Service key exposure occurs when admin-level credentials (like Supabase service_role or Firebase admin SDK) are included in frontend code, giving attackers full database access.
Service keys bypass all security rules. The Supabase service_role key ignores Row Level Security (RLS), and Firebase Admin SDK credentials have unrestricted access. When these appear in frontend code, attackers gain complete control over your database regardless of your security configuration.
Complete database access - bypasses all security
Can read, modify, or delete any data
Create/delete users and authentication
Full administrative control over your backend
Service keys should never be in client-accessible code.
Supabase anon key is safe for frontend use with proper RLS.
// Frontend - use anon key
import { createClient } from '@supabase/supabase-js';

const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY // Safe for frontend; RLS still applies
);

Use the service key only in API routes, Edge Functions, or other backend code.
// Server-side only
import { createClient } from '@supabase/supabase-js';

const supabaseAdmin = createClient(
  process.env.SUPABASE_URL,
  process.env.SUPABASE_SERVICE_ROLE_KEY // Never expose this; no NEXT_PUBLIC_ prefix
);

If a service key has been exposed, treat it as compromised and generate new keys in your Supabase/Firebase dashboard.
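As an added example (not part of this page or of VAS), here is a small check a team can run over a built frontend bundle to catch the exposure described above. It relies on two facts: Supabase API keys are JWTs whose payload carries a `role` claim (`anon` or `service_role`), and Next.js inlines every `NEXT_PUBLIC_*` variable into the client bundle. The `fakeJwt` helper and `SAMPLE_BUNDLE` are constructed test data with an invalid signature.

```javascript
// Scan frontend source/bundle text for Supabase service_role keys.
// Added example; not code from the page or from VAS.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null; // not base64url or not JSON: not a JWT we care about
  }
}

function findServiceKeyExposure(source) {
  const findings = [];
  // Bare JWT-looking tokens: header.payload.signature in the base64url alphabet.
  const jwtPattern = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
  for (const token of source.match(jwtPattern) || []) {
    const payload = decodeJwtPayload(token);
    if (payload && payload.role === 'service_role') {
      findings.push({ kind: 'service_role_jwt', token: token.slice(0, 12) + '...' });
    }
  }
  // A service key read through a NEXT_PUBLIC_* variable is inlined into the
  // client bundle by Next.js, so flag the name even if the value is not present.
  const envPattern = /NEXT_PUBLIC_[A-Z0-9_]*SERVICE_ROLE[A-Z0-9_]*/g;
  for (const name of source.match(envPattern) || []) {
    findings.push({ kind: 'public_env_service_key', name });
  }
  return findings;
}

// Constructed sample data: fake JWTs (signature "fakesig" is not valid) with
// the role claim Supabase keys carry, embedded in client-style code.
function fakeJwt(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ iss: 'supabase', role })}.fakesig`;
}

const SAMPLE_BUNDLE = `
const supabase = createClient(url, "${fakeJwt('anon')}");
const admin = createClient(url, "${fakeJwt('service_role')}");
const k = process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY;
`;

console.log(findServiceKeyExposure(SAMPLE_BUNDLE));
```

Run it against the contents of each file in your built `.next/static` or `dist` directory; the anon key in the sample is correctly left unflagged.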
VAS automatically scans for service key exposure and provides detailed remediation guidance.