April 25, 2025
Lynfolio: one read-only portfolio for every Supabase org
A Supabase portfolio dashboard: OAuth in, then cost estimates, database size, sync health, and cron monitoring across every org you connect—independent of Supabase’s single-org UI.
Context
If you juggle personal side projects, client orgs, and old experiments, Supabase’s dashboard is built for one org at a time. Total spend and operational health are easy to lose track of until something hurts. I built Lynfolio to be the read-only portfolio layer on top: connect accounts with OAuth, then see every project from every org in one place, with per-project cost estimates and health signals—without replacing Supabase or pretending to be an official product.
What we built
Lynfolio answers: “What is my full Supabase footprint, and what is it costing me?” Users authenticate with the official OAuth 2.0 + PKCE flow—no passwords, no personal access tokens to paste. The app rolls up total DB size, regions, per-project spend estimates, sync state, and a cron health view (including a 24-hour success-rate view). I added org tagging (Owner, Member, Client) and client grouping so agencies and freelancers can see what’s theirs vs. what was shared with them, plus re-auth nudges and an audit trail for connection events. Marketing copy and comparisons are explicit: Lynfolio is an independent product, not affiliated with Supabase.
Stack and architecture
The client is React and TypeScript. On the backend, Supabase (Postgres) with row-level security isolates data per user. Refresh tokens are encrypted at rest (AES-256-GCM) with a key held only on the server; a background job refreshes tokens before expiry so syncs don’t fail mid-run. The mental model is read-only, least privilege, and encrypt what would hurt if exposed—which is how I’d want a third party to treat *my* org tokens.
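The token-at-rest scheme described above, as an added TypeScript example that is not Lynfolio's own code: it assumes a Node backend and a server-held key loaded from a secret store (a constructed hex key stands in here), binds each ciphertext to the owning user and org ids as GCM additional authenticated data, and includes the "refresh before expiry" check a background job would run.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Server-held 256-bit key. Constructed for this example; in production load it
// from a secret store and never send it to the browser.
const SERVER_KEY: Buffer = Buffer.from(
  "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "hex");

// What gets stored in the database: version, 12-byte IV, 16-byte auth tag,
// ciphertext, all base64. No key material is ever written to the row.
interface SealedToken { v: 1; iv: string; tag: string; ct: string; }

// Encrypt a refresh token with AES-256-GCM. The user id and org id are bound as
// additional authenticated data (AAD), so a ciphertext copied onto another
// user's row fails authentication even though the server key is the same.
function sealToken(token: string, userId: string, orgId: string): SealedToken {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", SERVER_KEY, iv);
  cipher.setAAD(Buffer.from(`${userId}:${orgId}`, "utf8"));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return {
    v: 1,
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Decrypt and verify. Returns null instead of throwing when the tag or AAD does
// not match, so a tampered or mis-assigned row becomes "needs re-auth" rather
// than a crashed sync run.
function openToken(sealed: SealedToken, userId: string, orgId: string): string | null {
  try {
    const decipher = createDecipheriv("aes-256-gcm", SERVER_KEY, Buffer.from(sealed.iv, "base64"));
    decipher.setAAD(Buffer.from(`${userId}:${orgId}`, "utf8"));
    decipher.setAuthTag(Buffer.from(sealed.tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(sealed.ct, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}

// Background-job check: refresh when the access token is within `skewSeconds`
// of expiring so a sync never starts with a token that dies mid-run.
function needsRefresh(expiresAtMs: number, nowMs: number, skewSeconds = 300): boolean {
  return expiresAtMs - nowMs <= skewSeconds * 1000;
}
```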
Decisions and tradeoffs
A spreadsheet can’t auto-refresh OAuth or show live sync; the official dashboard can’t be multi-org without context switching. Lynfolio owns the portfolio problem and deliberately avoids being a second billing system—estimates come from project metadata, not a replacement for the Supabase invoice. That honesty in the product copy (“map of your footprint, not a replacement for your invoice”) sets expectations and reduces support churn from people expecting penny-perfect bills.
Outcomes and learnings
The strongest feedback has been from agencies and heavy Supabase users who finally see “hidden” projects and cumulative monthly exposure. For me, the build validated that OAuth UX + security narrative (PKCE, encrypted tokens, RLS) is a feature, not a footnote—especially when asking users to connect production accounts. The roadmap stays focused: reliability of sync, clearer cost signals, and calmer on-call for client-facing operators.