Built for Supabase agencies — 14-day free trial

Cloudflare's proxy on a Supabase custom domain breaks ACME validation silently.
Auth, REST, Realtime, and Storage all start failing through the Supabase JS client while the site keeps loading from Cloudflare's edge.

Supabase agencies building Next.js, SvelteKit, and React client products on Supabase's managed Postgres + Auth + Realtime stack deal with three recurring problems: Cloudflare's proxy being turned on for a Supabase custom domain CNAME and silently breaking ACME validation, OAuth redirect URL mismatches when Auth certs renew under different SAN lists, and free-tier project pause/resume IP changes that orphan hardcoded A records. Merlonix monitors SSL and DNS so Supabase JS client calls don't silently fail before you know the cert was wrong.

No credit card for the trial. Cancel any time.

  • Check cadence (Agency): 5 min
  • SSL pre-expiry alert: 30 days
  • Independent DNS resolvers: 3
  • Vendors watched: 11

Where Supabase agencies get caught out

Three failure modes specific to Supabase deployments with custom domains, OAuth Auth providers, and free-tier project pause/resume cycles.

Supabase agencies deal with Cloudflare's proxy being turned on for a Supabase custom domain CNAME and silently breaking ACME validation while the site keeps loading from Cloudflare's edge cert (Auth, REST, Realtime, and Storage all start failing through supabase-js with TypeError: Failed to fetch), OAuth redirect URL mismatches when Supabase Auth's underlying cert SAN list changes between renewals (Google and GitHub reject with redirect_uri_mismatch), and free-tier project pause/resume IP changes that orphan hardcoded A records pointing at ref.supabase.co.

Supabase's custom domain feature provisions a managed Let's Encrypt cert via ACME http-01 validation against the project's ref.supabase.co — when an agency turns on Cloudflare's proxy (orange-cloud) on the CNAME pointing at ref.supabase.co, Cloudflare terminates TLS at the edge and re-encrypts to Supabase, and the cert renewal silently fails. The site keeps loading because Cloudflare serves its own universal edge cert, but the Supabase JS client's calls to Auth, REST, Realtime, and Storage all start failing because the cert chain Supabase presents is expired.

A Supabase agency operates a client SaaS where the Next.js frontend at app.client.com calls api.client.com (Supabase custom domain pointing at ref.supabase.co). The client adds Cloudflare in front of api.client.com to add WAF rules and turns on the orange-cloud proxy. The site keeps loading because Cloudflare's universal cert covers api.client.com. Three weeks later, sign-ins start failing with TypeError: Failed to fetch from supabase-js because the underlying Supabase managed cert silently failed renewal.

A Supabase agency operates a client B2B SaaS with a Next.js frontend at app.client.com and Supabase custom domain at api.client.com (CNAME pointing at <ref>.supabase.co). The Supabase managed cert for api.client.com renews automatically every 60 days via ACME http-01 validation. Six months in, the client adds Cloudflare in front of api.client.com to enable WAF rules and turns on the orange-cloud proxy on the CNAME. The site continues working because Cloudflare's universal SSL covers api.client.com end-to-end from the browser perspective. Supabase's next renewal cycle attempts ACME http-01 validation; Cloudflare's proxy intercepts and returns a synthetic response that fails the challenge. Supabase's cert silently expires. The Supabase JS client in the Next.js app continues making requests to api.client.com — Cloudflare accepts them at its edge, then proxies to the Supabase backend, where the TLS handshake at the Cloudflare-to-origin layer now uses the expired Supabase cert. Cloudflare returns 526 (Invalid SSL Certificate) for those requests; supabase-js surfaces these as TypeError: Failed to fetch with no useful diagnostic. Sign-ins start failing. The agency engineer assumes it's a supabase-js version regression and spends four hours rolling back library versions before checking the actual cert chain at the Cloudflare-to-origin layer.

Supabase Auth's OAuth redirect URLs are configured against specific subdomains in the Supabase dashboard — when the cert's SAN list changes between renewals (e.g., Supabase rolling out a new managed cert that covers <ref>.supabase.co but no longer matches the original SAN list configured in OAuth Provider settings), Google and GitHub OAuth providers reject the redirect with redirect_uri_mismatch. The error looks like an OAuth configuration bug but is rooted in an SSL cert change.

A Supabase agency runs a client product where users sign in via Google OAuth. The Supabase Auth callback URL is configured as https://api.client.com/auth/v1/callback in both the Supabase dashboard and the Google OAuth client settings. After a Supabase platform-side cert rotation that adjusted the SAN list on the underlying load balancer, Google OAuth starts rejecting the redirect with Error 400: redirect_uri_mismatch — even though the agency hasn't changed any OAuth config.

A Supabase agency runs a client product where users sign in with Google OAuth through Supabase Auth (GoTrue). The Supabase Auth callback URL is configured as https://api.client.com/auth/v1/callback in the Supabase dashboard. The Google Cloud Console OAuth client settings have the same callback URL configured. Sign-ins work. A Supabase platform-side cert rotation adjusts the SAN list on the underlying load balancer that fronts the project — the new cert correctly covers api.client.com but no longer matches the SAN entries that Google's OAuth strict-validation logic expects from the original cert presented at the redirect URL. Google OAuth starts rejecting the redirect with Error 400: redirect_uri_mismatch. Users hit a Google OAuth error page during sign-in. The agency engineer checks the Supabase dashboard OAuth config (matches), checks the Google Cloud Console (matches), checks the Next.js redirect logic (correct), and spends six hours debugging supabase-js OAuth flow before realizing the cert's SAN list changed. The fix is re-issuing the Supabase managed cert through the dashboard's domain settings; the entire incident maps to a 30-second cert rotation.

Free-tier Supabase projects auto-pause after 7 days of inactivity. When the project is resumed (manual click in the dashboard), the project ref stays the same but the underlying infrastructure IP behind ref.supabase.co changes. CNAMEs pointing at ref.supabase.co continue working because Supabase handles the indirection — but agencies that hardcoded an A record (instead of a CNAME) pointing at the resolved IP, an anti-pattern, keep pointing at dead infra and don't notice until the next deploy.

A Supabase agency builds a client MVP on Supabase's free tier. The agency engineer configures api.client.com as an A record pointing at the resolved IP of <ref>.supabase.co (instead of a CNAME) because the registrar UI made A records easier to set up. The MVP launches, gets traffic for a week, then sits idle for 7 days. Supabase auto-pauses the project. The agency resumes it from the dashboard. The project ref stays the same but the underlying IP changes. The hardcoded A record at api.client.com keeps pointing at the now-dead IP. Supabase JS client calls fail with timeout.

A Supabase agency launches a client MVP on Supabase's free tier. During DNS setup the agency engineer configures api.client.com as an A record pointing at the IP that <ref>.supabase.co resolved to at setup time, rather than configuring a CNAME to <ref>.supabase.co. (The registrar UI shipped an A-record-first creation form and the engineer didn't notice the CNAME tab.) The MVP launches successfully — traffic flows, supabase-js calls succeed because the IP was correct at the time. After the launch sprint, the project sits idle for 7 days. Supabase auto-pauses the free-tier project. A week later the client asks the agency to demo a feature; the agency engineer logs into the Supabase dashboard and resumes the project. The project ref stays the same; the underlying compute is reassigned to a new IP. The hardcoded A record at api.client.com keeps pointing at the original IP, which now belongs to no Supabase project at all (or another tenant's project). The Supabase JS client calls from the Next.js frontend fail with connection timeout. The agency engineer checks the Supabase dashboard (project healthy), checks the Next.js env vars (correct), checks the Supabase project URL in the browser directly (works), and finally runs `dig +short api.client.com` and `dig +short <ref>.supabase.co` and sees the IPs no longer match. The fix is changing the A record to a CNAME — five minutes including TTL wait — but the diagnostic took the better part of an afternoon.

How it works

SSL and DNS monitoring for Supabase agencies across managed custom-domain cert provisioning, Cloudflare proxy interactions, OAuth Auth callback URL SSL validation, and free-tier project pause/resume cycles.

Merlonix monitors SSL expiry and CNAME integrity across every Supabase-attached subdomain — api.*, auth.*, realtime.*, storage.*, plus per-tenant Server-Side Auth hosts — and catches renewal failures caused by Cloudflare's proxy being turned on for a CNAME pointing at ref.supabase.co, Supabase platform-side cert SAN list rotations that trigger OAuth redirect_uri_mismatch errors, and free-tier project pause/resume IP changes that orphan hardcoded A records — before supabase-js calls start silently failing with TypeError: Failed to fetch.

01

Add Supabase project domains — apex, api.*, auth.*, realtime.*, storage.*, plus per-tenant subdomains — with DNS TXT record verification

Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — api.*, auth.*, realtime.*, storage.*, plus any per-tenant subdomains routed through Supabase Auth Server-Side Auth — are added without additional verification. Monitoring every Supabase-attached subdomain from a single apex registration ensures that custom-domain failure modes (cert renewal silently breaking through Cloudflare proxy) are caught alongside the marketing apex. Under two minutes per client.

02

CNAME and A record monitoring across ref.supabase.co aliases, Cloudflare proxy interactions, and project pause/resume IP changes

Three independent DNS resolvers check every CNAME delegation on every monitoring interval. When a client switches a Supabase custom-domain CNAME from grey-cloud (DNS-only) to orange-cloud (Cloudflare-proxied), the change shows up in the audit log immediately — alongside the Supabase managed cert renewal failure that follows 30-60 days later when ACME http-01 validation can't complete through Cloudflare's edge. When an agency follows the anti-pattern of using an A record pointing at the resolved IP of ref.supabase.co (instead of a CNAME), the resolved-IP-vs-current-Supabase-IP mismatch is logged when the project resumes from auto-pause and the IP changes.
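
The `dig +short` comparison from the free-tier scenario above, turned into a repeatable check across three resolvers. This is an added example, not Merlonix's code: the function names, the three public resolver addresses and the `your-ref.supabase.co` placeholder are assumptions.

```sh
#!/bin/sh
# Added example (not Merlonix code). Function names are hypothetical.

# classify_dns CNAME CUSTOM_IPS PROJECT_IPS EXPECTED_TARGET
#   CNAME        answer to a CNAME query for the custom domain ("" if none)
#   CUSTOM_IPS   space-separated A answers for the custom domain
#   PROJECT_IPS  space-separated A answers for the project host
classify_dns() (
  cname=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
  expected=$(printf '%s' "${4%.}" | tr 'A-Z' 'a-z')
  custom_ips=$2
  project_ips=$3
  if [ -n "$cname" ]; then
    # A visible CNAME means the record is DNS-only and follows the project.
    if [ "$cname" = "$expected" ]; then echo "cname-ok"; else echo "cname-wrong-target"; fi
  elif [ -z "$custom_ips" ]; then
    echo "no-answer"
  else
    # No CNAME: every address must still be one the project host returns.
    state="a-record-matches-for-now"
    for ip in $custom_ips; do
      case " $project_ips " in
        *" $ip "*) ;;
        *) state="a-record-diverged" ;;
      esac
    done
    echo "$state"
  fi
)

# only_ips: keep the IPv4 lines of `dig +short` output, joined by spaces.
only_ips() { grep -E '^[0-9]+(\.[0-9]+){3}$' | tr '\n' ' '; }

# check_domain CUSTOM_DOMAIN PROJECT_HOST
# Queries three public resolvers (an assumed choice) and prints one state each.
check_domain() {
  for r in 1.1.1.1 8.8.8.8 9.9.9.9; do
    state=$(classify_dns \
      "$(dig +short CNAME "$1" "@$r")" \
      "$(dig +short A "$1" "@$r" | only_ips)" \
      "$(dig +short A "$2" "@$r" | only_ips)" \
      "$2")
    echo "$r $1 $state"
  done
}

# Usage (needs network): check_domain api.client.com your-ref.supabase.co
```

A Cloudflare-proxied CNAME is answered with edge A records and no visible CNAME, so it reports `a-record-diverged` just like a stale hardcoded A record; `a-record-matches-for-now` is the fragile state that breaks on the next IP change.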

03

SSL monitoring 30 days before expiry across Supabase managed certs, Cloudflare universal certs (when proxy is on), and per-subdomain certs for auth.* and realtime.* hosts

Full SSL chain validation on every Supabase-attached subdomain — apex, api.*, auth.*, realtime.*, storage.*, plus per-tenant subdomains. An expiry alert fires 30 days before the cert expires — enough lead time to identify whether the failure is a Cloudflare proxy interaction blocking Supabase's ACME http-01 validation, a Supabase platform-side cert SAN list change about to trigger OAuth redirect_uri_mismatch errors, or a free-tier project that's about to auto-pause and break a hardcoded A record after resume. Catches Supabase managed cert renewal failures while the public site still appears to load from Cloudflare's edge cert and supabase-js calls are silently failing through the JS client.
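
One way to run the 30-day expiry and hostname check against the certificate the origin presents, rather than the edge cert the browser sees. This is an added example, not Merlonix's code: the function names and the `your-ref.supabase.co` placeholder are hypothetical, and it assumes the origin returns the custom domain's certificate when that name is sent as SNI.

```sh
#!/bin/sh
# Added example (not Merlonix code). Function names are hypothetical.

# origin_cert ORIGIN_HOST SNI_NAME > leaf.pem
# Connects to ORIGIN_HOST directly (not through the proxied name) and saves
# the leaf certificate it presents for SNI_NAME. Needs network access.
origin_cert() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# cert_state PEM_FILE HOSTNAME [WARN_DAYS]
# Prints: expired | san-mismatch | expiring | ok   (WARN_DAYS defaults to 30)
cert_state() (
  pem=$1
  host=$2
  warn_days=${3:-30}
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "expired"
  elif ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
    # Hostname is not covered by the certificate's SAN list.
    echo "san-mismatch"
  elif ! openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
    echo "expiring"
  else
    echo "ok"
  fi
)

# Usage (needs network; your-ref.supabase.co is a placeholder):
#   origin_cert your-ref.supabase.co api.client.com > leaf.pem
#   cert_state leaf.pem api.client.com 30
```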

04

Vendor status for Supabase, AWS (Supabase's underlying infrastructure), Cloudflare, and typical Supabase frontend hosts (Vercel, Netlify) to distinguish infrastructure incidents from Supabase-specific SSL and project configuration failures

Merlonix monitors Supabase, AWS, Cloudflare, Vercel, Netlify, and other typical Supabase-stack vendors' status pages alongside client SSL and DNS. When a Supabase regional incident causes Auth and REST failures across multiple client deployments simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is a Supabase regional outage, a Cloudflare proxy interaction blocking ACME validation, or an OAuth redirect_uri_mismatch caused by a Supabase-side cert SAN list rotation.

What the numbers mean for Supabase agencies

Monitoring built for Supabase agencies where one client product means a Next.js frontend on Vercel, a Supabase custom domain at api.*, an Auth callback at auth.*, a Realtime subdomain at realtime.*, and per-tenant Server-Side Auth hosts — each a separate SSL surface that fails differently when Cloudflare proxy is on or a SAN list rotates.

Supabase agencies managing custom-domain cert renewal across multi-client deployments, Cloudflare proxy interactions that occasionally break ACME validation, OAuth redirect URL SSL validation across multiple OAuth providers (Google, GitHub, GitLab), and free-tier project pause/resume cycles need monitoring that covers every Supabase-attached subdomain — because a Cloudflare-proxy CNAME flip is silent until the next 60-day Supabase renewal cycle and the production site keeps loading from Cloudflare's edge cert while supabase-js calls are silently failing with TypeError: Failed to fetch.

< 10 min

Time from DNS change to alert — catches the Cloudflare proxy flip from grey-cloud to orange-cloud on a Supabase custom domain CNAME, free-tier project pause/resume IP changes that orphan hardcoded A records, and the silent A-vs-CNAME setup mistake that breaks immediately after a resume

30 days

SSL expiry warning lead time — enough time to identify a Cloudflare proxy interaction blocking Supabase's ACME http-01 validation, a Supabase platform-side cert SAN list rotation about to trigger OAuth redirect_uri_mismatch errors, or a free-tier project that's about to auto-pause, and correct it before supabase-js calls start failing through the JS client

11 vendors

Upstream services monitored — Supabase, AWS, Cloudflare, Vercel, Netlify, and Google OAuth provider included to distinguish provider outages from Supabase-specific SSL and project configuration failures

200 assets

Maximum monitored domains on the Agency plan — covers Supabase project apex, api.*, auth.*, realtime.*, storage.*, and per-tenant Server-Side Auth subdomains across a full Supabase client portfolio

Pricing

Flat monthly fee. Every Supabase project subdomain and per-tenant Server-Side Auth host included.

No per-subdomain charges. No per-Supabase-project fees. Pick the tier that fits your Supabase client and project count and monitor every api.*, auth.*, realtime.*, storage.*, and per-tenant subdomain without billing surprises.

Starter

For individual Supabase developers managing a small client portfolio with single-project Supabase custom domains.

$29/month

  • 10 monitored assets
  • 1 seat
  • 15-min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Team (most chosen)

For Supabase agencies managing multi-project client deployments with separate api.*, auth.*, and realtime.* subdomains.

$79/month

  • 50 monitored assets
  • 5 seats
  • 10-min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Agency

For agencies with a full Supabase client roster including per-tenant Server-Side Auth hosts and multi-OAuth-provider redirect URL coverage.

$199/month

  • 200 monitored assets
  • 15 seats
  • 5-min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Know when a Supabase managed cert is about to fail because Cloudflare's proxy is on the CNAME.

Add your first Supabase client domain in under two minutes. api.*, auth.*, realtime.*, storage.*, and per-tenant Server-Side Auth hosts across every Supabase project for that client are monitored from the same dashboard. 14-day trial, no card required.