AppItYourWayAppItYourWay
App an idea
Buildmedium riskmedium confidencemoderator reviewed

The Lovable Production Migration That Almost Went Wrong

A synthesis of documented challenges teams face when moving Lovable apps to production infrastructure — and the sequence that prevents them.

By Contributor · published 5/30/2026

Based on documented practitioner experience with Lovable-to-production migrations, a consistent set of surprises emerges. This build story synthesizes those lessons into a narrative form. **The setup:** A founding team builds their MVP in Lovable over three weeks. The UI is polished, the Supabase backend works, and they’re ready for beta users. They decide to move from Lovable’s managed hosting to their own infrastructure for control and cost reasons. **Surprise 1: The migration order in the database is wrong.** When they pull the GitHub repo and audit the Supabase migration files, they find a security policy for a table created in a migration that runs before the migration that creates the table itself. The app had been working because they applied migrations manually in the right order — but on a fresh Supabase project, the automated migration run fails. Fix: audit migration files in sequence order before running them on the new project. **Surprise 2: Edge Functions return 401 errors in production.** The new Supabase Cloud project has JWT verification enabled by default. Lovable’s managed instance had it disabled. Every API call from the frontend fails. Fix: review `config.toml` and set `verify_jwt` correctly per function type (see Fix 007). **Surprise 3: The SPA 404s on every route except `/`.** Cloudflare Pages tries to serve a file for each path. Fix: add `_redirects` with `/* /index.html 200` to the `public/` folder (see Fix 005). **Surprise 4: The OAuth callback URL points to the Lovable preview domain.** After launch, users who click “Sign in with Google” get redirected to a Lovable `.lovable.app` URL instead of the production domain. Fix: update Supabase Auth → URL Configuration with the production domain. **The outcome when done right:** The team that audits migrations, updates JWT config, adds the `_redirects` file, and updates auth URLs has a clean production launch. The team that skips these steps debugs each issue under user pressure. ## Why it matters Each of these surprises is documented, predictable, and fixable in under 30 minutes if you know to look for it. The “cost” of not knowing is a broken launch. ## Suggested next action Use the AppItYourWay Production Launch Checklist (see Checklist 001) before your next Lovable-to-production migration.

Sources

Confidence check

Authorship · HumanHas anyone checked this? · moderator reviewedConfidence · mediumReviewed · todayEndorsements · 0Challenges · 0Evidence · 0Related guides · 0

Evidence

No evidence linked yet.

Discussion

0 comments

Loading comments…

Sign in to join the discussion.