How to Move Off Lovable Without Breaking Your App

What actually transfers when you leave Lovable?

Your frontend, components, and application code port cleanly through Export to GitHub. Everything that lives in the managed Supabase backend or Lovable's build environment does not: auth password hashes, RLS policies, storage buckets, edge functions, secrets, and scheduled jobs all need deliberate, separate handling. Treating the git export as a complete migration is the single biggest cause of broken cutovers.

Think of it as two layers. The code layer (React, Vite config, Tailwind, your components) is portable and shows up in your repo. The platform layer (managed credentials, database security, background work) is configuration that Lovable injects or Supabase holds — it has to be reconstructed on the target stack before your first live deploy.

Read the What Breaks on Export table below before you start. It is the difference between a one-day move and a week of production firefighting.

Related: What breaks when you export Lovable · Export Lovable code to GitHub

What breaks on export, and what ports cleanly?

Frontend, components, and code port cleanly. The parts that break are the managed-backend pieces: bcrypt password hashes are never exported, RLS policies live in Supabase not your code, storage objects must be copied bucket-by-bucket, edge functions deploy to Supabase separately, secrets are injected at build time and vanish, and any cron schedules have to be recreated on the new host.

Use this table as your migration map. The 'Ports cleanly?' column tells you what you can ignore after a git clone; every 'No' row is a task you must complete before DNS cutover.

Related: Migrate data to your own Supabase · Move secrets to edge functions

What is the correct order of operations for migrating off Lovable?

Stabilise the current build, export to GitHub, clone locally, choose a host, move secrets, migrate data and replicate RLS, mirror edge functions and cron, copy storage, dry-run deploy, then cut over DNS. The sequence matters: doing data and RLS before a dry run lets you catch a 401 on a throwaway URL instead of in front of live users.

1. 1. Stabilise: confirm the Lovable preview works before you touch anything.
2. 2. Export to GitHub: Project Settings to GitHub, link the repository.
3. 3. Clone locally: git clone <repo-url> && cd <project> && npm install, then npm run build to prove it compiles.
4. 4. Choose a host: Vercel for React/Vite SPAs, Cloudflare Pages for global edge latency, Netlify for form-heavy or simpler builds.
5. 5. Move secrets: copy every VITE_ prefixed and server-side variable into the new host's environment settings.
6. 6. Migrate data: keep the same Supabase project, or pg_dump and restore into your own.
7. 7. Replicate RLS: export pg_policies and re-apply CREATE POLICY statements on the target database.
8. 8. Mirror edge functions and cron: supabase functions deploy each function; recreate any pg_cron schedules.
9. 9. Copy storage: move bucket objects and re-apply bucket access policies.
10. 10. Dry-run deploy: ship to a *.vercel.app / *.pages.dev URL and smoke-test auth, reads, writes, and payments.
11. 11. Cut over DNS: update CNAME/A records, verify SSL, then trigger the user password-reset campaign.

Related: Migrate Lovable to Vercel (step by step) · Run a Lovable app locally first

How do I verify the migration is actually complete?

Run a structured completeness checklist before and after cutover. Each row maps to one asset that does not port cleanly, plus a concrete verification you can perform on the throwaway deploy URL. If any row is unchecked, you are not done — that gap is where the production incident comes from. Treat the checklist as a gate, not a suggestion.

Work the checklist top to bottom on your *.vercel.app or *.pages.dev URL while the live domain still points at Lovable. Only when every row passes do you change DNS.

Why can't I export Supabase auth password hashes?

Supabase stores passwords as bcrypt hashes managed by the GoTrue auth server, and exports intentionally omit them for security. If you migrate to a new Supabase project, users cannot log in until they reset their passwords. The safe play is a phased password-reset campaign timed to DNS cutover, so the only user-visible event is one reset email — not a lockout.

If you keep the same Supabase project, hashes never move and no reset is needed — you only update allowed origins. The reset campaign is required only when you move to a fresh Supabase instance, which is also when you copy storage and re-create RLS.

Related: Lovable RLS and auth best practices

How do I make sure RLS policies survive the migration?

Row-Level Security policies live in Supabase, not in your Lovable code, so a git push never carries them. If you move to a new Supabase project, export every policy and re-apply it before the first live deploy. If you keep the same project, you only add the new domain to allowed origins. A missing policy is invisible until a real user reads someone else's data.

1. In the Supabase SQL editor, run: SELECT * FROM pg_policies; and save the output.
2. On the target database, run the corresponding CREATE POLICY statements for every table.
3. Under Authentication to URL Configuration, add the new host's domain to allowed origins/redirect URLs.
4. Sign in as two different users on the dry-run URL and confirm neither can read the other's rows.

Related: Lovable users can see each other's data

What happens to environment variables and secrets when I switch hosts?

Lovable injects VITE_ prefixed and server-side variables at build time from its own secure store, so they vanish the moment you deploy elsewhere. Missing env vars are the most common reason a migrated app returns a blank page or fails its first API call. Re-add every variable on the new host before the dry-run deploy, and confirm the host does not strip the VITE_ prefix.

For Vercel: Project to Settings to Environment Variables. For Cloudflare Pages: Settings to Environment Variables. For Netlify: Site to Site Configuration to Environment Variables.

Keep server-only secrets (service-role keys, Stripe secret keys) out of any VITE_ variable — anything VITE_ prefixed is bundled into the client. Move those into edge functions or server env instead.

Related: Lovable env and secrets best practices

Where should I migrate to, and how much does leaving cost?

Pick a host by app shape: Vercel suits React/Vite SPAs and Next.js, Cloudflare Pages wins on global edge latency and request volume, Netlify fits form-heavy or simpler builds. Cursor is the destination when you want to leave AI-assisted building behind and own the code in a real IDE. The true cost of leaving is mostly engineering time, not hosting — hosting free tiers usually cover small apps.

Related: The real cost of leaving Lovable · Move Lovable to Cursor

When should I hire an engineer instead of doing this myself?

Self-migration is realistic for a simple Vite app with no payments and a handful of Supabase tables. It gets risky once you have edge functions, real-money Stripe webhooks, multi-tenant RLS, storage, or cron. A single misconfigured RLS policy in production can expose user data, and that is expensive to reverse. When the What Breaks table has many 'No' rows for you, get a second pair of hands.

Our Lovable Migration service covers the full move: code review, env-var and secret migration, RLS parity check, storage copy, edge function and cron deployment, password-reset campaign, DNS cutover, and a post-migration smoke test — fixed price, named engineer.

Book a scoping call and we will tell you, before any commitment, whether your app is a safe DIY or a job worth handing off.

Related: Lovable Migration service (fixed price) · Book a scoping call