Supabase Storage Deep Dive — Bucket Design, Signed URLs, Image Transforms, and RLS Supabase Storage is S3-compatible object storage that integrates directly with PostgreSQL Row Level Security. It's not just a file bucket — it handles access control, on-the-fly image transformations, and CDN delivery all in one place. Bucket Design -- Public bucket: anyone can read via URL, no signature needed INSERT INTO storage . buckets ( id , name , public ) VALUES ( 'avatars' , 'avatars' , true ); -- Private bucket: requires a signed URL to read INSERT INTO storage . buckets ( id , name , public ) VALUES ( 'user-documents' , 'user-documents' , false ); Enter fullscreen mode Exit fullscreen mode Rule of thumb : Avatars, OG images → Public (maximize CDN cache efficiency) User uploads, invoices → Private (time-limited signed URLs) Admin-only data → Private + RLS that excludes all users RLS for Storage Objects -- avatars: users upload/delete only their own; anyone reads (public bucket) CREATE POLICY "User can upload own…