Option 1: manual pg_dump
Grab the direct connection string from Project Settings → Database, then run a custom-format dump (compressed, restorable in parallel):
pg_dump "postgres://postgres:[password]@db.[ref].supabase.co:5432/postgres" \ --format=custom --no-owner --file=backup_$(date +%F).dump
Use a pg_dump whose major version matches your server (SHOW server_version;). Store the file somewhere that is not Supabase.
Option 2: built-in backups
On the Pro plan Supabase takes daily backups (7-day retention by default) and offers PITR as an add-on. They restore from the dashboard and are worth keeping on. Two limits: the free tier has none, and they live in the same account they protect — a suspended or compromised account takes its backups with it.
Option 3: automated, independent, restore-tested
A scheduled service connects with a read-only role, streams encrypted dumps off-platform, and — the part almost everyone skips — restores each one on a fresh instance to prove it loads.
Whatever tool made your backup, the only way to know it works is to restore it. Firedrill does that automatically for every backup — or try a one-off free drill on a dump you already have.