You’ve built your backend on Supabase, an open-source backend-as-a-service platform that provides PostgreSQL databases, real-time subscriptions, and serverless functions. It handles user logins, file storage, and database queries with ease. But now you want to accept Bitcoin or let users log in with their Ethereum wallets. You might assume this requires tearing up your architecture or moving to a specialized Web3 stack. The reality is quite different.
In 2026, adding crypto features to a Supabase-backed app is straightforward. You can implement wallet-based login using native providers, index on-chain transactions into your Postgres tables via webhooks, and process cryptocurrency payments through third-party gateways integrated via Edge Functions. This guide breaks down exactly how to wire these systems together securely.
1. Enabling Web3 Wallet Authentication
The first step for most crypto-native apps is replacing email-and-password logins with wallet signatures. In October 2025, Supabase introduced native support for Web3 Wallet Authentication, a feature allowing users to sign in using Ethereum or Solana wallets without entering passwords. This eliminates the need for custom JWT verification scripts that developers had to write in previous years.
To set this up, navigate to your Supabase project dashboard, go to Authentication, and then select Providers. Enable the "Web3 Wallet" provider. You can configure it specifically for Ethereum or Solana depending on your target audience. For Solana, ensure you are detecting the window.solana object in your frontend code, which is standard for wallets like Phantom. For Ethereum, the system relies on EIP-4361 message signing standards.
- Configure Providers: In the Supabase dashboard, enable the Web3 provider under Authentication settings.
- Frontend Integration: Use the Supabase JavaScript client method
signInWithWeb3. This triggers a signature request in the user's wallet. - Session Management: Once the signature is verified against the domain and timestamp (within a 10-minute window), Supabase issues a standard JSON Web Token (JWT). Your existing Row Level Security (RLS) policies will work immediately because the session structure remains identical to traditional auth.
This approach keeps gas costs at zero for authentication since no on-chain transaction occurs during login. It simply proves ownership of the private key associated with the public address.
2. Indexing On-Chain Data into Postgres
Authenticating users is only half the battle. Often, you need to reflect on-chain activity-such as NFT transfers or token balances-in your application’s UI. Querying blockchain nodes directly from a browser is slow and unreliable. Instead, you should sync this data into your Supabase PostgreSQL database.
The most efficient pattern involves using an indexer service like Moralis Streams or Alchemy Notify to send webhooks to Supabase Edge Functions, serverless code snippets running on Deno that allow you to execute backend logic close to your users. When a specific event happens on-chain-for example, a transfer of USDC to a monitored wallet-the indexer sends a payload to your Edge Function.
| Step | Action | Component |
|---|---|---|
| 1 | User sends tokens to monitored address | Blockchain Network |
| 2 | Indexer detects transaction and formats webhook payload | Moralis / Alchemy |
| 3 | Edge Function receives POST request and validates signature | Supabase Edge Function |
| 4 | Function inserts or updates row in public.transactions |
PostgreSQL Database |
| 5 | Realtime subscription pushes update to connected clients | Supabase Realtime |
Design your schema carefully. Use the wallet address as a primary key or foreign key to link on-chain events to user profiles. Store immutable blockchain data (like transaction hashes) separately from mutable application state (like order status) to maintain data integrity.
3. Processing Crypto Payments via Edge Functions
Supabase itself does not handle cryptocurrency custody or billing. Their invoices are issued in USD and paid via credit card. To accept crypto from your users, you must integrate a payment gateway. Since you cannot store API keys securely in frontend code, all payment logic must live in Edge Functions.
There are two main approaches for accepting payments: Lightning Network for micro-transactions and on-chain stablecoins for larger values.
Lightning Network Integration
For small payments, such as unlocking premium content, the Lightning Network offers near-instant settlement with negligible fees. Services like ZBD (Zebedee) provide APIs that generate invoices. You would create an Edge Function that accepts a payment amount, calls the ZBD API to generate a lnbc1... invoice, and returns this invoice to the frontend. When the user pays, ZBD sends a webhook to another Edge Function, which then updates the user’s access level in your database.
On-Chain Stablecoin Payments
For higher-value transactions, ERC-20 or TRC-20 stablecoins are preferred. Here, a non-custodial gateway becomes essential. A non-custodial model means the payment processor never holds your funds; they simply generate addresses derived from your public keys and notify you when money arrives.
Consider TxNod, a non-custodial multi-chain crypto payment gateway designed for solo founders and indie hackers. Unlike custodial processors that require KYC and hold funds in escrow, TxNod allows you to connect your own hardware wallet (like a Ledger or Trezor) via extended public keys. The gateway derives unique payment addresses for each invoice. When a customer pays, the funds settle directly to your wallet on-chain, bypassing any intermediary balance. This eliminates counterparty risk-if the gateway goes down, your funds are safe because they were never in its custody.
Integrating this involves creating an Edge Function that calls the gateway’s API to create an invoice. The function receives a payment address and QR code data, stores the invoice ID in Supabase, and serves it to the user. A subsequent webhook confirms the payment, triggering your business logic.
4. Securing Your Crypto Integrations
Adding crypto introduces new attack vectors. Never expose private keys or seed phrases in your environment variables. If you use a non-custodial gateway like TxNod, only your extended public keys (xpubs) are stored on the server side. The TypeScript SDK provided by such services often includes local address derivation checks, ensuring the address generated matches what your hardware wallet expects.
For Edge Functions handling webhooks from indexers or payment providers, always verify the HMAC signature included in the request header. This prevents malicious actors from spoofing payment confirmations or transaction events. Supabase Secrets allow you to store these verification keys securely, accessible only to your deployed functions.
5. Best Practices for Schema Design
When blending Web3 data with traditional relational models, clarity is key. Avoid mixing volatile price data with permanent transaction records. Create separate tables for:
- Users: Link
auth.users.id to awallet_addresscolumn. - Transactions: Store hash, block number, sender, receiver, and raw value. Mark these as read-only after insertion.
- Orders/Payments: Track invoice IDs, status (
pending,paid,failed), and fiat equivalent at time of purchase.
Use PostgreSQL’s JSONB columns for storing complex metadata from blockchain events that don’t fit neatly into rigid schemas. This flexibility allows you to adapt to changing contract structures without migrating your entire database.
Does Supabase support crypto payments natively?
No, Supabase does not process cryptocurrency payments. They bill customers in USD via credit cards. To accept crypto, you must integrate third-party payment gateways or build custom flows using Edge Functions and external APIs.
Can I use MetaMask to log in to my Supabase app?
Yes. As of late 2025, Supabase supports native Ethereum wallet authentication. You can use the signInWithWeb3 method in the JavaScript SDK to trigger a signature request in MetaMask, which then creates a standard Supabase session.
What is a non-custodial payment gateway?
A non-custodial gateway generates payment addresses based on your public keys but never holds your funds. Payments settle directly to your personal wallet. Examples include TxNod, which uses hardware wallet integration to ensure merchants retain full control over their assets without KYC requirements.
How do I keep API keys secure in Supabase?
Store sensitive keys like RPC URLs or payment gateway secrets in Supabase Secrets. These are injected into your Edge Functions at runtime and are not exposed to the client-side browser code.
Is it expensive to index blockchain data?
It depends on the volume of transactions. Using webhook-based indexers like Moralis or Alchemy typically charges per stream or event. For low-to-medium traffic apps, this cost is usually minimal compared to running your own node infrastructure.