Bolt
storage
Cloud Storage Permissions Misconfigured in Bolt App
Your Bolt.new application fails to upload, read, or delete files from cloud storage. Users get permission denied errors when trying to upload profile pictures, access shared documents, or view images that should be publicly visible.
Cloud storage services like Supabase Storage and AWS S3 use policy-based access control. If these policies are too restrictive, legitimate operations fail. If they're too permissive, anyone on the internet can read or modify your files. Bolt's AI often generates storage code without configuring the bucket policies correctly.
This typically surfaces right after connecting cloud storage: uploads fail with RLS policy violations, images return 403 errors, or users can see other users' private files because the policies are set to public.
Error Messages You Might See
StorageApiError: new row violates row-level security policy
403 Forbidden: Access denied to storage object
Error: Bucket not found
StorageApiError: The resource already exists
Policy check failed for storage.objects
Common Causes
- Supabase RLS not configured — Storage bucket has Row Level Security enabled but no policies defined, blocking all operations
- Bucket set to private without access policies — The bucket is private (correct) but no policies allow authenticated users to upload or read their files
- Public bucket exposing all files — The bucket is set to public, letting anyone access any uploaded file including private user documents
- Wrong storage bucket name — Code references a bucket name that doesn't exist or is misspelled in the Supabase dashboard
- Service role key used on client — The Supabase service_role key bypasses RLS in development but the anon key used in production respects RLS policies
How to Fix It
- Create proper RLS policies — In Supabase dashboard, add storage policies: allow authenticated users to upload to their own folder (auth.uid()::text = (storage.foldername(name))[1])
- Set bucket visibility correctly — Use private buckets for user files and create signed URLs for access: const { data } = await supabase.storage.from('private').createSignedUrl(path, 3600)
- Use folder-based isolation — Store files in user-specific folders: uploads/{userId}/filename.jpg and restrict access by folder ownership
- Test with anon key — Always test storage operations with the anon key, not service_role, to catch RLS issues before production
- Add public bucket for assets — Create a separate public bucket for truly public assets like product images, and keep user uploads in private buckets
Real developers can help you.
Meïr Ankri
Full-stack developer specializing in React / Next.js / Node.js with 6+ years of experience. I've worked across various sectors including automotive (Reezocar/Société Générale), healthcare (Medical Link SaaS), and e-commerce (Glasman). I build web apps end-to-end, from architecture to production, with a focus on scalability, performance, and code quality. I also mentor junior developers and contribute to technical decisions and code reviews.
Anthony Akpan
Developer with 8 years of experience building softwares fro startups
prajwalfullstack
Hi Im a full stack developer, a vibe coded MVP to Market ready product, I'm here to help
PawelPloszaj
I'm fronted developer with 10+ years of experience with big projects. I have small backend background too
Prakash Prajapati
I’m a Senior Python Developer specializing in building secure, scalable, and highly available systems. I work primarily with Python, Django, FastAPI, Docker, PostgreSQL, and modern AI tooling such as PydanticAI, focusing on clean architecture, strong design principles, and reliable DevOps practices. I enjoy solving complex engineering problems and designing systems that are maintainable, resilient, and built to scale.
Milan Surelia
Milan Surelia is a Mobile App Developer with 5+ years of experience crafting scalable, cross-platform apps at 7Span and Meticha. At 7Span, he engineers feature-rich Flutter apps with smooth performance and modern UI. As the Co-Founder of Meticha, he builds open-source tools and developer-focused products that solve real-world problems.
Expertise:
💡 Developing cross-platform apps using Flutter, Dart, and Jetpack Compose for Android, iOS, and Web.
🖋️ Sharing insights through technical writing, blogging, and open-source contributions.
🤝 Collaborating closely with designers, PMs, and developers to build seamless mobile experiences.
Notable Achievements:
🎯 Revamped the Vepaar app into Vepaar Store & CRM with a 2x performance boost and smoother UX.
🚀 Launched Compose101 — a Jetpack Compose starter kit to speed up Android development.
🌟 Open source contributions on Github & StackOverflow for Flutter & Dart
🎖️ Worked on improving app performance and user experience with smart solutions.
Milan is always happy to connect, work on new ideas, and explore the latest in technology.
Luca Liberati
I work on monoliths and microservices, backends and frontends, manage K8s clusters and love to design apps architecture
Jacek Rozanski
Senior PHP/Symfony developer and DevOps engineer with 20+ years of professional experience, running opcode.pl (web development agency, est. 2004).
Day job: I'm the sole backend developer at merketing company where I own and maintain 11 PHP/Symfony microservices on AWS (ECS Fargate, RDS, S3, CloudFront), handle the full CI/CD pipeline (Bitbucket Pipelines, Docker), and manage monitoring with Sentry and CloudWatch. These services handle high request volumes in production every month.
What I bring to AI-built apps:
- I audit and fix security issues (OWASP methodology), performance bottlenecks, and architectural problems in codebases generated by Cursor, Claude Code, Lovable, Bolt, and v0
- I refactor AI-generated prototypes into production-grade applications with proper error handling, testing, and clean architecture (SOLID, DDD, hexagonal architecture)
- I set up the infrastructure AI tools don't touch: AWS hosting, CI/CD pipelines, automated deployments, database optimization, monitoring, and alerting
- I integrate external services: payment providers, email systems, partner APIs, SSO/auth
Tech stack: PHP 8.x, Symfony, React, Next.js, PostgreSQL, MySQL, Docker, AWS (ECS, RDS, S3, SQS/SNS, CloudFront), Terraform, Supabase. I also use AI tools daily (Claude Code, Cursor) in my own workflow, so I understand both the strengths and the gaps in AI-generated code.
Based in Poland (CET timezone). Available for async work and calls during EU/US business hours.
Taufan
I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms.
Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact.
hanson1014
Full-stack developer experienced in fixing and deploying AI-generated apps from Lovable, Bolt.new, Cursor, and Replit. I specialize in debugging Supabase integration issues (auth flows, RLS policies, database connections), fixing broken deployments, resolving routing/blank screen problems, and cleaning up messy React/Vite codebases. I also build production apps with the Claude API and have shipped a Mac desktop dev tool (Nexterm from scratch. Based in Hong Kong, fast turnaround.
You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.
Get HelpFrequently Asked Questions
Should my Supabase Storage bucket be public or private?
Use private buckets for user-uploaded content (profile photos, documents). Use public buckets only for assets that genuinely need to be accessible to anyone (product images, marketing assets). Always configure RLS policies regardless of visibility.
Why does storage work in development but not production?
In development, you might be using the service_role key which bypasses all RLS policies. In production, the anon key is used and respects RLS. Create proper storage policies that allow authenticated users to manage their own files.