Both give you auth, a database, storage, and a typed client. The real difference is where it runs and who owns it: Supabase hosts your backend on its infrastructure; Flarelink provisions the same kind of bundle on your own Cloudflare account and stays out of the request path. This page is an honest side-by-side — including the things Supabase does that Flarelink doesn't (yet).
Not affiliated with Supabase. Facts below reflect each product's documented behaviour as of mid-2026; check the vendors for current specifics.
pgvector, full-text search.| Flarelink | Supabase | |
|---|---|---|
| Database | Cloudflare D1 (SQLite) | PostgreSQL |
| Data access model | Server-first — your server holds the service key. No row-level security yet. | Client-direct queries gated by Postgres row-level security (RLS). |
| Realtime | Not yet — D1 has no changefeed. | Yes — Postgres changes, broadcast, presence. |
| Auth | Email/password, OAuth, magic links, verification. Source-available + verifiable Worker. Sessions in KV. | Email/password, OAuth, magic links, MFA, more providers. Mature. |
| Storage | Cloudflare R2, presigned URLs, zero egress fees. | S3-compatible storage with image transforms. |
| Built in — Cloudflare Email or Resend, editable templates. | Auth emails built in; transactional via your own SMTP/provider. | |
| Functions / compute | You write Cloudflare Workers (no separate abstraction). | Edge Functions (Deno). |
| Vector search | Not yet (Cloudflare Vectorize exists; not wired in). | pgvector. |
| Where it runs | Your Cloudflare account. | Supabase's infrastructure (AWS). Self-hostable (open source). |
| Pricing model | Flat fee + you pay Cloudflare directly. No usage markup, no pause-on-idle. | Free tier (pauses after inactivity), then $25/mo Pro + usage. |
| Lock-in / exit | Cancel and your backend keeps running — nothing to migrate off. | Postgres dump is portable; the platform layer (RLS, realtime, functions) you'd rebuild. |
| Maturity | Young, in beta. Smaller surface, smaller community. | Mature, large community, years in production. |
If any of these are core to your app, Supabase (or another Postgres platform) is the better call today. We don't think pretending otherwise serves anyone.
Supabase lets the browser query the database directly, with Postgres RLS enforcing who can read which rows. Flarelink is server-first: the browser only calls auth.*; database and storage go through your server, which scopes every query to the signed-in user. Safer-by-default for a lot of apps, but a different mental model — and it means no client-direct data fetching yet. Read the architecture →
No subscriptions, presence, or broadcast. D1 has no changefeed, so realtime would be a different mechanism entirely — we won't promise a date. If your app is chat/collab/live-dashboards, that's a real gap.
D1 is SQLite. No extensions, no pgvector, no advanced Postgres types, and SQLite's type affinity differs from Postgres. For most CRUD apps this is a non-issue; for Postgres-heavy workloads it matters.
Supabase has years of production use, a large community, and a deep feature set (MFA, more OAuth providers, image transforms, branching). Flarelink is in beta with a deliberately narrow, polished surface.
Your D1, R2, KV, and auth Worker are in your Cloudflare account. Flarelink holds a scoped token, never a copy of your data. Cancel and everything keeps running.
The auth Worker is source-available with reproducible builds. npx @flarelink/verify proves the bytes running in your account match the published source. Trust page →
A flat fee for the dashboard; Cloudflare bills you directly at its rates. No per-row or egress markup, and no free-tier pause-on-idle. Pricing →
Free during beta. Connect a scoped token and see a working backend in about a minute — and verify the auth Worker yourself.