twinstack
GitHub
Open source · Local-first · $10/yr for unlimited

Clone the whole Supabase project.

Database, storage files, auth users that still log in, edge functions, RLS, roles, config — moved together. In one command, or one click in the local UI.

pg_dump & co.dbstorageauth usersfunctions
Twinstackdbstorageauth usersfunctions
Get your install command →I already have an account

Free for projects under 100 MB · No card to start

Except the few values Supabase makes unreadable, by anyone — those, we hand you a guided checklist for.

Install

Three steps. Everything else handled.

Sign up free, get a personalized install command, paste it into your terminal. The installer figures out what's missing — Node 18+, pg_dump, psql — installs only what you don't have, then launches Twinstack in your browser.

  1. 1

    Sign up free

    Email + password. Confirm your email. Takes 30 seconds.

  2. 2

    Copy your install command

    Your account page shows a one-liner tied to your email. Pick macOS, Linux, or Windows — we detect your OS by default.

  3. 3

    Paste & run

    Open Terminal (or PowerShell), paste, press Enter. The local UI opens automatically when it's done.

Sign up — get my install commandAlready signed up? Open my account
macOSHomebrew (installs it first if missing) · Node + libpq.
LinuxAuto-detects apt, dnf, or pacman.
WindowsPowerShell + winget. Run as a normal user — no admin.

What it moves

Everything that can be moved, moved together.

The DB is the easy part — every tool does that. The differentiator is the orchestration around it: storage objects, auth schema, function deployments, per-project config, and the secrets checklist for what Supabase keeps write-only.

database

Schema, data, RLS, roles, extensions

Standard pg_dump heart, driven through the engine so you never see the four-flag command. Custom-role passwords get a reset checklist on the target.

auth users

Logins still work on the copy

Bcrypt password hashes transfer with the rest of the auth schema. Sessions don't (per-project JWT secret); users sign in once on the new project.

storage files

Every blob, resumable

Bucket walk → per-object stream with bounded concurrency → completion tracked. Dropped connection at file 9,000 of 12,800 resumes at 9,001.

edge functions

Download + redeploy with config

verify-JWT, import map, entrypoint — all preserved. Function source transfers; secret values belong to the secrets checklist.

config

Project config & auth flags

Site URL, redirect URLs, MFA flags, the things you only notice once a hotfix breaks them.

checklist

Guided secrets handoff

Function secrets, OAuth client secrets, SMTP, Vault — Supabase makes those write-only. The CLI lists every name; you paste each value once, straight to Supabase.

env-sync

Re-sync on demand, drift detection built in

Define a pair once. Run twinstack drift any time for a read-only diff. Run twinstack sync to re-clone — same engine, same resumability, much faster than the first run.

Two ways to drive it

Terminal or browser. Same engine.

Built for backend engineers, accessible to anyone with a Supabase project.

$

CLI

For terminal-native workflows, CI, and scripting. Interactive prompts, --only / --skip filters, resume on a runId.

twinstack clone

Local UI

new

Same engine, browser-rendered. Drag-and-drop your .env, see size estimates before you start, pause/resume mid-run, post-run report you can keep.

twinstack ui

Env-sync

Keep staging current with prod, on demand.

One-time clones cover the migration moment. Env-sync covers the steady state — the times your staging drifted weeks ago and nobody noticed.

  1. 1

    Define the pair once

    twinstack env add prod-to-staging

    Credentials live in your shell env-vars; only the pair name and refs are stored.

  2. 2

    Check drift, safely

    twinstack drift prod-to-staging

    Read-only summary: schema changes, row deltas, new buckets, new functions.

  3. 3

    Re-sync when you're ready

    twinstack sync prod-to-staging

    Full re-clone, much faster than the first — storage resume + skip-unchanged where supported.

The problem

Cloning a Supabase project is a known mess.

  1. Supabase has no one-click “duplicate project.” The team has publicly described full duplication as a medium-to-long-term goal because the platform spans Postgres, the Storage API, the auth schema, and edge functions. GitHub Discussion #5930 →
  2. Database backups don't include your storage files. Supabase's own docs state backups exclude objects you store via the Storage API — only the metadata rows come along. A “cloned” project ends up full of dangling file references. Supabase backup docs →
  3. So you hand-stitch pg_dump, the CLI, and manual fixes — and still hit auth schema collisions, missing function source, and a target project that needs hours of cleanup before it actually works. #708 · #22066

Trust

Trust earned by architecture, not by promises.

You're handing a tool the keys to your entire production backend. The strongest answer to “could you steal my credentials?” is to design the product so we never hold them in a position to.

Local by default

The CLI runs on your machine. Your credentials and data never touch our servers — the tool talks directly to Supabase.

Open source

The engine that touches credentials is open source. Read exactly what it does, line by line. Don't trust us, read the code.

No data retention

We never store the contents of your project. Data streams source → target and is never persisted by us.

No telemetry on credentials

Credential values are never logged, transmitted, or analyzed. The CLI doesn't phone home about your projects.

Least privilege

We use the narrowest access needed, document exactly what each token is for, and you can revoke them from your Supabase dashboard the moment a run finishes.

Auditable, locally

Every action the tool takes is recorded in a local run log. You can see precisely what was read and what was written.

Pricing

Free for small projects. $10/year for the rest.

No card to start. The free tier covers most one-off clones. Paid is a flat $10/year for unlimited runs of any size — the same engine, same trust posture.

Free

$0

forever

  • Projects under 100 MB
  • 1 run total
  • All subsystems: DB, auth, storage, functions
  • Resumable, idempotent, local-first
  • The full guided secrets checklist
  • Local UI included
Sign up free
recommended

Unlimited

$10/year

flat, predictable, no metering

  • Any project size — no upper limit
  • Unlimited runs
  • Env-sync: named pairs, drift, re-sync
  • All current and future paid features
  • Same local-first trust posture
  • Priority response on issues
Upgrade · $10/yr

Cancel any time. Sign in first, then upgrade.

Done-for-you

project-based

we run the clone

  • One-off migrations, complex clones
  • For teams that don't want to self-serve
  • You hold the credentials throughout — we screen-share
Get in touch

FAQ

Questions people actually search for.

How do I duplicate a Supabase project completely?

Install with the one-liner (or npm install -g twinstack if you have Node and psql), then run twinstack clone or twinstack ui. The engine works through the pipeline: schema → data → auth users → storage buckets → storage files → edge functions → config. The end report lists the few values Supabase keeps unreadable so you can paste them on the target.

Can I clone Supabase storage files, not just the metadata?

Yes — this is the differentiator. Database backups only contain the metadata rows; the actual blobs live in S3-backed Storage. Twinstack walks every bucket, streams each object source → target with bounded concurrency, and tracks completion per file so a dropped connection at file 9,000 of 12,800 resumes at file 9,001.

How do I migrate auth users so they can still log in?

Twinstack does a data-only migration of auth.users, auth.identities, and related tables with ON CONFLICT DO NOTHING so the target's pre-seeded auth schema doesn't collide. The encrypted_password column (bcrypt) transfers, so users log in on the copy with their existing passwords. Sessions and refresh tokens do not transfer — the JWT secret is per project, so a one-time re-login is expected.

Can I copy edge functions between projects?

Yes. Twinstack runs supabase functions download against the source for each function, then deploys to the target with supabase functions deploy, preserving per-function config (verify-JWT, import map, entrypoint). Function source code transfers; secret values do not — Supabase makes those write-only on purpose. The checklist tells you exactly which ones to set on the target.

How do I keep my Supabase staging environment in sync with production?

Run twinstack env add prod-to-staging once to define the pair, then twinstack drift prod-to-staging for a read-only summary of what has changed since the last sync, and twinstack sync prod-to-staging to re-clone on demand. Storage files resume per-object, so subsequent syncs are much faster than the first clone.

What does the free plan include? When do I need the $10/year?

Free covers projects under 100 MB, with 1 run to try Twinstack end to end. The full feature set is included on free — no degraded engine, same auth user migration, same storage transfer, same secrets checklist. You upgrade when your project size crosses 100 MB or you've used your 1 free run. Unlimited is a flat $10/year, no per-gigabyte metering.

Does it preserve RLS policies, triggers, and roles?

Yes — they live in the schema dump alongside tables, and come along automatically. Custom-role passwords are not in any backup (security), so Twinstack lists the roles for you to reset on the target.

How do I fix the "already exists" / "multiple primary keys" error when restoring?

Those errors happen when a naive pg_dump includes the auth or storage schemas — both are pre-seeded on every new project. Twinstack avoids the issue entirely by dumping only public and your custom schemas, and migrating the auth schema data-only with ON CONFLICT DO NOTHING.

Is it safe to give Twinstack my service_role key and DB password?

The CLI runs on your machine and talks directly to Supabase — credentials never reach our servers, because the default mode has no server. The engine is open source: read what it does with your keys before you run it. After a run you can revoke every token from your Supabase dashboard in one click. The control plane only sees the project size you report — never the data.

What's in the install one-liner? What does it touch on my machine?

The Mac/Linux script checks for Node 18+ and pg_dump/psql, and uses Homebrew or your distro's package manager to install only what's missing. The Windows script uses winget for the same. Then it runs npx twinstack@latest ui which downloads the CLI on demand. Re-running is idempotent — it skips anything already installed.

Clone the whole project — not just the database.

Get your install command →I already have an account

Runs locally. Credentials never leave your machine. Open source.