Comparison
PgBeam vs Supabase agent features
Supabase ships agent and MCP integrations for the databases it hosts. PgBeam is a policy and audit gateway that secures agent access to any Postgres, including a Supabase database, over the wire.
Supabase agent features: Supabase ships native agent and MCP integrations that govern access to the Postgres databases it hosts.
Supabase and PgBeam are not the same kind of product, and they are not exclusive. Supabase is a place to host Postgres that also ships agent and MCP features. PgBeam is a gateway that governs how an agent reaches Postgres, on any host, including a Supabase database. If your data lives on Supabase and you want one policy across every host you run, you use both.
PgBeam vs Supabase agent features, side by side
| Capability | PgBeam | Supabase agent features |
|---|---|---|
| Hosts the database | No (gateway) | Yes (managed Postgres) |
| Agent policy (read-only, allowlists, budgets) | Yes, at the wire | Partial, on Supabase-hosted DBs |
| PII masking (redact / null / hash) | Yes | Partial |
| Query budgets / max rows | Yes | No |
| Per-statement audit trail | Yes | Partial |
| Instant revoke / kill-switch | Yes, per credential | Per-platform |
| Hosted MCP endpoint with policy | Yes | Some |
| Connection pooling | Yes | Yes (Supavisor) |
| Query caching | Yes (TTL + SWR) | No |
| Works with non-Supabase Postgres | Yes (any host) | Supabase-hosted only |
A gateway, not a platform
Supabase governs access to the databases it hosts. PgBeam governs what an agent is allowed to do with a database on any host. It parses every statement and enforces read-only, table and column allowlists, masking, and budgets at the wire, then records each one in an audit trail. A platform's native controls guard its own hosting; they do not reach a database you run on RDS, Aurora, or your own hardware.
That is the wedge: PgBeam's enforcement reaches databases a database vendor cannot, because it sits in the Postgres wire protocol rather than inside one provider's platform. The same policy covers a Supabase database, an RDS instance, and a self-hosted Postgres at once, with one set of rules and one audit trail.
Use them together
Point PgBeam at your Supabase connection string, issue a scoped agent credential, and the agent reaches Supabase through a policy engine with masking and audit. Your application keeps connecting to Supabase directly. Repeated agent reads can be cached at the proxy to keep load off the database.
When Supabase agent features is the better fit
Supabase is a full managed Postgres platform with auth, storage, edge functions, and its own agent and MCP integrations. If all of your Postgres is on Supabase and its native controls cover what you need, using them keeps everything in one platform with no extra hop. PgBeam is for when you need one policy, masking, audit, and a kill-switch that also apply to databases outside Supabase.
Questions
Safe Postgres access for your agents
Start with a 14-day free trial. No credit card required.
Technical preview. For internal testing only.
Get Started