Exposed API Keys in Supabase Projects

Supabase uses two main API keys: the anon key (designed to be public) and the service_role key (must remain secret). Confusing the two is one of the most dangerous mistakes in Supabase development.

How It Happens

The Supabase anon key is meant to be embedded in frontend code. It provides access scoped by RLS policies and is safe to expose. The service_role key, however, bypasses all RLS and provides full admin access to the database. Developers expose the service_role key when they need to perform operations that RLS blocks, like admin functions or cross-user queries. Instead of writing proper RLS policies or using Edge Functions, they swap in the service_role key. Some developers don't understand the difference between the two keys and use whichever one "makes the app work." AI code generators compound this problem by not distinguishing between the keys. When a generated query fails due to RLS, the AI's suggestion is often to use the service_role key instead of fixing the policy.

Impact

An exposed service_role key gives attackers complete control over the Supabase database. They can read all data, modify any row, delete tables, and even access Supabase Storage buckets. RLS provides zero protection because the service_role key explicitly bypasses it. The attacker essentially becomes the database administrator. They can export the entire database, create backdoor accounts, or silently modify data without detection. Even after you remove the exposed key from code, attackers who captured it still have access until the key is rotated in the Supabase dashboard. Key rotation requires updating all server-side code that uses the old key.

How to Detect

Search your frontend JavaScript bundle for the service_role key value or the string "service_role". Open DevTools > Sources and search for long JWT-like strings. Check your .env files and deployment platform environment variables. Variables named SUPABASE_SERVICE_ROLE_KEY or similar should not have NEXT_PUBLIC_ or VITE_ prefixes. Vibe App Scanner identifies both anon and service_role keys in your deployed application and reports whether secret keys are exposed in client-side code.
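A small Node.js scanner, added here as an example (not the page's or Vibe App Scanner's own code), that automates the two checks just described: it decodes the payload of every JWT-shaped string in a bundle to read the role claim Supabase puts in its keys, and flags .env variables that hold a service_role key under a build-time public prefix. The sample bundle text, .env text and project ref are constructed placeholders.

```javascript
// Added example, not the page's or Vibe App Scanner's own code. Supabase's
// JWT-style API keys carry a "role" claim ("anon" or "service_role") in the
// payload, so a scanner can tell the two apart without knowing the secret.
const JWT_RE = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;
// Prefixes that build tools inline into the browser bundle.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_', 'PUBLIC_'];

function decodeJwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
  } catch {
    return null; // not a well-formed JWT payload; ignore it
  }
}

// Scan bundle text (or any file) for JWTs whose payload says role=service_role.
function findServiceRoleKeys(text) {
  const findings = [];
  for (const m of text.matchAll(JWT_RE)) {
    const claims = decodeJwtPayload(m[0]);
    if (claims && claims.role === 'service_role') {
      findings.push({ offset: m.index, projectRef: claims.ref ?? null });
    }
  }
  return findings;
}

// Flag .env variables that hold the service_role key under a public prefix.
function findPublicServiceRoleVars(envText) {
  return envText.split('\n')
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => line.split('=')[0].trim())
    .filter((name) => name.includes('SERVICE_ROLE') &&
      PUBLIC_PREFIXES.some((p) => name.startsWith(p)));
}

// Constructed sample input: an unsigned token with Supabase-shaped claims
// ("projref0000000000000" is a placeholder project ref, not a real one).
function makeSampleToken(role) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = enc({ alg: 'HS256', typ: 'JWT' });
  const payload = enc({ iss: 'supabase', ref: 'projref0000000000000', role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.${'A'.repeat(43)}`; // fake signature
}

const SAMPLE_BUNDLE = `const s=createClient("https://projref0000000000000.supabase.co","${makeSampleToken('service_role')}");`;
const SAMPLE_ENV = ['NEXT_PUBLIC_SUPABASE_ANON_KEY=<anon>', 'NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=<leaked>', 'SUPABASE_SERVICE_ROLE_KEY=<server-only>'].join('\n');

console.log(findServiceRoleKeys(SAMPLE_BUNDLE), findPublicServiceRoleVars(SAMPLE_ENV));
```

Run it against the contents of your built bundle files (for example everything under .next/static or dist/assets) and your .env files; any finding from either function means the key must be rotated, not just removed.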

How to Fix

Remove the service_role key from all frontend code immediately. Use only the anon key in the browser and rely on RLS policies for access control. Rotate the service_role key in the Supabase dashboard if it has ever been exposed in frontend code or committed to a public repository. For operations that need elevated privileges, use Supabase Edge Functions. Edge Functions run server-side and can safely use the service_role key. The frontend calls the Edge Function using the anon key. Audit your codebase for any place where createClient() is called with a key other than the anon key. Each instance should either be in server-side code or refactored to use Edge Functions.

Code Examples

Supabase client initialization

Vulnerable

// DANGEROUS: service_role key hardcoded in frontend code
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  'eyJhbGciOiJIUzI1NiIs...service_role_key'
)

Secure

// Frontend: use the anon key only; RLS policies enforce access control
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
)

// Server/Edge Function (Deno): service_role is OK here because the key
// never leaves the server. In an Edge Function the import is:
// import { createClient } from 'npm:@supabase/supabase-js@2'
const adminClient = createClient(
  Deno.env.get('SUPABASE_URL')!,
  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
)

Frequently Asked Questions

Is it safe to expose the Supabase anon key?

Yes. The anon key is designed to be public. It provides only the access that your RLS policies allow. If RLS is properly configured, the anon key is safe in frontend code.

How do I rotate the Supabase service_role key?

Go to your Supabase project dashboard > Settings > API. You can regenerate the service_role key there. After rotating, update the key in all server-side code and Edge Functions that use it.

Can an attacker find my service_role key in Git history?

Yes. Even if you remove a key from code, Git preserves the entire history. Use tools like truffleHog to scan your repository history, and always rotate any key that was ever committed.

Is Your App Vulnerable?

VAS automatically scans for exposed API keys and other security issues in Supabase apps. Get actionable results with step-by-step fixes.

Scans from $5, results in minutes.