Supabase fraud prevention
22 min read
Fake signups don't stay in your auth table — here's how to stop them at the door and clean up what gets through.
Simul Sarker
Founder & Product Designer of DataCops
Last Updated
June 1, 2026
Most articles about Supabase fraud prevention stop at the front door. Add Turnstile. Enable rate limits. Block disposable emails. Good advice. Incomplete picture.
Here is what nobody is saying: the fake users who slip through your auth layer do not stay in your auth table. They trigger onboarding sequences. They fire conversion events. They enter your HubSpot as qualified leads. They show up in your Meta CAPI as purchase signals, and Meta's algorithm trains on them, looking for more people just like them. The garbage enters at signup. It compounds at every layer downstream.
PillarlabAI ran this experiment: 4,560 signups over four weeks. Only 730 were real. 84% fraudulent. 650 accounts came from a single laptop. Every one of those fake signups was a real entry in the database. Every one had the potential to fire downstream events. If even 10% triggered a CAPI conversion event, that is roughly 380 bot "conversions" training Meta's Lookalike Audiences. The math on wasted ad spend writes itself.
That is the actual problem. Not "can you block bots at the form." The question is: what happens to the ones that get through, and are your downstream systems clean enough to not learn from them?
This guide covers the full stack. The front-door tools first, because you need them. Then the deeper layer: what to do about signal quality after the bot gets in.
Quick answers
Does Supabase have built-in fraud prevention? Partially. Supabase Auth ships with rate limiting, CAPTCHA integration (hCaptcha and Cloudflare Turnstile), a Before User Created hook for custom logic, and leaked password detection. It does not ship with IP reputation scoring, disposable email detection out of the box, or any downstream signal hygiene. You assemble the rest.
What is the most common Supabase signup abuse pattern? Three recurring patterns dominate. First, bots exhausting the email sending quota on the free tier (3 per hour) within minutes of launch. Second, anonymous sign-in endpoints being hammered to inflate database size. Third, disposable email addresses bypassing email confirmation because the inbox exists long enough to click the link, then disappears. Rate limiting stops the first. CAPTCHA helps the first and third. Only IP reputation plus email intelligence stops the third reliably.
Will adding Cloudflare Turnstile stop all bot signups? No. Turnstile is excellent at stopping automated HTTP clients that do not render JavaScript. Playwright, Puppeteer, and Selenium all render JavaScript. Sophisticated bot operators run headless browsers that solve Turnstile. It raises the cost of attack significantly. It does not eliminate it.
Does IP rate limiting protect against distributed attacks? Only partially. A 30-requests-per-hour token bucket per IP is bypassed trivially by a botnet rotating across thousands of residential IPs. The Fraudlogix 2026 report puts global invalid traffic at 20.64% of all digital traffic. Most of that traffic comes from residential IPs that look legitimate to any IP-based rate limiter.
What is the Before User Created hook and why does it matter? It is a Supabase Auth hook that fires before a new user row is written to your database. You can call an HTTP endpoint or a Postgres function, inspect the incoming user object, and reject the signup if it fails your criteria. This is the correct layer to plug in disposable email detection, domain allowlisting, IP reputation scoring, or custom fraud logic. It runs server-side, before any email is sent, before any row is written.
How do fake signups affect Meta CAPI and ad performance? If your application fires a Lead or CompleteRegistration event on signup, every fake signup that completes the flow sends that event to Meta. Meta's Conversions API trains on whatever signal you send. Feed it bots and it optimizes to find more bot-like users. EMQ (Event Match Quality) scores drop. CPA rises. This is the Layer 5 problem: the pipe works, but the water is contaminated.
What does good Supabase fraud prevention actually look like? Four layers working together. CAPTCHA at the form (Turnstile, first choice). IP reputation check at the Before User Created hook or Edge Function. Email intelligence at the same hook. Downstream signal filtering before anything hits CAPI, HubSpot, or your analytics. Most teams have layer one. Almost none have layer four.
The Supabase fraud surface, mapped
Supabase Auth gives you a solid foundation and deliberately leaves fraud prevention extensible. The rate limiting is real but narrow. The Before User Created hook is powerful but requires you to wire it up. CAPTCHA is supported but opt-in. Here is what that means in practice.
The Anonymous Sign-In endpoint is the most abused surface in 2026. Supabase stores every anonymous user as a real row in your database. Bots can hammer the endpoint to inflate your database size toward quota limits. Supabase documentation explicitly recommends enabling Turnstile for anonymous sign-ins, and an IP-based rate limit of 30 requests per hour applies by default. The problem: automatic cleanup of anonymous users is not yet available. Rows accumulate. Costs grow.
The email confirmation flow is the second surface. Without CAPTCHA, a single bot script can exhaust the free tier's 3-per-hour sending quota in seconds. Developers launching on a Vercel-Supabase template have reported waking up to a completely spent email quota from a single overnight bot run. The fix is Turnstile at the form, plus a custom SMTP provider so you are not bottlenecked by Supabase's own sending limits.
The Before User Created hook is the surface almost nobody is using correctly. It is your cleanest intervention point. Email, IP, domain, behavioral signals all land here before any database write. Most teams either skip the hook entirely or use it only for email domain allowlisting, which handles exactly one attack vector.
What you need is a defense-in-depth stack. Here is every tool worth knowing about, from the front door to the downstream signal layer.
Front-door tools: CAPTCHA and bot protection
Cloudflare Turnstile
The default first recommendation for any Supabase project facing signup abuse. Turnstile is a CAPTCHA alternative that verifies users by analyzing browser characteristics, JavaScript execution, and Cloudflare's network-level threat intelligence. Most legitimate users are verified without visible interaction. Supabase natively supports Turnstile in its Auth API, which means the token verification happens server-side without extra infrastructure.
What works: invisible verification, zero friction for legitimate users, native Supabase integration, free up to enormous traffic volumes. Cloudflare's global network gives it better threat intelligence than any standalone CAPTCHA product.
What does not work: headless browsers running Puppeteer or Playwright bypass Turnstile. Sophisticated fraud operations run exactly those tools. For high-value targets or SaaS products with attractive free tiers, Turnstile is necessary but not sufficient.
Right for: every Supabase project as a baseline. If you are doing nothing else, add this first. Value 9/10. Price: free.
hCaptcha
The other natively supported option in Supabase Auth. hCaptcha uses visual challenges, which means users see the "click all images with buses" experience. It collects labeled training data as a byproduct of verification, which funds the service. Privacy-conscious in that it does not track users across the web the way older reCAPTCHA versions did.
What works: well-established, wide enterprise adoption, tunable difficulty.
What does not work: visible challenges kill conversion. The average completion rate on a visible hCaptcha challenge is meaningfully lower than a frictionless Turnstile check. For any consumer-facing signup flow, the drop in conversions will exceed whatever you save from blocked bots. GDPR compliance is also more complex than Turnstile given the data labeling model.
Right for: high-security applications where friction is acceptable: government portals, financial services, admin tools. Value 6/10. Price: free basic; enterprise custom.
Arcjet
The developer-first security SDK that has gained real traction in 2025-2026. Arcjet ships as a JavaScript or Python SDK you drop into your route handlers. Signup form protection is a pre-built product that bundles bot detection, email validation, and rate limiting in one call. The local attack detection model runs AI-powered threat analysis inside your request handler, so it has business context that a network-level WAF never gets.
What works: three protections bundled out of the box. Works on Vercel, Netlify, and edge-deployed apps that break traditional WAF rules. Rate limiting that applies per-user based on auth state, not just per-IP. Blocks Puppeteer, Selenium, and Playwright in its bot detection model. The SDK integrates well with Next.js and has a documented pattern for use alongside Supabase Auth.
What does not work: JavaScript and Python only, so if you are on a different stack you are out of luck. Newer company with a still-building enterprise track record. Adds a dependency to your application code rather than a configuration change.
Right for: Next.js and Node.js teams who want defense-in-depth without assembling tools from scratch. Value 8/10. Price: free up to 5 rules and 3 developers; Pro $25/month; Enterprise custom.
Google reCAPTCHA v3
Not natively supported in Supabase Auth and not a recommended path in 2026. Google's tracking across domains creates GDPR risk. The v3 scoring model is opaque. The developer experience of wiring it into Supabase Auth hooks is entirely manual. Turnstile is better in every dimension except brand recognition.
Right for: teams locked into Google infrastructure contracts where Cloudflare is blocked. Value 4/10. Price: free.
Email intelligence: the gap most teams leave open
CAPTCHA stops bots that do not render JavaScript. It does not stop a human running a disposable email service who signs up for your free trial manually. It does not stop Gmail dot-tricks that let one person register fifty accounts. It does not stop catch-all domain signups that look real until they never engage.
email_guard (Supabase TLE)
A Trusted Language Extension for PostgreSQL that wires directly into Supabase Auth's Before User Created hook. It blocks disposable email domains using an auto-updated list, normalizes Gmail addresses to catch dot and plus-tag abuse (a Gmail address with dots in the local part, the same address without them, and the same address with a +tag appended all resolve to the same canonical address), and runs entirely inside your database with no external API call.
What works: installs in Postgres, no latency from an external API, normalizes Gmail aliases which virtually nothing else does by default. For a Supabase-native solution, this is the cleanest integration.
What does not work: static blocklists decay. A benchmark study testing 17 disposable email detection services found an average detection rate of 59%, with blocklist accuracy falling from 100% to 43% over time as new disposable domains emerge. email_guard's blocklist requires active maintenance.
Right for: Supabase projects wanting a simple, in-database, no-external-dependency email filter. Excellent first layer. Value 7/10. Price: free (open source TLE).
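To make the hook-based email checks concrete, here is an added example in TypeScript (it is not email_guard's code and not Supabase's; it is written for this article). It canonicalizes Gmail addresses the way the section describes, rejects a constructed sample of disposable domains, and refuses an alias of an account that already exists. The existing-address set is passed in so the decision stays a pure function; the hook response shape at the end is an assumption to verify against the Supabase hook documentation.

```typescript
// Added example, not email_guard's or Supabase's own code: the email checks a
// Before User Created hook can run before any row is written. The blocklist is a
// constructed sample, and the hook response shape at the bottom is an assumption.

const DISPOSABLE_DOMAINS: ReadonlySet<string> = new Set([
  "tempmail.example", // constructed sample entries; a real list is auto-updated
  "throwaway.example",
]);

const GMAIL_DOMAINS: ReadonlySet<string> = new Set(["gmail.com", "googlemail.com"]);

/**
 * Canonical form of an address. Lowercases everything; for Gmail also drops a
 * +tag and every dot in the local part, and folds googlemail.com into gmail.com,
 * since Gmail delivers all of those variants to one inbox. Returns null for
 * input that is not shaped like an address.
 */
export function canonicalizeEmail(email: string): string | null {
  const value = email.trim().toLowerCase();
  const at = value.lastIndexOf("@");
  if (at <= 0 || at === value.length - 1) return null;
  let local = value.slice(0, at);
  let domain = value.slice(at + 1);
  if (GMAIL_DOMAINS.has(domain)) {
    const plus = local.indexOf("+");
    if (plus !== -1) local = local.slice(0, plus);
    local = local.replace(/\./g, "");
    domain = "gmail.com";
  }
  return `${local}@${domain}`;
}

export interface HookDecision {
  allow: boolean;
  reason?: string;
  canonicalEmail?: string;
}

/**
 * Decide whether a signup may proceed. `existingCanonical` is the set of
 * canonical addresses already in auth.users, passed in so this stays a pure
 * function that can be unit-tested without a database.
 */
export function evaluateSignup(
  email: string,
  existingCanonical: ReadonlySet<string>,
  disposable: ReadonlySet<string> = DISPOSABLE_DOMAINS,
): HookDecision {
  const canonical = canonicalizeEmail(email);
  if (canonical === null) return { allow: false, reason: "malformed email" };
  const domain = canonical.slice(canonical.lastIndexOf("@") + 1);
  if (disposable.has(domain)) {
    return { allow: false, reason: `disposable domain ${domain}`, canonicalEmail: canonical };
  }
  if (existingCanonical.has(canonical)) {
    return { allow: false, reason: "alias of an existing account", canonicalEmail: canonical };
  }
  return { allow: true, canonicalEmail: canonical };
}

/**
 * Assumed response shape for an HTTP hook: an empty object lets the signup
 * through, an error object rejects it. Check the Supabase hook docs for the
 * exact contract before relying on this.
 */
export function toHookResponse(decision: HookDecision): Record<string, unknown> {
  return decision.allow ? {} : { error: { http_code: 400, message: decision.reason } };
}
```

The plus-tag and dot stripping is deliberately limited to Gmail domains: many other providers treat a + or a dot in the local part as a literal character, and collapsing them there would wrongly merge distinct users. Store the canonical form alongside the raw address so the alias check stays a single set lookup.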
DataCops SignUp Cops
Purpose-built for exactly this problem. DataCops runs signups against a 361-billion-IP database covering 146.4 billion datacenter and cloud IPs, 202 billion residential and mobile IPs, 11.9 billion VPN endpoints, 620 million proxy and anonymizer IPs, and 160,000 fraud email domains. The check happens before any row enters your database.
What makes this different from pure email filtering: most disposable email services have rotated to real-looking domains by 2026. The signal that matters is IP reputation. A user arriving via a datacenter IP with a freshly registered email domain and a headless browser fingerprint is a different risk profile than the same email from a residential address on a known ISP. DataCops fraud traffic validation combines both signals in a single API call that integrates into the Before User Created hook pattern.
The PillarlabAI case: 650 fraudulent accounts from one laptop. That laptop had a datacenter IP. The email addresses looked legitimate. IP reputation alone would have flagged it. Email filtering alone would not.
What works: IP reputation at 361 billion IPs, fraud email domain blocking at 160K+ domains, VPN and proxy detection, Puppeteer and Playwright fingerprint detection. One script tag and one CNAME set up the full stack including first-party analytics, CAPI, and CMP. The signup filtering is one component of a broader first-party data architecture.
What does not work: DataCops is a newer brand. SOC 2 Type II is in progress. If your procurement requires existing certification, that matters. Narrower integration catalog than enterprise platforms like Sift or IPQS.
Right for: SaaS teams running Supabase who also care about downstream CAPI signal quality, not just blocking at the auth layer. The only tool on this list that solves both the signup filter and the conversion data problem in one architecture. Value 9/10. Price: Free (2,000 sessions); Growth $7.99/month (5,000 sessions); Business $49/month (50,000 sessions, CAPI starts here); Organization $299/month; Enterprise custom.
AbstractAPI Email Validation
Cloud API for email validation. Checks MX records, detects disposable providers, validates deliverability. Called at signup via Edge Function or Before User Created hook. Coverage is good on obvious disposable services. Misses the sophisticated relay domains that have proliferated since 2024.
What works: simple REST API, fast integration, catches the majority of throwaway services.
What does not work: no IP reputation, no cross-signal correlation. Catches the email problem only. The benchmark data cited above on 59% average disposable detection rates applies to API-based services as a category.
Right for: budget-conscious projects wanting a quick integration with decent coverage. Value 6/10. Price: free up to 100/month; $15/month Starter.
IPQualityScore
One of the most established fraud scoring APIs in the market. Combines IP reputation, email validation, device fingerprinting, and behavioral signals into a single score. Has been in the space long enough to have substantial fraud pattern data.
What works: comprehensive scoring across IP, email, and device signals. Widely supported across enterprise stacks. Has a Supabase Edge Function integration pattern documented in the community.
What does not work: pricing escalates sharply at volume. For a SaaS startup running meaningful traffic, the API cost becomes a line item worth evaluating against the bundled alternatives. The documentation is technically dense, requiring real engineering time to implement cleanly.
Right for: teams with fraud as a dedicated engineering concern and budget to match. Value 7/10. Price: free up to 5,000 lookups/month; Starter $50/month; custom enterprise.
IP reputation and network-layer tools
Cloudflare Bot Management
If your Supabase application runs behind Cloudflare, Bot Management applies ML-based bot scoring to every request before it reaches your origin. The score is available in request headers, which you can read in a Supabase Edge Function to gate signups. With 37% of internet traffic coming from automated sources (Arcjet engineering data), having scoring at the CDN layer catches a different category of bots than application-level detection.
What works: the breadth of Cloudflare's network gives it signal quality that no standalone tool can match. Detects known bot operators, JavaScript fingerprinting, behavioral anomalies. No latency added at the origin.
What does not work: Bot Management is an enterprise product. Cloudflare's free Turnstile is the budget version. Bot Management adds meaningful cost that only makes sense at significant scale. Also: this is network-layer only. It does not know your business logic, your user tiers, or what a suspicious signup means in your specific context. Arcjet or DataCops provide that layer.
Right for: high-traffic production applications where the budget justifies CDN-layer scoring. Value 8/10 at scale. Price: included in Enterprise plans; contact sales.
Supabase native rate limiting
The built-in token bucket rate limiter is underutilized and under-configured by most teams. The defaults are reasonable for a cold project and insufficient for anything under active attack. Customization happens in the dashboard under Authentication > Rate Limits. You can tighten limits on the signup endpoint independently from the sign-in endpoint. You can set the anonymous sign-in limit as low as your legitimate use case requires.
What works: zero additional cost, zero additional latency, dashboard-configurable without code changes.
What does not work: IP-based rate limiting is categorically different from IP reputation scoring. A per-IP limit of 30 per hour allows 29 requests from each of 200 parallel VPN endpoints, and none of those endpoints individually trips the limit. The attack is distributed across IPs, so a per-IP counter never sees it as one attack.
Right for: every Supabase project as a baseline configuration step. Value 8/10 (it is free and you should use it). Price: free, included in all Supabase plans.
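The gap between a per-IP limit and a distributed burst is easy to quantify. The following is an added example in TypeScript, not Supabase's own rate limiter: a per-key token bucket with the 30-per-hour default described above, plus an optional endpoint-wide bucket as the defensive complement. The IP addresses it generates are constructed.

```typescript
// Added example, not Supabase's rate limiter: a per-key token bucket like the
// one described above, plus an endpoint-wide bucket, to show why a per-IP
// limit alone does not see a distributed burst. The IPs are constructed.

interface Bucket {
  tokens: number;
  last: number; // seconds
}

export class TokenBucket {
  private buckets = new Map<string, Bucket>();

  constructor(
    private readonly capacity: number,
    private readonly refillPerSecond: number,
  ) {}

  /** Try to consume one token for `key` at time `now` (seconds). */
  allow(key: string, now: number): boolean {
    const b = this.buckets.get(key) ?? { tokens: this.capacity, last: now };
    const elapsed = Math.max(0, now - b.last);
    b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refillPerSecond);
    b.last = now;
    const ok = b.tokens >= 1;
    if (ok) b.tokens -= 1;
    this.buckets.set(key, b);
    return ok;
  }
}

const SECONDS_PER_HOUR = 3600;

/**
 * Simulate `perIp` signup requests from each of `ips` distinct addresses,
 * all arriving in one burst at t=0. Returns how many the limiters let through.
 * With `globalPerHour` set, an endpoint-wide bucket is checked after the
 * per-IP one, which is what catches a burst spread across many addresses.
 */
export function simulateBurst(ips: number, perIp: number, globalPerHour?: number): number {
  const perIpLimiter = new TokenBucket(30, 30 / SECONDS_PER_HOUR); // 30/hour per IP
  const globalLimiter =
    globalPerHour === undefined
      ? null
      : new TokenBucket(globalPerHour, globalPerHour / SECONDS_PER_HOUR);
  let allowed = 0;
  for (let i = 0; i < ips; i++) {
    const ip = `10.0.${Math.floor(i / 256) % 256}.${i % 256}`; // constructed address
    for (let n = 0; n < perIp; n++) {
      if (!perIpLimiter.allow(ip, 0)) continue;
      if (globalLimiter !== null && !globalLimiter.allow("signup-endpoint", 0)) continue;
      allowed++;
    }
  }
  return allowed;
}
```

One address sending 200 requests gets 30 through; 200 addresses sending 29 each get all 5,800 through, because no single bucket ever empties. The endpoint-wide bucket is a blunt instrument (it also throttles real users during a burst), which is why the section treats rate limits as a baseline and IP reputation as the layer that actually distinguishes the two cases.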
Auth platforms with native fraud protection
Some teams reach for a standalone auth platform that includes signup fraud protection as a built-in feature, rather than assembling it themselves on Supabase.
Clerk
Developer-experience-first auth platform with the deepest Next.js integration in the market. Ships bot detection, configurable CAPTCHA, brute-force protection, and device monitoring as native features. SOC 2 Type II certified.
What works: zero assembly required. The signup flow includes fraud controls without any Edge Function or hook configuration. The pre-built components are genuinely excellent and save real engineering hours. For Next.js in particular, the middleware integration is three lines of code.
What does not work: per-MAU pricing becomes expensive at scale. 10,000 MAU free, then per-MAU charges that compound quickly for consumer-facing products with high signup volume. No native Supabase database integration: user records live in Clerk, not in your Postgres schema. If you need to join auth users against application data directly in SQL, that is a problem.
Right for: Next.js B2C SaaS where fast setup outweighs database ownership and per-MAU cost is acceptable. Value 7/10 at startup scale, 5/10 at growth scale. Price: free up to 10,000 MAU; paid plans from $25/month.
Auth0
The enterprise-grade option. Security Center provides real-time monitoring across credential stuffing, MFA bypass attempts, and suspicious session patterns. Attack protection is configurable and has been production-tested across enormous scale.
What works: comprehensive security feature surface. Bot detection on login, breached password detection, adaptive MFA that can trigger on suspicious signals. The fraud prevention story is genuinely built-in rather than bolted on.
What does not work: cost. Auth0 locks SSO and advanced security features behind plans that start at $1,500/month. For the scale of most Supabase users, you are paying enterprise prices for features you will not fully utilize. Also notable: Auth0 is owned by Okta, which has had its own security incidents to reckon with publicly in 2023-2024.
Right for: enterprise SaaS with compliance requirements and dedicated engineering capacity to configure it. Value 6/10 for SMB, 8/10 for enterprise. Price: free up to 25,000 MAU; Machine to Machine and B2B features require Business/Enterprise plans; Enterprise from $1,500/month.
SuperTokens
Open-source auth platform that you self-host on your own infrastructure. The email and phone verification flows are customizable at the code level. Fraud controls require the same assembly work as Supabase Auth but you own the entire stack.
What works: full control, no per-MAU pricing, self-hosted means data never leaves your infrastructure, strong compliance story for certain regulated industries.
What does not work: self-hosting is operational overhead. Security patches, uptime, and auth infrastructure scaling become your problem. The managed cloud option exists but adds cost that narrows the pricing advantage over Clerk.
Right for: teams with specific data residency requirements or compliance mandates that prevent third-party auth. Value 7/10. Price: free self-hosted; Cloud from $0.02/MAU.
Signal-layer tools: what most people skip entirely
The front-door tools above stop signups from bots that cannot solve CAPTCHA. Here is the category nobody in the Supabase fraud prevention conversation is discussing: what happens to the fake users who get through, and what do they do to your downstream systems.
DataCops (CAPI and signal filtering)
Once a fake user exists in your database, the problem is downstream. If your application fires a CompleteRegistration or Lead event when a user completes onboarding, that event goes to Meta CAPI. Meta trains on it. Project Andromeda, fully deployed October 2025, acts on contaminated signals within hours. By the time you audit your user base and delete the fakes, the algorithm has already trained on them for weeks.
DataCops filters at the IP layer before any event fires. A signup from a datacenter IP does not generate a CAPI event. A signup from a VPN endpoint does not generate a CAPI event. The 361-billion-IP database decides whether the conversion signal is clean before it reaches Meta, Google, TikTok, or LinkedIn.
The distinction from every other tool on this list: this is not front-door protection. This is signal layer protection. Other tools prevent fake users from entering your database. DataCops ensures that even if a fake user enters your database, they do not corrupt your ad platform's optimization model. The two protections are additive, not competing.
First-party CAPI at the Business tier ($49/month) covers Meta, Google Enhanced Conversions, TikTok Events API, and LinkedIn Insight CAPI from one pipeline. Bot-filtered server-side events. A Supabase team running paid acquisition cannot afford to skip this layer.
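What signal-layer gating looks like in code, as an added example in TypeScript (not DataCops' code and not Meta's CAPI client): each signup is classified by IP before its conversion event is built, and datacenter, VPN and proxy classes are withheld. The reputation map stands in for a real IP reputation lookup, the sample signups are constructed, and the event fields are a simplified stand-in for a real CAPI payload.

```typescript
// Added example, not DataCops' or Meta's code: a signal-layer gate that decides,
// per signup, whether a conversion event is clean enough to forward. The IP
// classification map stands in for a reputation lookup; all data is constructed.

export type IpClass = "residential" | "mobile" | "datacenter" | "vpn" | "proxy" | "unknown";

export interface Signup {
  userId: string;
  ip: string;
  eventName: "CompleteRegistration" | "Lead";
}

// Simplified stand-in for a server-side conversion event; a real payload is richer.
export interface ConversionEvent {
  event_name: string;
  event_time: number; // unix seconds
  external_id: string;
}

export interface GateResult {
  send: ConversionEvent[];
  suppressed: Array<{ userId: string; ipClass: IpClass }>;
}

// Classes that must never become ad-platform training signal.
const SUPPRESSED_CLASSES: ReadonlySet<IpClass> = new Set(["datacenter", "vpn", "proxy"]);

/** Stand-in for an IP reputation lookup; a real one queries a reputation database. */
export function classifyIp(ip: string, reputation: ReadonlyMap<string, IpClass>): IpClass {
  return reputation.get(ip) ?? "unknown";
}

/**
 * Split signups into events to forward and signups whose events are withheld.
 * Unknown IPs fail open here (the event is sent) so real conversions are not
 * lost to gaps in the reputation data; route them to review if that is too lax.
 */
export function gateConversionEvents(
  signups: readonly Signup[],
  reputation: ReadonlyMap<string, IpClass>,
  now: number,
): GateResult {
  const result: GateResult = { send: [], suppressed: [] };
  for (const s of signups) {
    const ipClass = classifyIp(s.ip, reputation);
    if (SUPPRESSED_CLASSES.has(ipClass)) {
      result.suppressed.push({ userId: s.userId, ipClass });
      continue;
    }
    result.send.push({ event_name: s.eventName, event_time: now, external_id: s.userId });
  }
  return result;
}

// Constructed sample data (documentation-range addresses, invented user ids).
export const SAMPLE_REPUTATION: ReadonlyMap<string, IpClass> = new Map<string, IpClass>([
  ["198.51.100.7", "residential"],
  ["198.51.100.8", "mobile"],
  ["203.0.113.5", "datacenter"],
  ["203.0.113.6", "vpn"],
]);

export const SAMPLE_SIGNUPS: readonly Signup[] = [
  { userId: "u1", ip: "198.51.100.7", eventName: "CompleteRegistration" },
  { userId: "u2", ip: "203.0.113.5", eventName: "CompleteRegistration" },
  { userId: "u3", ip: "203.0.113.6", eventName: "Lead" },
  { userId: "u4", ip: "198.51.100.8", eventName: "Lead" },
  { userId: "u5", ip: "192.0.2.99", eventName: "Lead" }, // absent from the map: unknown
];
```

Run against the sample, three events are forwarded (u1, u4, u5) and two are suppressed (u2 as datacenter, u3 as VPN). Keeping the suppressed list, rather than silently dropping, is what lets you later reconcile which users were held back and why, and it is the same record you would need when auditing events that already went out.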
Triple Whale, Northbeam, Hyros
Attribution dashboards that receive whatever signal your CAPI sends them. They make the existing data look beautiful. They do not clean it. If 40% of your CAPI events are bot-generated, Triple Whale shows you a beautiful chart of those bot events. Northbeam models on them. Hyros attributes them to campaigns. These tools are excellent at attribution analysis. They are orthogonal to fraud prevention. You need both, and they need to be in the right order: clean the signal first, then analyze it.
Right for: growth-stage ecommerce with a clean upstream data pipe. Value 7/10 if your upstream is clean, 3/10 if it is not. Price: Triple Whale $179/month annual; Northbeam $1,500/month entry; Hyros $1,000-5,000/month.
The full Supabase fraud prevention stack, tiered
Pre-launch / free tier: Cloudflare Turnstile at the signup form. Tighten Supabase rate limits in the dashboard. Install email_guard as a Postgres TLE. Add a Before User Created hook that rejects known disposable domains. Total cost: $0. Covers the most common attacks. Does not cover distributed bot networks, VPN signups, or downstream signal corruption.
Early revenue / $50K-500K ARR: Add Arcjet for in-code rate limiting, email validation, and bot detection beyond what Turnstile catches. Integrate DataCops at the Business tier ($49/month) for IP reputation at signup and bot-filtered CAPI events. Your ad platform's optimization model stays clean as you start spending real money on acquisition. Total additional cost: $74/month.
Growth stage / significant paid acquisition: Add IPQualityScore or DataCops Organization tier for the volume. Review your Before User Created hook quarterly: new disposable domain patterns emerge constantly. Audit your existing user base against IP reputation data on a scheduled basis. Events that have already been sent to CAPI from suspect users should trigger a Suppression Event to Meta.
Feature comparison
| Tool | Layer | Bot filter | Email intel | IP reputation | CAPI filtering | Supabase native | Price |
|---|---|---|---|---|---|---|---|
| Cloudflare Turnstile | Front door | JS-only | No | No | No | Yes | Free |
| hCaptcha | Front door | JS-only | No | No | No | Yes | Free |
| Arcjet | In-code | Advanced | Yes (MX, disposable) | No | No | Via Edge Fn | Free / $25/mo |
| email_guard | Hook | No | Disposable + Gmail | No | No | Yes (TLE) | Free |
| DataCops SignUp Cops | Hook + CAPI | Full (361B IP DB) | 160K+ domains | Yes | Yes | Via API | From $0 |
| IPQualityScore | API | Partial | Yes | Yes | No | Via Edge Fn | Free / $50+/mo |
| Supabase Rate Limits | Auth layer | IP-based only | No | No | No | Native | Free |
| Clerk | Auth platform | Native | Native | Limited | No | Separate platform | From $25/mo |
| Auth0 | Auth platform | Enterprise | Enterprise | Enterprise | No | Separate platform | From $1,500/mo |
| Cloudflare Bot Mgmt | CDN layer | Advanced | No | Yes | No | Via headers | Enterprise |
When NOT to use DataCops
You are not running paid acquisition. If you are not sending events to Meta CAPI, Google CAPI, or any ad platform, the downstream signal protection is not relevant to you yet. Front-door tools alone make sense. Come back to DataCops when you start spending real money on ads.
You need SOC 2 Type II today. DataCops is in progress. Arcjet, IPQualityScore, and enterprise auth platforms are already certified. If your procurement or compliance team requires existing certification, those are your options while DataCops completes the process.
Your entire fraud surface is one Supabase project with 500 users. email_guard plus Turnstile covers you at no cost. Do not over-engineer a free-tier project.
You need SAML SSO for enterprise customers. WorkOS or Auth0 are the right tools. DataCops is not in the identity management category. These are different problems.
You are building on a non-JavaScript stack. Arcjet is JS and Python. DataCops is SDK-agnostic via a script tag and API. But several front-door tools have limited support for Go, Rust, or PHP in the Supabase Edge Function context. Validate compatibility with your specific stack before committing.
The question you should be asking
Supabase makes it easy to launch fast. That speed means most projects go live with the default auth configuration: email confirmation on, rate limits at defaults, no CAPTCHA, no email intelligence, no IP reputation scoring.
The fraud operations that target SaaS free tiers are not sophisticated. A bot that rotates through residential IPs, uses a real-looking email domain, and completes your onboarding flow in under 60 seconds is not a nation-state adversary. It is a commodity tool running against every Supabase project that did not close the obvious doors.
Close those doors. CAPTCHA first, then email intelligence at the hook, then IP reputation. Then, when you start spending money on acquisition, ask the harder question: of the conversion events you have sent to Meta or Google over the last 90 days, how many can you prove came from real humans?
If you cannot answer that with a number, your optimization model is already contaminated.