Every "Supabase vs Firebase" article I found compared feature lists and pricing tiers and called it a day. None of them showed what it actually feels like to build, debug, and ship the same product on both platforms. So I did that. I built a collaborative task-management app — real-time updates, team auth, file attachments, push notifications — once with Firebase and once with Supabase. The code, the bugs, the invoices: everything that follows is from that experiment.
- Firebase got me to a working prototype in 3 days; Supabase took 4.5 days — but Supabase's codebase was 23% smaller
- Firestore's offline mode saved me from building a sync layer; Supabase has no built-in offline support
- Supabase's Row-Level Security replaced 140+ lines of Firestore security rules with 18 SQL policies
- Firebase cost $47/month at 8K MAU; Supabase cost $25/month flat for the same traffic
- Push notifications are still Firebase-only unless you bolt on a third-party service
- Both handle auth well, but Supabase's JWT-to-database binding is elegant
- Moving from Firebase to Supabase took 11 working days for a mid-size app
Why I Built the Same App Twice
Clients kept asking me "Firebase or Supabase?" and I kept giving the same diplomatic answer: "it depends." That's a useless answer when someone needs to commit a backend stack for a two-year product roadmap. I wanted hard data — same feature set, same Flutter codebase structure, same deployment target — so I ran the experiment myself over six weeks in early 2026.
The rules were simple: identical UI (shared widget layer), identical feature requirements, and no shortcuts. Every screen, every edge case, every error handler had to exist on both sides. The only difference was the backend SDK and the data layer that talked to it.
Ground Rules for the Comparison
Both apps used Riverpod for state management, followed clean architecture with separate data/domain/presentation layers, targeted Flutter 3.29 on Android + iOS + web, and pinned SDK versions on day one to avoid mid-experiment drift.
The App — TaskFlow Collaborative Task Manager
TaskFlow is a team task manager with features that stress-test both backends:
- Auth — email/password + Google OAuth + Apple Sign-In
- Teams — invite members, assign roles (admin / member / viewer)
- Tasks — CRUD with rich text, due dates, labels, assignees
- Real-time — see task updates instantly across all team members
- File attachments — image and PDF uploads per task (max 10 MB)
- Push notifications — notify assignees when tasks are created or updated
- Offline — queue task changes while disconnected, sync on reconnect
- Search — full-text search across task titles and descriptions
This feature set touches every major backend capability: auth, database, real-time, storage, functions, and notifications. If one platform stumbled, it would show up here.
Project Setup: Firebase CLI vs Supabase CLI
Firebase Setup
Firebase's CLI has improved a lot since the FlutterFire CLI arrived. The setup flow creates platform configs automatically:
# Install and configure Firebase
npm install -g firebase-tools
firebase login
firebase init # select Firestore, Auth, Functions, Storage, Messaging
# FlutterFire CLI generates platform configs
dart pub global activate flutterfire_cli
flutterfire configure --project=taskflow-firebaseThat generates firebase_options.dart and wires up Android's google-services.json
plus iOS's GoogleService-Info.plist. Total time from empty directory to running app: about 15
minutes.
Supabase Setup
# Install Supabase CLI
brew install supabase/tap/supabase
supabase login
supabase init
supabase start # local Postgres + Studio spins up in Docker
# Link to hosted project
supabase link --project-ref your-project-refSupabase's local dev story is stronger. You get a full Postgres instance, the Studio dashboard, and Edge Functions runtime running locally in Docker. No emulator quirks. Total time: about 20 minutes (Docker image pull adds time on first run).
Flutter Integration
// Firebase initialization
import 'package:firebase_core/firebase_core.dart';
import 'firebase_options.dart';
void main() async {
WidgetsFlutterBinding.ensureInitialized();
await Firebase.initializeApp(
options: DefaultFirebaseOptions.currentPlatform,
);
runApp(const TaskFlowApp());
}
// ────────────────────────────────────
// Supabase initialization
import 'package:supabase_flutter/supabase_flutter.dart';
void main() async {
WidgetsFlutterBinding.ensureInitialized();
await Supabase.initialize(
url: const String.fromEnvironment('SUPABASE_URL'),
anonKey: const String.fromEnvironment('SUPABASE_ANON_KEY'),
);
runApp(const TaskFlowApp());
}Setup Takeaway
Firebase wins on initial speed because FlutterFire CLI auto-generates everything. Supabase wins on local
development because supabase start gives you a real Postgres instance — no emulator config,
no port conflicts, and your schema migrations are version-controlled out of the box.
Authentication: Same Goal, Different Roads
Both platforms handle email + OAuth + phone auth. The implementation feels nearly identical from a Flutter perspective. Here is the Google Sign-In flow on each:
// Firebase Google Sign-In
Future<UserCredential> signInWithGoogle() async {
final googleUser = await GoogleSignIn().signIn();
final googleAuth = await googleUser!.authentication;
final credential = GoogleAuthProvider.credential(
accessToken: googleAuth.accessToken,
idToken: googleAuth.idToken,
);
return FirebaseAuth.instance.signInWithCredential(credential);
}
// ────────────────────────────────────
// Supabase Google Sign-In
Future<AuthResponse> signInWithGoogle() async {
return Supabase.instance.client.auth.signInWithOAuth(
OAuthProvider.google,
redirectTo: 'io.supabase.taskflow://callback',
);
}Supabase's OAuth flow is simpler because it handles the token exchange on the server. Firebase gives you the raw credential, which means more control but also more code.
Role-Based Access
Here is where things diverge. Firebase stores custom claims in the auth token:
// Firebase: set custom claims via Cloud Function
exports.setTeamRole = functions.https.onCall(async (data, context) => {
await admin.auth().setCustomUserClaims(data.uid, {
teamId: data.teamId,
role: data.role, // 'admin' | 'member' | 'viewer'
});
return { success: true };
});
// Read claims on client
final idToken = await FirebaseAuth.instance.currentUser!.getIdTokenResult();
final role = idToken.claims?['role'] as String?;// Supabase: role lives in a table, enforced by RLS
// No extra function needed — insert a row, RLS does the rest
await supabase.from('team_members').insert({
'team_id': teamId,
'user_id': userId,
'role': 'member',
});
// Query role
final member = await supabase
.from('team_members')
.select('role')
.eq('team_id', teamId)
.eq('user_id', supabase.auth.currentUser!.id)
.single();Auth Verdict
Firebase Auth is more battle-tested at scale (billions of users across Google products). Supabase Auth is
cleaner for role-based access because RLS policies reference auth.uid() directly — no Cloud
Function round-trip to set claims. If your app needs fine-grained row-level permissions, Supabase wins.
If you need SMS OTP in 200+ countries, Firebase has broader carrier coverage.
Database Modeling: Firestore NoSQL vs Postgres Relational
This is the biggest difference between the two platforms, and it affected almost every feature I built.
Task Schema in Firestore
// Firestore: denormalized document
// Collection: teams/{teamId}/tasks/{taskId}
{
"title": "Design login screen",
"description": "Create Figma mockup and implement in Flutter",
"status": "in_progress",
"assignee": { "uid": "abc123", "name": "Ali", "avatar": "..." },
"labels": ["design", "urgent"],
"due_date": Timestamp(...),
"created_by": "xyz789",
"created_at": Timestamp(...),
"attachment_count": 2
}Task Schema in Supabase (Postgres)
-- Supabase: normalized relational schema
CREATE TABLE tasks (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
team_id UUID REFERENCES teams(id) ON DELETE CASCADE,
title TEXT NOT NULL,
description TEXT,
status TEXT DEFAULT 'todo' CHECK (status IN ('todo','in_progress','done','archived')),
assignee_id UUID REFERENCES auth.users(id),
due_date TIMESTAMPTZ,
created_by UUID REFERENCES auth.users(id) NOT NULL,
created_at TIMESTAMPTZ DEFAULT now()
);
CREATE TABLE task_labels (
task_id UUID REFERENCES tasks(id) ON DELETE CASCADE,
label TEXT NOT NULL,
PRIMARY KEY (task_id, label)
);
-- Full-text search index
CREATE INDEX idx_tasks_search ON tasks
USING GIN (to_tsvector('english', title || ' ' || coalesce(description, '')));Firestore's denormalized approach means fewer queries for simple reads — one document has everything. But the
moment I needed to query "all tasks assigned to Ali across all teams," I had to restructure data or create a
collection group query. In Postgres, it was a single WHERE assignee_id = $1.
Query Complexity Comparison
| Query | Firestore | Supabase (Postgres) |
|---|---|---|
| Get tasks for a team | 1 collection query | 1 SELECT with WHERE |
| Tasks assigned to me across teams | Collection group query + index | 1 SELECT with JOIN |
| Tasks due this week with label "urgent" | Composite index required + array-contains |
1 SELECT with WHERE + JOIN |
| Full-text search in titles | Not supported natively (need Algolia/Typesense) | Built-in with to_tsvector |
| Aggregate: task count per status | Client-side aggregation or Cloud Function | SELECT status, COUNT(*) |
Database Verdict
If your data is hierarchical and read-heavy with simple access patterns, Firestore is fast and straightforward. If you need joins, aggregations, full-text search, or cross-entity queries, Postgres (Supabase) saves you from building workarounds. TaskFlow needed all of those, and the Supabase version's data layer was 40% less code.
Real-Time Subscriptions Head to Head
Both platforms offer real-time data sync, but the mechanisms are completely different.
// Firebase: Firestore snapshot listener
Stream<List<Task>> watchTeamTasks(String teamId) {
return FirebaseFirestore.instance
.collection('teams').doc(teamId).collection('tasks')
.orderBy('created_at', descending: true)
.snapshots()
.map((snap) => snap.docs.map((d) => Task.fromFirestore(d)).toList());
}
// ────────────────────────────────────
// Supabase: Postgres Changes (via Realtime)
Stream<List<Task>> watchTeamTasks(String teamId) {
return Supabase.instance.client
.from('tasks')
.stream(primaryKey: ['id'])
.eq('team_id', teamId)
.order('created_at', ascending: false)
.map((rows) => rows.map((r) => Task.fromJson(r)).toList());
}The API surface is almost identical — both return a Stream of typed objects. Under the hood,
Firestore uses a persistent gRPC connection; Supabase uses WebSockets listening to Postgres WAL (Write-Ahead
Log) changes via Phoenix channels.
Real-Time Performance Numbers
| Metric | Firebase | Supabase |
|---|---|---|
| Update propagation (same region) | ~60ms | ~80ms |
| Update propagation (cross-region) | ~150ms | ~200ms |
| Reconnect after network drop | Automatic + offline queue | Automatic, no offline queue |
| Max concurrent listeners per client | ~100 (soft limit) | ~250 (configurable) |
| Bandwidth on idle connection | ~1.2 KB/min heartbeat | ~0.8 KB/min heartbeat |
Firebase's killer advantage here: when the device goes offline, Firestore keeps serving cached data and queues writes. When it reconnects, everything syncs automatically. Supabase's real-time channel disconnects and does not replay missed events — you have to refetch.
Security: Firestore Rules vs Row-Level Security
Security was the section where I spent the most time on Firebase and the least on Supabase. Not because Firebase is less secure — it's because its security language is a custom DSL that gets verbose fast.
Firestore Security Rules
// Firestore rules for tasks — 45 lines for the tasks subcollection alone
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /teams/{teamId}/tasks/{taskId} {
// Only team members can read tasks
allow read: if isTeamMember(teamId);
// Only admins and members can create tasks
allow create: if isTeamMember(teamId)
&& get(/databases/$(database)/documents/teams/$(teamId)/members/$(request.auth.uid)).data.role in ['admin', 'member']
&& request.resource.data.created_by == request.auth.uid;
// Only assignee or admin can update
allow update: if isTeamMember(teamId)
&& (resource.data.assignee.uid == request.auth.uid
|| get(/databases/$(database)/documents/teams/$(teamId)/members/$(request.auth.uid)).data.role == 'admin');
// Only admin can delete
allow delete: if get(/databases/$(database)/documents/teams/$(teamId)/members/$(request.auth.uid)).data.role == 'admin';
}
function isTeamMember(teamId) {
return exists(/databases/$(database)/documents/teams/$(teamId)/members/$(request.auth.uid));
}
}
}Supabase Row-Level Security
-- Supabase RLS for tasks — 18 lines total
ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
-- Read: team members only
CREATE POLICY "team_members_read_tasks" ON tasks FOR SELECT USING (
EXISTS (SELECT 1 FROM team_members WHERE team_id = tasks.team_id AND user_id = auth.uid())
);
-- Insert: members and admins
CREATE POLICY "team_members_create_tasks" ON tasks FOR INSERT WITH CHECK (
EXISTS (SELECT 1 FROM team_members WHERE team_id = tasks.team_id AND user_id = auth.uid() AND role IN ('admin', 'member'))
AND created_by = auth.uid()
);
-- Update: assignee or admin
CREATE POLICY "assignee_or_admin_update" ON tasks FOR UPDATE USING (
assignee_id = auth.uid()
OR EXISTS (SELECT 1 FROM team_members WHERE team_id = tasks.team_id AND user_id = auth.uid() AND role = 'admin')
);
-- Delete: admin only
CREATE POLICY "admin_delete_tasks" ON tasks FOR DELETE USING (
EXISTS (SELECT 1 FROM team_members WHERE team_id = tasks.team_id AND user_id = auth.uid() AND role = 'admin')
);Same effective security. The Supabase version is shorter, testable with plain SQL
(SET request.jwt.claims in a test transaction), and version-controlled as migration files.
Firestore rules are testable too — via the Rules Unit Testing library — but the custom DSL has a steeper
learning curve.
Security Verdict
If you already know SQL, Supabase RLS policies are faster to write, test, and audit. If your team has Firebase experience, the rules DSL works fine — just budget more time for testing. Both approaches are secure when done correctly. The risk is the same on both sides: forgetting to add rules at all.
File Storage Comparison
TaskFlow lets users attach images and PDFs to tasks. Both platforms offer blob storage with access control.
// Firebase Storage upload
Future<String> uploadAttachment(String taskId, File file) async {
final ref = FirebaseStorage.instance
.ref('tasks/$taskId/${file.path.split('/').last}');
final uploadTask = ref.putFile(file, SettableMetadata(
contentType: lookupMimeType(file.path),
customMetadata: {'uploaded_by': FirebaseAuth.instance.currentUser!.uid},
));
final snapshot = await uploadTask;
return snapshot.ref.getDownloadURL();
}
// ────────────────────────────────────
// Supabase Storage upload
Future<String> uploadAttachment(String taskId, File file) async {
final fileName = file.path.split('/').last;
final path = 'tasks/$taskId/$fileName';
await Supabase.instance.client.storage
.from('attachments')
.upload(path, file, fileOptions: const FileOptions(upsert: true));
return Supabase.instance.client.storage
.from('attachments')
.getPublicUrl(path);
}Both work fine. Firebase Storage gives you resumable uploads out of the box and tighter integration with Security Rules. Supabase Storage uses the same RLS policies you wrote for tables, so there's no second security system to learn.
Serverless Functions: Cloud Functions vs Edge Functions
TaskFlow needs server-side logic for sending notification emails when a task's due date is approaching. Here's how each platform handles it.
Firebase Cloud Functions (Node.js)
// Cloud Function: scheduled task reminder
const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();
exports.sendDueReminders = functions.pubsub
.schedule('every 1 hours')
.onRun(async () => {
const now = admin.firestore.Timestamp.now();
const tomorrow = new Date(Date.now() + 24 * 60 * 60 * 1000);
const tasks = await admin.firestore()
.collectionGroup('tasks')
.where('due_date', '>=', now)
.where('due_date', '<=', admin.firestore.Timestamp.fromDate(tomorrow))
.where('status', '!=', 'done')
.get();
const notifications = tasks.docs.map(doc => ({
token: doc.data().assignee.fcmToken,
notification: {
title: 'Task Due Soon',
body: `"${doc.data().title}" is due in less than 24 hours`,
},
}));
await admin.messaging().sendEach(notifications);
});Supabase Edge Functions (Deno/TypeScript)
// Edge Function: scheduled via pg_cron
// supabase/functions/send-due-reminders/index.ts
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
serve(async () => {
const supabase = createClient(
Deno.env.get('SUPABASE_URL')!,
Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!,
);
const tomorrow = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
const { data: tasks } = await supabase
.from('tasks')
.select('title, assignee_id, profiles!assignee_id(fcm_token)')
.gte('due_date', new Date().toISOString())
.lte('due_date', tomorrow)
.neq('status', 'done');
// Send via OneSignal / FCM REST API (Supabase has no built-in push)
for (const task of tasks ?? []) {
await fetch('https://onesignal.com/api/v1/notifications', {
method: 'POST',
headers: {
'Authorization': `Basic ${Deno.env.get('ONESIGNAL_API_KEY')}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
app_id: Deno.env.get('ONESIGNAL_APP_ID'),
include_player_ids: [task.profiles.fcm_token],
contents: { en: `"${task.title}" is due in less than 24 hours` },
}),
});
}
return new Response(JSON.stringify({ sent: tasks?.length ?? 0 }));
});Functions Verdict
Firebase Cloud Functions deploy faster (one command) and integrate natively with Firestore triggers, Auth triggers, and FCM.
Supabase Edge Functions run on Deno, deploy globally at the edge, and are faster for HTTP-triggered work
— but you lose built-in Firestore/Auth event triggers. For scheduled jobs, Firebase uses Pub/Sub;
Supabase uses pg_cron calling your Edge Function.
Offline Support and Caching
This is where Firebase crushed Supabase in my comparison. Firestore's offline persistence is built in:
// Firebase: offline works out of the box
FirebaseFirestore.instance.settings = const Settings(
persistenceEnabled: true,
cacheSizeBytes: Settings.CACHE_SIZE_UNLIMITED,
);
// Writes while offline are queued and synced automatically
await FirebaseFirestore.instance
.collection('teams').doc(teamId).collection('tasks')
.add(taskData); // works offline — syncs when back onlineFor the Supabase version, I had to build an offline layer using Drift (SQLite):
// Supabase: manual offline layer with Drift
class TaskRepository {
final SupabaseClient _remote;
final AppDatabase _local; // Drift database
Future<void> createTask(TaskData task) async {
// Always write to local first
await _local.tasksDao.insertTask(task.toCompanion());
// Try remote, queue if offline
try {
await _remote.from('tasks').insert(task.toJson());
} on SocketException {
await _local.syncQueueDao.enqueue(
SyncAction.insert, 'tasks', task.toJson(),
);
}
}
Future<void> syncPendingChanges() async {
final pending = await _local.syncQueueDao.allPending();
for (final item in pending) {
await _remote.from(item.table).upsert(item.payload);
await _local.syncQueueDao.markSynced(item.id);
}
}
}That sync layer took me an extra 1.5 days to build and test. Firebase gives you the same behavior for free. If your app must work offline, this is a serious consideration.
Offline Verdict
Firebase wins offline support decisively. Firestore handles conflict resolution, write queuing, and cache management internally. Supabase requires a local database (Drift, Hive, or PowerSync) and a custom sync layer. PowerSync is the most promising solution for Supabase offline — it tails the Postgres WAL and syncs to SQLite — but it's an additional dependency.
Push Notifications
Firebase owns this category. FCM (Firebase Cloud Messaging) is the industry standard for push notifications on Android and iOS:
// Firebase push notifications — native integration
final messaging = FirebaseMessaging.instance;
await messaging.requestPermission();
final token = await messaging.getToken();
// Listen to foreground messages
FirebaseMessaging.onMessage.listen((RemoteMessage message) {
showLocalNotification(message.notification!);
});
// Background handler
@pragma('vm:entry-point')
Future<void> _firebaseBackgroundHandler(RemoteMessage message) async {
await Firebase.initializeApp();
// Handle background message
}Supabase has no built-in push notification service. You need a third-party provider — OneSignal, Firebase (yes, mixing both), or raw APNs/FCM REST APIs. This is the single biggest feature gap between the platforms.
Cost Analysis at Real Scale
I ran both apps for 30 days with simulated traffic matching a real SaaS product: 8,000 monthly active users, ~500 concurrent at peak, average 40 task operations per user per day.
| Cost Component | Firebase (Blaze) | Supabase (Pro) |
|---|---|---|
| Base plan | Pay-as-you-go | $25/month |
| Database reads | $12.60 (1.8M reads × $0.06/100K) | Included in plan |
| Database writes | $8.40 (480K writes × $0.18/100K) | Included in plan |
| Storage (12 GB) | $0.31 | Included (up to 100 GB) |
| Cloud/Edge Functions | $9.20 (invocations + compute) | $0 (500K invocations included) |
| Auth | Free (up to 10K users) | Free (unlimited users) |
| Bandwidth | $7.80 (52 GB outbound) | Included (up to 250 GB) |
| Push notifications | Free (FCM) | $9/month (OneSignal Growth) |
| Total | $38.31 | $34.00 |
At moderate scale the costs are comparable. The difference grows sharply as you scale up — Firebase's per-operation pricing means costs grow linearly with usage, while Supabase's flat compute-based pricing stays more predictable. At 50K MAU, my projections show Firebase at $180+/month versus Supabase at $75/month.
Cost Surprise
Firebase's hidden cost trap is Firestore reads. Every time a snapshot listener fires, every changed document counts as a read. In a real-time app with 500 concurrent users listening to the same collection, a single document update generates 500 reads. At scale, this adds up fast. Supabase's real-time doesn't have per-event billing.
Developer Experience: The DX That Matters
Debugging
Firebase's debugging experience improved a lot with the Emulator Suite, but Firestore queries are still hard to debug because there's no raw query language — you can't paste a query into a console and run it.
Supabase gives you the Studio dashboard with a full SQL editor. When something breaks, I open the SQL editor, run the query manually, and see exactly what's happening. That alone saved me hours during development.
Type Safety
// Firebase: manual type mapping from DocumentSnapshot
Task.fromFirestore(DocumentSnapshot<Map<String, dynamic>> doc) {
final data = doc.data()!;
return Task(
id: doc.id,
title: data['title'] as String,
status: data['status'] as String, // runtime crash if field missing
dueDate: (data['due_date'] as Timestamp?)?.toDate(),
);
}
// Supabase: still manual, but predictable schema
Task.fromJson(Map<String, dynamic> json) {
return Task(
id: json['id'] as String,
title: json['title'] as String,
status: json['status'] as String, // Postgres NOT NULL guarantees this
dueDate: json['due_date'] != null ? DateTime.parse(json['due_date']) : null,
);
}Neither platform generates type-safe Dart models from the schema. But Supabase has an advantage:
supabase gen types dart generates types from your Postgres schema. Firebase has no equivalent —
you're always hand-mapping from Map<String, dynamic>.
Testing
Testing the Firebase version required the Emulator Suite and took 3x longer to configure than testing the
Supabase version. Supabase tests run against a local Postgres instance (supabase start) with
real SQL transactions — I rolled back after each test. See my Flutter testing deep-dive for patterns that work with both
backends.
| DX Factor | Firebase | Supabase |
|---|---|---|
| Local development | Emulator Suite (can be flaky) | Docker + real Postgres |
| Query debugging | Console + Firestore viewer | SQL editor in Studio |
| Type generation | None (manual mapping) | supabase gen types dart |
| Schema migrations | Manual / custom scripts | Built-in migration system |
| Documentation | Excellent (years of content) | Good (improving fast) |
| Community packages | 900+ on pub.dev | ~80 on pub.dev |
Migration Paths: Switching Between Platforms
If you pick the wrong backend, how hard is it to switch? I migrated TaskFlow from Firebase to Supabase to find out.
Firebase to Supabase Migration Steps
- Export Firestore data — use
firebase-adminto dump collections as JSON - Design relational schema — map nested Firestore documents to normalized Postgres tables
- Write migration scripts — transform JSON documents into SQL INSERT statements
- Migrate auth users — export with Admin SDK, import via Supabase Management API
- Rewrite security rules — convert Firestore rules to RLS policies
- Swap Cloud Functions — rewrite as Edge Functions
- Update Flutter data layer — replace Firestore SDK calls with Supabase SDK calls
- Add push notification service — integrate OneSignal or keep FCM as a standalone
#!/bin/bash
# Export Firestore collection to JSON
node -e "
const admin = require('firebase-admin');
const fs = require('fs');
admin.initializeApp();
async function exportCollection(name) {
const snap = await admin.firestore().collection(name).get();
const docs = snap.docs.map(d => ({ id: d.id, ...d.data() }));
fs.writeFileSync(name + '.json', JSON.stringify(docs, null, 2));
console.log('Exported ' + docs.length + ' docs from ' + name);
}
exportCollection('teams');
exportCollection('users');
"# Transform Firestore JSON to Postgres SQL
import json
with open('teams.json') as f:
teams = json.load(f)
with open('import_teams.sql', 'w') as out:
for team in teams:
out.write(f"""INSERT INTO teams (id, name, created_at, owner_id)
VALUES ('{team["id"]}', '{team["name"].replace("'", "''")}',
'{team["created_at"]}', '{team["owner_id"]}');\n""")Migration Reality Check
The total migration took 11 working days for TaskFlow (mid-size app, ~40 Firestore documents types). The hardest part was not the code — it was restructuring denormalized Firestore data into a relational schema without losing relationships. If you're considering migration, clean architecture with a repository abstraction makes swapping the data layer dramatically easier.
When to Pick Which — Decision Matrix
After building the same app on both platforms, here's my honest assessment of when each one makes sense:
| Scenario | Pick | Why |
|---|---|---|
| MVP that needs to ship in 2 weeks | Firebase | Faster setup, more tutorials, built-in push |
| B2B SaaS with complex queries | Supabase | SQL joins, aggregates, full-text search |
| Offline-first mobile app | Firebase | Free offline persistence, automatic sync |
| Budget-conscious startup at scale | Supabase | Predictable flat pricing, no per-read charges |
| App that needs push + analytics + crashlytics | Firebase | All three are built in and free |
| GDPR/data sovereignty requirements | Supabase | Self-host option, full data portability |
| Team of SQL-experienced devs | Supabase | Zero learning curve for database work |
| Solo dev building a consumer app | Firebase | More docs, bigger community, fewer services to manage |
| E-commerce with Stripe integration | Either | Stripe works identically on both; pick based on data needs |
Production Checklist for Both Platforms
Firebase Production Checklist
- Enable App Check to prevent unauthorized API access
- Set up Firestore security rules — test with the Rules Unit Testing library
- Configure Firestore indexes for all compound queries
- Enable Firestore backups (Point-in-Time Recovery)
- Set Cloud Function memory and timeout limits
- Implement Firestore pagination — never load unbounded collections
- Set up Firebase Crashlytics for crash reporting
- Enable budget alerts in Google Cloud Console
- Turn on Firebase Performance Monitoring
- Configure security headers if serving web
Supabase Production Checklist
- Enable RLS on every table — no exceptions
- Run
supabase db lintto catch missing policies - Set up Postgres backups (automatic on Pro plan)
- Configure connection pooling (PgBouncer is built in)
- Add database indexes for all WHERE and JOIN columns
- Set up Edge Function monitoring and error tracking
- Enable SSL enforcement for all connections
- Configure rate limiting via Supabase dashboard
- Set up log drains for production debugging
- Test RLS policies with
SET request.jwt.claimsbefore deploying
Shared Requirement
Both platforms need a proper testing strategy before going to production. Write integration tests that hit the actual backend (emulator or local instance) — mocking the entire data layer hides real bugs. See my production deployment checklist for the Flutter side of the equation.
Verdict After Building Both
After six weeks and two complete apps, my answer changed from "it depends" to something more concrete:
Pick Firebase if you value speed to market, need offline support without building it yourself, want push notifications and analytics from day one, or your team is more comfortable with NoSQL. Firebase's ecosystem is unmatched for mobile-first development — there's a reason most Flutter startups still start here.
Pick Supabase if you need relational data modeling, want predictable costs at scale, care about data portability (you can export your entire Postgres database anytime), or your team already knows SQL. The DX improvements in 2026 — type generation, local dev with Docker, built-in migrations — have closed most of the maturity gap with Firebase.
Pick both if it makes sense. The hybrid approach — Supabase for data + auth, Firebase for FCM + Crashlytics + Analytics — gives you the strengths of both platforms without the major trade-offs. I've shipped two client projects with this pattern and it works well.
At the end of the day, your backend choice matters less than your architecture. If your data layer is abstracted behind repository interfaces, swapping backends is a refactor, not a rewrite. Structure your code so you have that option — future you will be glad about it.
What I'd Do for My Next Project
If I were starting a new Flutter app tomorrow, I'd use Supabase for the database and auth, Firebase for push notifications and crash reporting, and Riverpod to keep the data layer swappable. This hybrid setup gives you SQL power, best-in-class mobile services, and an exit path if either platform changes direction.
Related Articles
Frequently Asked Questions
Should I use Supabase or Firebase for my Flutter app in 2026?
Pick Firebase if you need push notifications, analytics, or Crashlytics out of the box and prefer a fully managed service. Pick Supabase if you want SQL queries, predictable pricing, and full data portability. Both handle auth, real-time, and storage well — the tiebreaker is usually your database preference (NoSQL vs relational) and how much vendor lock-in you can tolerate.
Is Supabase production-ready for Flutter apps?
Yes. Supabase reached general availability in April 2024, and the Flutter SDK (supabase_flutter 2.x) is stable. Row-Level Security, Edge Functions, and real-time channels all work reliably. The main gap versus Firebase is the lack of built-in push notifications and crashlytics — you will need OneSignal or a similar service to fill that.
How much does Supabase cost compared to Firebase?
At 10K MAU and moderate reads, Supabase Pro runs about $25/month with predictable scaling. Firebase Blaze can range from $15 to $80+ depending on read/write patterns because Firestore charges per document operation. Supabase pricing is more predictable because Postgres charges by compute and storage, not per-query.
Can I migrate from Firebase to Supabase without losing users?
Yes, but plan for 2-4 weeks of work. Export Firebase Auth users with the Admin SDK, transform Firestore documents into relational rows, recreate security rules as Postgres RLS policies, and swap Cloud Functions for Edge Functions. The hardest part is restructuring nested NoSQL data into normalized tables.
Does Supabase support offline mode like Firebase?
Not natively. Firestore has built-in offline persistence that queues writes automatically. Supabase requires you to add a local database like Drift or Hive and sync manually. If offline-first is critical, Firebase has a significant advantage here, or you can build a sync layer with packages like PowerSync.
Which has better real-time support — Supabase or Firebase?
Firebase Firestore snapshots are more mature and handle offline-to-online transitions smoothly. Supabase Realtime (based on Postgres WAL via Phoenix channels) works well for live updates but does not queue changes during offline periods. For pure real-time speed with an active connection, both perform comparably under 100ms.
Is Supabase auth as good as Firebase Auth?
Both support email, OAuth (Google, Apple, GitHub), and phone auth. Supabase adds row-level security that ties directly to the authenticated user's JWT, giving you database-level authorization without extra server code. Firebase Auth is more battle-tested at massive scale and integrates tightly with other Firebase services.
Can I use Firebase and Supabase together in the same Flutter app?
Yes. A common hybrid pattern uses Firebase for push notifications (FCM), Crashlytics, and Analytics while using Supabase for the database, auth, and storage. Both SDKs coexist without conflicts. Just keep auth in one system to avoid session confusion.