Social Roster · your app’s data

Where your app’s data can live — your options, explained simply

Here are the realistic ways to store your app’s info and files, plain and simple — no wrong answers, just trade-offs.


You asked

You asked — quick answers 👇

“Could I just use Google Drive or Dropbox to make this easier?”

Great question! Drive and Dropbox are perfect for personal files, but they’re not built to power a live app — your app can’t reliably or securely pull files from them for your users, they hit strict limits as you grow, and for something as sensitive as government ID photos, it’s genuinely risky. Cloudflare R2 is the right tool for this job, and it’s honestly not harder once the token is made — that token is the only fiddly part, and here’s exactly how (below).

“I made an R2 account but I’m stuck making a token — it says I need a token to manage tokens, and I don’t know what to put.”

You’re just on the wrong screen — easy fix. That “need a token to manage tokens” message is Cloudflare’s general account-tokens page. The R2 one is separate and simpler:

  1. In Cloudflare, click R2 in the left menu.
  2. On the R2 page, click “Manage R2 API Tokens” (top-right), then “Create API Token.”
  3. Token name: type anything, e.g. social-roster-app.
  4. Permissions: choose “Object Read & Write.”
  5. Buckets: “Apply to all buckets” is fine.
  6. TTL / expiration: leave it Forever.
  7. Click Create API Token.
  8. It shows your Access Key ID and Secret Access Key — copy BOTH now (the Secret is shown only once!).
  9. Your Account ID is on the main R2 page (right-hand side).

Send us those three (Access Key ID, Secret Access Key, Account ID) and you’re done — you don’t need to create a bucket or touch anything else; we handle the rest.

Recommended for now

Stay on Supabase (what you have now)

Supabase is a managed cloud service — a company that runs the computers for you. It stores your database (all your users’ and campaigns’ info) plus your files, and handles backups, security, and scaling automatically.

👍Works today, nothing to babysit, secure-capable out of the box.
👎Monthly cost grows as usage grows; the free tier is limited.

Best for: keeping things simple — the easy, proven path.

Good next step, later

Supabase for the database + Cloudflare R2 (or Amazon S3) for the photos and videos

You keep your database right where it is, but move the big image and video files — including ID photos — to storage built specifically for files. Cloudflare R2 stands out because it charges nothing for bandwidth (the data used whenever someone views or downloads a file).

👍Gets cheaper as your photos and videos pile up; pages load faster.
👎Takes a little technical setup to connect the two systems.

Best for: later — once you’re storing a lot of media.

Not recommended right now

Self-host everything on your own server

You’d run the database and files on a machine you own or rent yourself, instead of paying someone else to manage it.

👍Cheapest option over time; you have full control.
👎You become responsible for uptime (keeping the site running), security, backups, and updates — and since you store people’s government ID photos, a mistake here could mean a serious data breach.

Best for: only if you have real technical help on hand.

Backups only — not for the live app

A hard drive plugged into your computer

To be clear and kind: this isn’t a way to run a live website’s storage. A plugged-in drive can’t reliably or securely serve your app to the public, and it’s unavailable whenever your computer is off or asleep.

👍Great as an encrypted (locked with a digital key, so only you can read it) offline backup copy of your data — cheap insurance.
👎Can’t run your live app; no access whenever the computer is off.

Best for: backups only, never the live app.

Our recommendation

Keep it simple, add a safety net

  1. Stay on Supabase for now — it’s working, and it’s simple.
  2. Add an encrypted offline backup copy on a drive, as cheap insurance.
  3. Move the big photo and video files to Cloudflare R2 once they start to add up.
  4. Don’t run the live app off a local hard drive.

Questions about any of this? Just ask — happy to walk through it with you.

One reply and you’re set

Like this plan? Here’s all we need from you — reply once and we handle the rest.

Great news — your app has no users or files yet, so there’s nothing to move. We just connect new uploads to the new storage and write all the code. You won’t touch anything technical.

  1. A Cloudflare account with “R2” turned on. Cloudflare is free to start; R2 is their file-storage. Create an account at cloudflare.com, turn on R2, then make an R2 API token (in the dashboard under R2 → Manage API Tokens, choose “Object Read & Write”) and send us the Access Key ID, Secret Access Key, and your Account ID. Why: this is your storage, in your name — you own it and the bill (R2’s free tier is generous). Not sure how? Say the word and we’ll either walk you through it on a quick call, or get you started on our setup and move it to your account later.
  2. Access to your Supabase. From your Supabase dashboard, either Account → Access Tokens (a token starting sbp_) or Project Settings → Database (the password). Why: we need this to finish locking down your data security and to connect the new storage — it’s the same access our security fixes need.
  3. How you want photo/file links to look. A custom address like media.yoursite.com (looks polished, needs a domain you own) or the default Cloudflare address (works instantly, zero setup). Why: just tell us your preference — either way works great.
  4. A thumbs-up to proceed. We set everything up and test it before it’s live. Why: nothing on your current setup is deleted until you say so.

Reply to this with any questions, or with the items above, and we’ll take it from there — end to end.