Security basics
Tembrio uses Supabase Auth, Postgres row-level security, and server-only secrets to protect customer feedback data.
Security posture
Dashboard access should be checked on the server. Browser state alone should never grant access to protected data.
Customer portal auth and owner dashboard auth are different product surfaces, even if they share the underlying auth provider.
Step-by-step
1. Use server auth checks. Use Supabase getUser on the server for protected routes.
2. Keep secrets server-only. Never expose service role, payment, email, or AI keys in client code.
3. Rely on RLS. User-owned data needs row-level security policies.
4. Separate owner and customer flows. Owners use dashboard auth; customers use portal auth for voting and commenting.
5. Use support for data requests. Account and privacy requests need direct support context.
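An added example, not Tembrio's own schema: a minimal Postgres RLS setup for step 3 that lets public boards be read by anyone while owner data stays restricted to auth.uid(). The tables and columns (boards, feedback, owner_id, is_public, author_id) are assumptions.

```sql
-- Assumed schema for illustration; Tembrio's real tables may differ.
create table if not exists boards (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null references auth.users (id),
  is_public boolean not null default false,
  title     text not null
);

create table if not exists feedback (
  id        uuid primary key default gen_random_uuid(),
  board_id  uuid not null references boards (id),
  author_id uuid references auth.users (id),
  body      text not null
);

-- Without this, every row is readable by any role the anon/auth keys map to.
alter table boards   enable row level security;
alter table feedback enable row level security;

-- Owners read and manage only their own boards (dashboard auth).
create policy "owner manages boards" on boards
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Public boards are readable by anyone, anonymous visitors included.
create policy "public boards readable" on boards
  for select to anon, authenticated
  using (is_public);

-- Feedback is readable exactly when its board is readable: public, or owned.
create policy "feedback follows board" on feedback
  for select to anon, authenticated
  using (exists (
    select 1 from boards b
    where b.id = feedback.board_id
      and (b.is_public or b.owner_id = auth.uid())
  ));

-- Portal users may only insert feedback attributed to themselves.
create policy "portal users post as themselves" on feedback
  for insert to authenticated
  with check (author_id = auth.uid());

-- Note: the service role key bypasses RLS entirely, which is why step 2
-- keeps it server-only; these policies protect nothing if it leaks to a client.
```

Policies are permissive and combined with OR, so a board is visible when any one policy matches; an anonymous widget session matches only the public-board path and never the owner path.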
Details to remember
- Public boards can be readable while private owner data remains protected.
- Widget identity does not grant dashboard access.
- Webhook and OAuth callbacks belong in route handlers, not client mutations.