{"slug": "your-ai-built-app-works-in-the-builder-but-breaks-on-deploy-with-a-supabase-here", "title": "Your AI-built app works in the builder but breaks on deploy with a Supabase \"permission denied\" error. Here is why, and how to fix it.", "summary": "A developer explains why AI-built apps that work in preview often fail on deploy with a Supabase 'permission denied' error. The root cause is that Row Level Security (RLS) is active but the production request lacks the user's authenticated identity, causing auth.uid() to be null. The fix involves ensuring requests carry the user's session, not disabling RLS or using the service role key in client code.", "body_md": "You built an app in Lovable, Bolt, v0, or Cursor. It worked perfectly in the preview. You deployed it, opened the live URL, and now half the screen is empty or you see something like:\n\n```\npermission denied for table profiles\ncode: 42501\n```\n\nor your data loads as `null`\n\nand the console shows `getUser()`\n\nreturned nothing. The frustrating part is that nothing changed in your code between the working preview and the broken deploy. So what happened?\n\nThis is one of the most common failures we see, and it is not random. AI app builders generate a working front end fast, but they often leave the security boundary between your app and your database half finished. Two things are usually true at once:\n\nRow Level Security (RLS) is on. Supabase enables RLS so a table can only be read or written by the right user. That is correct and you want it. Your policy probably says something like \"a row is visible when `auth.uid() = user_id`\n\n\".\n\nThe request reaching Supabase in production is anonymous. In the builder preview, the request often carried your session, or ran with elevated access, so RLS let it through. In the real deploy, the server is calling Supabase without the logged-in user's identity attached. So `auth.uid()`\n\nis null, the policy does not match, and Supabase correctly refuses with `42501 permission denied`\n\n.\n\nIn plain terms: your security rules are working, but your app is knocking on the door without showing its ID.\n\nBefore changing anything, keep the exact error text. Then check, in order:\n\n`SUPABASE_URL`\n\nand the anon key, produces the same symptom.The real fix is to make the request carry the user's identity, so `auth.uid()`\n\nis populated when RLS checks it. In a Next.js and Supabase app that usually means:\n\n`auth.uid()`\n\nto the row's user column. Do not \"fix\" this by turning RLS off.Then rerun the exact user action that failed and confirm it works against the same Supabase project and domain that broke.\n\nThe tempting shortcut is to disable RLS or to use the service role key in the browser so the error disappears. Please do not. Disabling RLS makes every row in that table readable and writable by anyone on the internet, and putting the service role key in client code hands a stranger full control of your database. The error is annoying, but it is protecting you.\n\nIf you are non-technical and this already reads like another language, that is normal. This is exactly the kind of thing an AI builder cannot finish for you, because it lives in the boundary between auth, the database, and the deploy.\n\nWe run a service for this called Vibe-Code Rescue. You paste the error and get a free, plain-language diagnosis of what is wrong and what it takes to fix. If you want it fixed, it is a flat rate, you pay only after the fix is verified working, and you keep clean code you own. No subscription, no retainer.\n\nFree diagnosis here: [https://rescue.ticassociation.com](https://rescue.ticassociation.com)\n\nA TIC Association creation.", "url": "https://wpnews.pro/news/your-ai-built-app-works-in-the-builder-but-breaks-on-deploy-with-a-supabase-here", "canonical_source": "https://dev.to/toritic/your-ai-built-app-works-in-the-builder-but-breaks-on-deploy-with-a-supabase-permission-denied-45ik", "published_at": "2026-07-13 05:08:10+00:00", "updated_at": "2026-07-13 05:13:46.822561+00:00", "lang": "en", "topics": ["developer-tools", "ai-tools", "ai-products"], "entities": ["Supabase", "Lovable", "Bolt", "v0", "Cursor", "Next.js", "Vibe-Code Rescue", "TIC Association"], "alternates": {"html": "https://wpnews.pro/news/your-ai-built-app-works-in-the-builder-but-breaks-on-deploy-with-a-supabase-here", "markdown": "https://wpnews.pro/news/your-ai-built-app-works-in-the-builder-but-breaks-on-deploy-with-a-supabase-here.md", "text": "https://wpnews.pro/news/your-ai-built-app-works-in-the-builder-but-breaks-on-deploy-with-a-supabase-here.txt", "jsonld": "https://wpnews.pro/news/your-ai-built-app-works-in-the-builder-but-breaks-on-deploy-with-a-supabase-here.jsonld"}}