Critical: act in the next 60 seconds

Supabase service_role key leaked? It bypasses RLS — act now

Your Supabase service_role key may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Step 01

    Open the Supabase project → Settings → API. Click "Reset service_role key". The old key dies instantly.

  2. Step 02

    Update the new key in your server env vars only. It must never reach the browser.

  3. Step 03

    Audit your auth.users, public schema, and storage buckets for unfamiliar rows or files.

Step 01 — Revoke

Kill the leaked credential first

Settings → API → "service_role" row → "Reset" button. Confirm with your password. Copy the new key once. Then update SUPABASE_SERVICE_ROLE_KEY in Vercel/Railway/etc. — never on the client.


Step 02 — Rotate

Update the new key in the right place

Server-side env vars only — never in client code, never with NEXT_PUBLIC_.

lib/supabase-server.ts — service role NEVER ships to browser
import { createClient } from '@supabase/supabase-js';
// SERVER ONLY. Use only inside Route Handlers, Server Actions, or cron jobs.
export const supabaseAdmin = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY!,  // NOT NEXT_PUBLIC_
  { auth: { persistSession: false } },
);

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan to confirm no other service-role JWTs are floating in your bundle, and that RLS is enabled on every public table.

How this usually leaks

  1. Used in a client component because the developer confused the anon key with the service_role key.
  2. Pasted into NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY, which exposes it to every page view.
  3. .env file pushed to GitHub on first deploy.
  4. Logged to a public server log endpoint.

FAQ

Frequently asked questions

Anyone could read all my data with this key, right?

Yes — service_role bypasses every RLS policy. Whoever holds the key can read auth.users (including emails and hashed passwords), every table in public, and every Storage bucket. Treat the data as exfiltrated.

Do I need to notify users?

If the leaked key was live for any meaningful window AND your tables contain personal data, you likely have a breach disclosure obligation under GDPR/CCPA. Consult counsel.

Can I review past database access using Supabase audit logs?

Pro and Team plans expose Postgres logs under Logs → Postgres. Look for queries issued by the service_role within the leak window. The Free tier has shorter retention; check what you can.

See what else leaked in the same deploy

Free scan. 70+ checks. Results in 60 seconds.