re-run RLS policies migration if needed

Can’t connect from application

Cause: Incorrect API keys or project URL

Solution:

Double-check API keys in Supabase Settings → API
Ensure no extra spaces when copying keys
Verify project URL format: https://[ref].supabase.co (no trailing slash)
Test connection in browser - should show Supabase page

Tables missing after setup

Cause: Not all migrations ran successfully

Solution:

Check SQL Editor → History for errors
Identify which migrations failed
Fix errors and re-run failed migrations
Verify each migration shows “Success"

"Database password required” when linking

Cause: CLI can’t access database

Solution:

Ensure you’re using the database password (not account password)
Check project is not paused (free tier auto-pauses after 7 days inactivity)
Wake up project: Settings → General → Unpause project

Security Best Practices

DO ✅

Store service_role key in .env.local (gitignored)
Use anon key in client-side code
Keep database password secure in password manager
Use separate Supabase projects for dev/staging/production
Enable database backups (Pro tier)

DON’T ❌

Commit service_role key to git
Use service_role key in browser/client code
Share keys publicly or in screenshots
Use production credentials in development
Disable RLS policies (breaks multi-tenancy)

Next Steps

Database is ready! Proceed to:

Configuration - Set up environment variables with API keys
Quick Start - Create your first MCP server
Architecture: Multi-Tenancy - Deep dive into RLS

Need Help? See Database Troubleshooting or open an issue.

Configuration Dashboard Overview