ilshaad

Posted on • Originally published at codelesssync.com

Sync Supabase via OAuth: No Connection String Needed

Sync Supabase via OAuth with Codeless Sync, no full PostgreSQL connection string to paste, no database password on your clipboard. Here's how it works.

By Ilshaad Kheerdali · 25 May 2026


If you want to sync data into Supabase without handing a third-party tool your full PostgreSQL connection string, Supabase OAuth is now the safer default. Almost every "connect your database" form on the internet asks for the same thing: a single connection string with the username, host, port, database name, and password mashed together. You paste it in and hope for the best.

That string is your database. Anyone who reads it has full access: there's no scope, no expiry, and the only way to invalidate it is to rotate the database password (which immediately breaks every other place that string was being used). For most developers it's not a deal-breaker, but it's the part of the setup that tends to feel wrong, especially when the target is a production Supabase project sitting behind everything else you've built.

Codeless Sync now supports a Supabase OAuth flow that skips the full connection string altogether. You sign in to Supabase, pick the project you want to sync into, and paste your database password separately, never alongside the rest of your credentials. This guide walks through why Supabase OAuth matters, how the flow works step by step, and exactly what Codeless Sync can and can't see on your Supabase account.

What's Actually in a Supabase Connection String

A typical Supabase pooler connection string looks like this:

postgresql://postgres.abcxyz123:Sup3r$ecretP4ss@aws-0-eu-west-1.pooler.supabase.com:6543/postgres

That single line bundles:

  • Username — your Postgres role
  • Database password — the one you set when you created the project
  • Pooler host and port — your region's pooler endpoint
  • Database name — usually postgres

Whoever holds that string can run arbitrary SQL against your project. There's no fine-grained scope ("read invoices only"), no per-app permission, no expiry. If it leaks into a log file or a misconfigured screenshot, the only way to invalidate it is to rotate the database password, which immediately breaks everywhere else that string is in use.

For most developers, pasting it into a trusted SaaS isn't the end of the world. But there's a small wince every time you do it, especially when most of the string (host, port, user, database name) is non-sensitive and could be looked up automatically. The password is the only secret bit. The OAuth flow leans into that distinction.

Supabase OAuth vs Connection String: At a Glance

Before walking through the flow, here's how the two paths compare on the things that usually matter when you're deciding which way to connect:

Supabase OAuth (Codeless Sync) vs Manual Connection String:

  • What you paste
    OAuth: database password only
    Manual: full connection string (user + host + port + password)
  • Where credentials come from
    OAuth: Supabase fills host, port, user, database via OAuth
    Manual: you copy and paste every part yourself
  • Project picker
    OAuth: dropdown of your authorised projects
    Manual: none; you build the string per project manually
  • Scope of OAuth grant
    OAuth: read project list + pooler config only
    Manual: N/A
  • Sync-time dependency
    OAuth: none; sync uses the stored connection string, not OAuth tokens
    Manual: none; sync uses the string you pasted
  • Revoke without re-syncing?
    OAuth: yes; revoking the grant doesn't stop existing syncs
    Manual: same; rotate the password to revoke
  • Works with self-hosted?
    OAuth: no; Supabase OAuth is hosted-only
    Manual: yes
  • Best for
    OAuth: hosted Supabase users who want minimal credential surface area
    Manual: self-hosted Supabase or teams that block OAuth apps

Both produce the same end state: an encrypted PostgreSQL connection string Codeless Sync uses to run syncs. The OAuth path just narrows what you have to type and where each piece of the credential comes from.

The OAuth Alternative: What Codeless Sync Pulls from Supabase

Supabase exposes a Management API and an OAuth flow that lets approved third-party apps act on a user's behalf — the same way you'd authorise a GitHub app or a Google Workspace integration. Codeless Sync uses that API to handle everything except the database password.

When you click Connect Supabase, you're redirected to Supabase's authorisation page (not ours). You approve the integration once, against the specific organisation you choose. Supabase returns Codeless Sync to your wizard with a short-lived access token plus a refresh token.

From there, Codeless Sync uses the OAuth token to:

  • Fetch your list of Supabase projects so you can pick one from a dropdown
  • Read the pooler config for that project — region, host, port, pool mode
  • Auto-fill the username and database name from the project's metadata

The one thing the OAuth flow does not give Codeless Sync is your database password. That stays your responsibility, and you paste it into a separate password field — not alongside the rest of the credentials in a single string.

The 3-Step Flow in Practice

Here's what the setup actually looks like from your side once you're in the Codeless Sync project wizard:

1. Click "Connect Supabase". You're sent to Supabase's standard OAuth screen. Sign in if you aren't already, then approve the integration for the organisation you want to grant access to. Supabase shows you exactly what scopes are being requested before you confirm.

2. Pick your project. Codeless Sync now has read access to your project list. You'll see a dropdown of every project in the organisation you authorised. Choose the one you want to sync data into. Pooler host, port, user, database, and pool mode auto-fill from the project's metadata.

3. Paste your database password and connect. This is the only credential you type in. Find it under Project Settings → Database in your Supabase dashboard. Paste it into the password field, click Test & Connect, and Codeless Sync builds, encrypts, and stores the resulting connection string. From here on out, the wizard hands you off to the rest of the configuration flow — picking a provider (Stripe, QuickBooks, Xero, Paddle), auto-creating the destination table, and scheduling syncs. The full step-by-step walkthrough with screenshots lives in the database setup guide.

If you ever switch organisations or revoke access on Supabase's side, the next time you open the wizard Codeless Sync detects the expired token and surfaces a reconnect prompt — no silent failures during setup.

What Codeless Sync Does With the OAuth Access

Honest, point-by-point:

What CLS uses the OAuth token for:

  • Fetching your project list so you can pick one from a dropdown
  • Fetching the pooler configuration for the project you pick (host, port, user, database name, pool mode)

That's it. The OAuth token isn't used during sync runs at all — once your connection string is built and saved, syncs talk to Postgres directly. The OAuth side of the integration is a setup-time convenience, not a sync-time dependency.

How the database password is handled:

  • You paste it into a password field in the wizard
  • The password is combined with the pooler details to form a connection string in your browser, before anything is sent to CLS's API
  • The resulting connection string is then sent over HTTPS to CLS, where it's encrypted at rest
  • The raw password is not stored as a separate field, not logged, and never travels to CLS on its own
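To make the two points above concrete (what the pooler string bundles, and how the wizard can assemble it in the browser from OAuth-supplied metadata plus the typed password), here is an added example. It is not Codeless Sync's code; the pooler values are constructed to match the sample string earlier in the post, and the percent-encoding and redaction helpers are this example's own design.

```javascript
// Added example (not Codeless Sync's code): how a browser-side wizard can
// assemble a Supabase pooler connection string from OAuth-supplied metadata
// plus the user-typed password, parse it back, and redact it before logging.

// Pooler metadata as the OAuth step would pre-fill it. Values are constructed
// to match the sample string earlier in the post.
const poolerConfig = {
  host: 'aws-0-eu-west-1.pooler.supabase.com',
  port: 6543,
  user: 'postgres.abcxyz123',
  database: 'postgres',
};

// Client-side assembly: the password is the only field the user types.
// It is percent-encoded so characters such as '@', ':' or '/' cannot break
// the URL structure or be misread as the host or port (libpq decodes them).
function buildConnectionString(config, password) {
  if (!password) throw new Error('database password is required');
  const user = encodeURIComponent(config.user);
  const pass = encodeURIComponent(password);
  return `postgresql://${user}:${pass}@${config.host}:${config.port}/${config.database}`;
}

// Split a connection string back into its parts. The WHATWG URL parser
// accepts the non-special "postgresql:" scheme, including the userinfo.
function parseConnectionString(connStr) {
  const url = new URL(connStr);
  return {
    user: decodeURIComponent(url.username),
    password: decodeURIComponent(url.password),
    host: url.hostname,
    port: Number(url.port),
    database: url.pathname.replace(/^\//, ''),
  };
}

// Everything except the password is non-sensitive, so a redacted copy is
// safe to show in error messages or logs.
function redactConnectionString(connStr) {
  const p = parseConnectionString(connStr);
  return `postgresql://${encodeURIComponent(p.user)}:[REDACTED]@${p.host}:${p.port}/${p.database}`;
}
```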

Revoking access:

  • Open the authorised applications area of your Supabase dashboard
  • Remove the Codeless Sync integration

There's a useful property of this design worth knowing: revoking the OAuth grant does not stop your existing syncs, because syncs don't depend on the OAuth tokens. To actually stop a sync, you delete the project (or pause the schedule) inside Codeless Sync. To rotate the credential at the database level, you change your Supabase database password — at which point you'd reconnect from the CLS wizard anyway.

In other words: the OAuth grant has a deliberately small blast radius. It's only powerful enough to fetch project metadata so the wizard can pre-fill fields. The actual database access lives in the encrypted connection string, fully under your control.

When the Manual Connection String Is Still the Right Call

OAuth isn't always the better choice. Codeless Sync keeps the manual paste option in the wizard for a few legitimate cases:

  • You don't have admin access to authorise OAuth apps on the Supabase organisation (common in larger teams)
  • Your organisation restricts third-party OAuth integrations as a policy
  • You're using self-hosted Supabase rather than the hosted product (OAuth is hosted-only)
  • You just prefer the manual flow — you already have the connection string saved, and pasting it once is faster than the OAuth roundtrip

If any of those apply, the manual path is identical to what it always was: paste the pooler connection string from Project Settings → Database, replace [YOUR-PASSWORD] with your actual password, hit Test & Connect.

The two flows produce the same end state — an encrypted connection string Codeless Sync uses for syncing. The only difference is how much of the string came from you versus from Supabase.

Getting Stripe, QuickBooks, Xero, or Paddle Data Into Supabase

Once your Supabase project is connected — via OAuth or manual paste — the rest of Codeless Sync works the same way for everyone. Authorise a source provider, pick which records you want, and Codeless Sync auto-creates the table and keeps it in sync on the schedule you choose.

A few worked examples for popular setups:

For the full setup walkthrough, the database setup guide covers both the OAuth and manual paths step by step.

Try the New OAuth Flow

If you've been sat on a Codeless Sync trial because the connection-string step felt off, this is the part of the product that changed. The OAuth flow is live for every Supabase user — no special access, no waitlist.

Start a project: codelesssync.com/stripe-to-supabase

Frequently Asked Questions

What is Supabase OAuth?

Supabase OAuth is an authorisation flow built on Supabase's Management API that lets approved third-party apps act on your behalf — fetching things like your project list and pooler configuration — without you ever pasting a full database connection string. You approve the integration once, against the Supabase organisation of your choice, and the third-party tool (in this case Codeless Sync) gets a short-lived access token and a refresh token. The OAuth grant never includes your database password, which stays your responsibility.

Is OAuth more secure than pasting a connection string?

It reduces the amount of secret material flowing into a third-party tool. The non-sensitive parts of the connection (host, port, user, database name) come from Supabase via OAuth instead of being copy-pasted by you. The only thing you actually type is the database password, and the full connection string is assembled in your browser before being sent to CLS. With a manual paste, the entire string — password included — is on your clipboard and sitting in whatever field you saved it to.

Does Codeless Sync store my database password?

Not as a standalone field. It's combined with the pooler details into a connection string client-side, the assembled string is sent to CLS over HTTPS, and CLS encrypts it at rest before storing it. To rotate the password, you reconnect through the wizard — there's no edit-the-stored-password field.

What permissions does Codeless Sync request from Supabase?

In practice it uses the OAuth grant for two things: listing the projects in the organisation you authorise, and reading the pooler configuration for the project you pick. The exact scopes are shown on Supabase's authorisation screen before you confirm — review them there if you want the canonical list.

Can I revoke Codeless Sync's access later?

Yes — open the authorised applications area of your Supabase dashboard and remove the Codeless Sync integration. Worth knowing: this does not stop your existing syncs, because syncs use the stored connection string rather than the OAuth tokens. To stop a sync, delete the project (or pause its schedule) inside CLS. To kill database access entirely, rotate your Supabase database password.

Does the OAuth flow work with self-hosted Supabase?

No. The OAuth flow uses Supabase's hosted Management API, which isn't available on self-hosted installations. If you're running self-hosted Supabase, use the manual connection string option in the wizard — everything else in the product works identically.

What if I'm not the admin on my Supabase organisation?

You can still use Codeless Sync, but you'll need to either ask an admin to authorise the OAuth app once for the organisation, or use the manual connection string path. The manual path doesn't require any OAuth permissions on the Supabase side.

Can I connect multiple Supabase projects to Codeless Sync?

Yes. One OAuth authorisation gives Codeless Sync access to the project list for that organisation, and you can create separate Codeless Sync projects for each Supabase project you want to sync into. If you have projects across multiple Supabase organisations, authorise each organisation separately.
