Is supabase.co a scam?

Our automated security review found no threat indicators on supabase.co. The site appears legitimate based on the signals we checked, but always stay alert for phishing emails that spoof real domains.

Is supabase.co safe to use?

supabase.co passed our automated security checks with a trust score of 77/100. No antivirus engines or major blacklists flagged the site at the time of the last scan.

Does supabase.co have a valid SSL certificate?

Yes. supabase.co presents a valid TLSv1.3 certificate issued by Let's Encrypt · R13, expiring in 75 days. Note that SSL only encrypts the connection — it does not guarantee that the site itself is trustworthy.

Is supabase.co on any phishing or malware blacklists?

No. supabase.co is not currently listed on the major browser blocklist feeds that modern browsers use.

Where is supabase.co hosted?

supabase.co resolves to an IP operated by Vercel, Inc in US (usage type: Content Delivery Network). Hosting location alone doesn't make a site good or bad, but unusual geography for a brand's claimed country is one of many signals we weigh.

How often is the supabase.co report updated?

We cache results for 24 hours. Signed-in MalwareTips members can trigger a manual rescan at any time using the "Rescan" button on the report page, which re-runs every check from scratch and refreshes this page.

SAFE

No threats detected

All checks passed. This site appears legitimate — but always stay alert for phishing even on trusted domains.

Security Review

Is supabase.co legit or a scam?

Name: Is supabase.co legit or a scam?
Item: supabase.co
Rating: 4
Author: MalwareTips

Our verdict:Safe· 77/100

SafeSuspiciousDangerous

Official Supabase Postgres platform domain hosting project APIs with clean security scans and no scam indicators.

Why we trust it

Browser blocklist feeds returned clean with no detections.Visual analysis confirms fully rendered legitimate Supabase homepage.Valid SSL certificate with no homoglyph or IDN tricks detected.

supabase.coScanned 4d ago

Post Facebook

Trust score

SAFE

Heuristics 69·MT 82

Category tags

developer platform85% MT confidence

Technical red flags (1)

Impersonates OpenAI / ChatGPT

Warning signals (1)

Redirects to another domain

Positive signals (3)

Not on major blacklists Encrypted connection Clean server reputation

View density

Analysis Summary

Threat Intelligence

—

Data unavailable

Domain Age

—

Registration date unknown

MT Intelligence

Safe

Low likelihood · 85% confidence

MT Intelligence

Advanced threat intelligence

MT Security Analyst

Low scam likelihoodengineMT · Guardiantrust82/100

MT AgentLive web researchVisual inspection

Confidence

The page renders the full legitimate Supabase homepage describing their Postgres database, auth, and API features. Browser blocklists returned clean and the hosting IP shows a low abuse score. Evidence confirms supabase.co is the official domain used for project endpoints like project-ref.supabase.co rather than a fake site. One Reddit mention notes third-party spam abuse of Supabase auth emails, but no reports flag the domain itself as fraudulent. Visual analysis confirms professional design matching the real platform with no clone or scam elements present.

Full dossier

Analysis complete

Page Content

The loaded page matches Supabase's official marketing site promoting their Postgres platform, authentication, APIs, and integrations including our AI engine. No login forms, countdowns, or data-harvesting elements appear.

Infrastructure

Valid SSL certificate from Let's Encrypt, low abuse score on the hosting IP, and clean browser blocklist results. Two cross-domain redirects occurred but stayed within the Supabase ecosystem.

Domain History

supabase.co functions as the official hosting domain for Supabase customer projects and APIs, while the primary marketing site sits at supabase.com. No recent creation flags or suspicious registration patterns noted.

Web Reputation

Our research located platform discussions on Reddit with one report of third-party spam abuse via Supabase auth and some general complaints, but no direct scam reports against supabase.co itself.

Risk Factors

No contact email or postal address visible on the page.
Global traffic index shows the domain is not widely indexed.
31 abuse reports exist on the hosting IP despite a zero abuse score.

Positive Signals

Browser blocklist feeds returned clean with no detections.
Visual analysis confirms fully rendered legitimate Supabase homepage.
Valid SSL certificate with no homoglyph or IDN tricks detected.

AI Recommendation

Continue using supabase.co only for verified Supabase project subdomains. Always double-check the exact project reference in your account dashboard before entering credentials.

Next-gen fraud intelligence

Evidence-backedCross-checked

Website Preview

LIVE RENDER

supabase.co

1Impersonates OpenAI / ChatGPT

Automated page render — captured in a safe sandbox. What an ordinary visitor would see when loading the site. See full visual analysis →

Visual Screenshot Analysis

We capture a fresh screenshot of the live page and ask a vision model to look for scam visual patterns — fake trust badges, countdown timers, overlay pop-ups, and visual clones of legitimate brands.

/ 100

No visual red flags

No scam visual patterns detected

This is the fully rendered, legitimate Supabase homepage with professional design and no scam indicators visible.

Visual risk0/100

Brand Impersonation

medium confidence

The page mentions or styles itself as OpenAI / ChatGPT, but is hosted on a domain that is not an official OpenAI / ChatGPT property.

Web Research Findings

Our live research agent queries scam-report databases, consumer-review sites, news coverage, and general web search for supabase.co, then cross-checks business-registration records and look-alike domain patterns. Everything below is pulled from what it actually found.

Business registration

No public record found

Could not match the site to a registered company — common for small sites.

Clone check

Not a clone

No well-known site's layout or branding detected here.

Typosquat check

No look-alike match

The domain doesn't resemble any well-known brand's spelling.

Web mentions

1 scam report · 5 complaints · 1 positive

Key findings

6 headline facts from open-web research

Official Supabase website and docs are at supabase.com; supabase.co hosts project-specific endpoints like <ref>.supabase.co/rest/v1/
GitHub repo and LinkedIn list supabase.com as primary site
Reddit discussions reference supabase.co URLs in context of legitimate Supabase projects and auth
Trustpilot reviews exist for supabase.com with mixed feedback including billing complaints
No direct scam reports targeting supabase.co as a fraudulent domain; some mentions of platform abuse by third parties
API documentation explicitly uses supabase.co domains for hosted services

Scam reports (1)

Direct quotes from public scam databases, forums, and news.

Redditopen
"Scammers using Supabase auth email to send spam - I just got a pretty typical scam email pretending to be Poshmark and wanting me to click a phishing link. The interesting thing is that the ..."

Positive reviews (1)

Quotes indicating the site is legitimate.

Redditopen
"I love the product and the platform so far. Robust battle tested auth system with tokens, the auth data is integrated into every other part of app's data ..."

Research summary

Narrative write-up from our AI analyst, grounded on the facts above

Our research found one Reddit discussion about scammers abusing Supabase auth for spam emails, but no reports of supabase.co itself being fraudulent. Positive user feedback on the platform appears on Reddit, with some complaints noted on review sites. No business registration details were located in searches.

Security Scans

Blacklist Check

Not flagged on major threat lists

Checked against the major public blocklists used by browsers and security tools — no hits.

Contact Verification

We fetched the page and looked for real-world contact details. Legitimate businesses almost always publish an email on their own domain, a phone number, and a postal address. Scam shops usually don't.

What We Found

No clear contact details on the page

Emails on site's domainNone

Phone numbers66799141

Postal addressNot listed

Linked social profiles10

Signal Summary

Several contact red flags

No contact email found anywhere on the page.
No postal address visible on the page.
Page impersonates OpenAI / ChatGPT on a non-official domain.

Phone number listed (66799141).
Links to 81 social profiles.

Domain & Encryption

Encryption Certificate

StatusValid

ProtocolTLSv1.3

IssuerLet's Encrypt · R13

ExpiresAug 15, 2026 (75d)

Self-signedNo

Hosting & Technology

HostingVercel, Inc

Server locationUS

Web serverVercel

Redirect Chain

Hops

Cross-domain

Yes

Lookalike

Punycode

1308http://supabase.co/
2307https://supabase.co/
3200https://supabase.com/cross-domain

Server Reputation

Abuse Intelligence

Confidence score0%

Reports on file31

ISPVercel, Inc

Usage typeContent Delivery Network

Scam-Type Likelihood

1 scam-type patterns detected

Scam-Type Likelihood

0 of 13 categories showed signals

We check every URL against 13 distinct scam categories so the verdict tells you not just how risky the page is, but what kind of risk it carries. Each meter pulls from page signals, web reports, our AI analyst, vision, and the scam-network cluster — not from raw AV labels.

Top match: Brand Impersonation

Brand Impersonation

Low-level signals

0/100

Page mentions OpenAI / ChatGPT (non-official domain).

Scam-Type Likelihood

0 of 13 categories showed signals

Top match: Brand Impersonation

Brand Impersonation

Low-level signals

0/100

Page mentions OpenAI / ChatGPT (non-official domain).

Still, stay alert

No major threat indicators — but a clean scan does not guarantee every page is safe, and phishing emails routinely spoof real domains.

Double-check the exact URL in your address bar
Confirm you are actually on supabase.co and not a lookalike like s-upabase.co.com or an IDN homoglyph.
Use a password manager
Password managers only auto-fill on the exact domain they were saved for — they refuse to fill lookalike domains, which is the single best phishing defence.
Discuss this site on the forum
If you have first-hand experience with this site — good or bad — share it with the MalwareTips community.
Open

Reputation Sources

How this domain rates across independent threat-intelligence and blocklist providers.

Google Safe Browsing

Not listedCheck ↗

AbuseIPDB

Not listedCheck ↗

Also verify:Spamhaus ↗DNSBL / SURBL ↗PhishTank ↗

Referenced Domains

Outbound domains this page links to or loads resources from. Each links to its own security scan.

supabase.com frontend-assets.supabase.com github.com discord.supabase.com twitter.com x.com youtube.com tiktok.com instagram.com status.supabase.com forms.supabase.com dev.to

Safety FAQ

Common questions about this site, answered from the scan data on this page. These are auto-generated — not hand-written — so they always match the underlying report.

Our automated security review found no threat indicators on supabase.co. The site appears legitimate based on the signals we checked, but always stay alert for phishing emails that spoof real domains.

Final Verdict

Trust / 100

Final Verdict·supabase.co

SAFE

Supabase.co serves as the official domain for Supabase project APIs and hosting endpoints. Our analysis shows clean blocklist status, valid SSL, and no malicious indicators on the page. Use it normally for legitimate Supabase projects but confirm the exact subdomain matches your account.

Continue using supabase.co only for verified Supabase project subdomains. Always double-check the exact project reference in your account dashboard before entering credentials.

AV engines

—

MT passes

Net signals

Scan another URL

Security review completemalwaretips.com/url-scan

Recently scanned

Other Safe reports

woocommerce-1093796-5896757.cloudwaysapps.com

Community review

User reviews & comments(0)

Share your experience — "Lost $200 on a fake checkout" is more useful than "Scam". Your review helps others avoid traps.

Loading…

Loading comments…

This report is generated automatically by combining threat intelligence, domain signals, and an AI security analyst. It is informational, not legal advice. Always use your own judgement before sharing personal information or money online.