BaseDeck Documentation
BaseDeck is a Progressive Web App that gives you a full Supabase management interface on your phone. No terminal. No laptop. No waiting until you are back at a desk.
This document covers every feature, the security model, and the architecture behind the app.
If you prefer hands-on walkthroughs, the Guides section has step-by-step instructions for the most common tasks.
Installing BaseDeck
BaseDeck is a PWA — install it directly from your browser, no app store required.
Android (Chrome): open basedeck.netlify.app/dashboard, tap the three-dot menu, and select Add to Home Screen. The app launches full-screen from your home screen just like a native app.
iOS (Safari): open basedeck.netlify.app/dashboard in Safari, tap the Share button, and select Add to Home Screen. Chrome on iOS does not support PWA installation due to Apple restrictions — Safari is required.
Signing In
BaseDeck authenticates via your Supabase Personal Access Token — the same long-lived token the CLI uses. It authorises access to the Supabase Management API on your behalf.
To generate one: go to supabase.com → Dashboard → Account → Access Tokens and create a token. Paste it into BaseDeck's login screen. It is encrypted server-side immediately and stored only as ciphertext on your device.
Edge Functions
The Functions tab is the core of BaseDeck. Write, deploy, and manage Supabase Edge Functions without leaving your phone.
Single-file deployment
Write your Deno/TypeScript function in the built-in CodeMirror editor, set its name, and tap Deploy. BaseDeck bundles and uploads it to Supabase automatically.
Multi-file deployment
Use multi-file mode when your function imports shared utility files. Add your entry point and any shared modules — BaseDeck resolves import paths automatically before sending the bundle to Supabase's edge runtime.
Deploy log
Every deploy streams a timestamped log in real time. You see exactly what the server is processing, including any errors from the Supabase bundle endpoint.
Database Browser
The Database tab lists every table in your project's public schema. Tapping a table loads its rows via PostgREST, paginated at 50 rows per page with forward and back navigation.
The database browser is read-only. It does not write or delete rows. Use the SQL Editor for data modification.
SQL Editor
A full CodeMirror editor with SQL syntax highlighting, connected directly to your Supabase project via the /api/db proxy. You can run any valid Postgres query and results appear in a scrollable table.
Snippets let you save frequently used queries by name. History stores the last 20 queries you ran so you can reload them with a tap. Queries containing DROP, DELETE, TRUNCATE, or ALTER TABLE trigger a confirmation dialog before execution.
Invoking Functions
Tap any deployed function in the Functions list to open its detail view. Set the HTTP method, request body, and custom headers, then invoke the function and inspect the full response — status code, body, and round-trip time in milliseconds.
Token Security
Your Personal Access Token has full management access to your Supabase account. BaseDeck handles it as follows:
- Your token is sent over HTTPS to a Netlify serverless function on login.
- That function encrypts it with AES-256-GCM using a server-side
ENCRYPTION_KEYenvironment variable that never leaves the server. - The encrypted ciphertext is returned to your device and stored in
localStorage. - Every API call sends the ciphertext. The server decrypts it on demand and proxies the request — the raw token is never accessible to the browser after initial login.
PIN Lock
Every cold start requires your 4-digit PIN before any project data or controls become visible. You set the PIN during first launch and can change it from Settings at any time.
After 5 wrong attempts, the app wipes the stored encrypted token and returns to the login screen — protecting against brute-force access on a lost device.
Tech Stack
BaseDeck is intentionally lean — no frameworks, no build tools, no frontend dependencies beyond CodeMirror loaded via CDN.
| Layer | Technology |
|---|---|
| Frontend | Vanilla HTML / CSS / JavaScript, ES modules |
| Serverless functions | Netlify Functions (Node.js) |
| Deploy engine | Netlify Edge Function (Deno / TypeScript) |
| Hosting | Netlify |
| Code editor | CodeMirror 5 (CDN) |
| Email relay | Google Apps Script |
API Proxying
All Supabase API calls go through Netlify serverless functions — never directly from the browser. This keeps your decrypted token entirely server-side and out of browser network inspection tools.
/api/auth— encrypts or decrypts tokens with AES-256-GCM/api/proxy— forwards calls to the Supabase Management API/api/db— handles SQL execution and PostgREST row reads/api/bundle— edge function that packages and deploys functions to Supabase/api/contact— relays contact form submissions via Google Apps Script