diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql
new file mode 100644
index 000000000..ea7192ae7
--- /dev/null
+++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql
@@ -0,0 +1,15 @@
+-- migrate:up
+ALTER ROLE anon SET local_preload_libraries = '$libdir/plugins/safeupdate';
+ALTER ROLE authenticator SET local_preload_libraries = '$libdir/plugins/safeupdate';
+ALTER ROLE authenticated SET local_preload_libraries = '$libdir/plugins/safeupdate';
+ALTER ROLE authenticator RESET session_preload_libraries;
+ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate';
+
+ALTER ROLE anon SET safeupdate.enabled = 1;
+ALTER ROLE authenticator SET safeupdate.enabled = 1;
+ALTER ROLE authenticated SET safeupdate.enabled = 1;
+ALTER ROLE postgres SET safeupdate.enabled = 0;
+
+
+-- migrate:down
+
diff --git a/nix/ext/pg-safeupdate.nix b/nix/ext/pg-safeupdate.nix
index 97921c9c6..814ec5823 100644
--- a/nix/ext/pg-safeupdate.nix
+++ b/nix/ext/pg-safeupdate.nix
@@ -28,9 +28,9 @@ let
         runHook preInstall
 
         mkdir -p $out/share/postgresql/extension
-
+        mkdir -p $out/lib/plugins
         # Install versioned library
-        install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/${pname}-${version}${postgresql.dlSuffix}
+        install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/plugins/${pname}-${version}${postgresql.dlSuffix}
 
         runHook postInstall
       '';
@@ -64,15 +64,15 @@ pkgs.buildEnv {
   paths = packages;
   nativeBuildInputs = [ makeWrapper ];
   pathsToLink = [
-    "/lib"
+    "/lib/plugins"
     "/share/postgresql/extension"
   ];
   postBuild = ''
-    ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/${pname}${postgresql.dlSuffix}
+    ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/plugins/${pname}${postgresql.dlSuffix}
 
     # checks
     (set -x
-       test "$(ls -A $out/lib/${pname}*${postgresql.dlSuffix} | wc -l)" = "${
+       test "$(ls -A $out/lib/plugins/${pname}*${postgresql.dlSuffix} | wc -l)" = "${
          toString (numberOfVersionsBuilt + 1)
        }"
     )
@@ -83,7 +83,7 @@ pkgs.buildEnv {
     numberOfVersions = numberOfVersionsBuilt;
     inherit pname latestOnly;
     defaultSettings = {
-      shared_preload_libraries = [ "safeupdate" ];
+      local_preload_libraries = [ "safeupdate" ];
     };
     pgRegressTestName = "pg-safeupdate";
     version =
diff --git a/nix/tests/expected/pg-safeupdate.out b/nix/tests/expected/pg-safeupdate.out
index f9100116a..21948552e 100644
--- a/nix/tests/expected/pg-safeupdate.out
+++ b/nix/tests/expected/pg-safeupdate.out
@@ -1,4 +1,4 @@
-load 'safeupdate';
+load '$libdir/plugins/safeupdate';
 set safeupdate.enabled=1;
 create schema v;
 create table v.foo(
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index a457f4029..fc06a2f9c 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
@@ -60,11 +60,11 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
-          rolname           |                                    rolconfig                                    
-----------------------------+---------------------------------------------------------------------------------
- anon                       | {statement_timeout=3s}
- authenticated              | {statement_timeout=8s}
- authenticator              | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
+          rolname           |                                                           rolconfig                                                           
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------
+ anon                       | {statement_timeout=3s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
+ authenticated              | {statement_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
+ authenticator              | {statement_timeout=8s,lock_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
  dashboard_user             | 
  pg_checkpoint              | 
  pg_database_owner          | 
@@ -83,7 +83,7 @@ order by rolname;
  pgsodium_keyiduser         | 
  pgsodium_keymaker          | 
  pgtle_admin                | 
- postgres                   | {"search_path=\"\\$user\", public, extensions"}
+ postgres                   | {"search_path=\"\\$user\", public, extensions","local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=0}
  service_role               | 
  supabase_admin             | {"search_path=\"$user\", public, auth, extensions",log_statement=none}
  supabase_auth_admin        | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
diff --git a/nix/tests/expected/z_multigres-orioledb-17_roles.out b/nix/tests/expected/z_multigres-orioledb-17_roles.out
index a307b2014..43713224a 100644
--- a/nix/tests/expected/z_multigres-orioledb-17_roles.out
+++ b/nix/tests/expected/z_multigres-orioledb-17_roles.out
@@ -57,11 +57,11 @@ select
 from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
-          rolname           |                                    rolconfig                                    
-----------------------------+---------------------------------------------------------------------------------
- anon                       | {statement_timeout=3s}
- authenticated              | {statement_timeout=8s}
- authenticator              | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
+          rolname           |                                                           rolconfig                                                           
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------
+ anon                       | {statement_timeout=3s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
+ authenticated              | {statement_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
+ authenticator              | {statement_timeout=8s,lock_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1}
  dashboard_user             | 
  pg_checkpoint              | 
  pg_database_owner          | 
@@ -77,7 +77,7 @@ order by rolname;
  pg_write_server_files      | 
  pgbouncer                  | 
  pgtle_admin                | 
- postgres                   | {"search_path=\"\\$user\", public, extensions"}
+ postgres                   | {"search_path=\"\\$user\", public, extensions","local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=0}
  service_role               | 
  supabase_admin             | {"search_path=\"\\$user\", public, auth, extensions",log_statement=none}
  supabase_auth_admin        | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
diff --git a/nix/tests/sql/pg-safeupdate.sql b/nix/tests/sql/pg-safeupdate.sql
index 790ec79fa..fe25137a1 100644
--- a/nix/tests/sql/pg-safeupdate.sql
+++ b/nix/tests/sql/pg-safeupdate.sql
@@ -1,4 +1,4 @@
-load 'safeupdate';
+load '$libdir/plugins/safeupdate';
 
 set safeupdate.enabled=1;