Supabase Anon Key Exposure
Supabase anon keys in client-side code are expected for frontend applications — but their presence confirms Supabase as your backend and requires that Row Level Security (RLS) is properly configured on all tables. SaaSalyst detects Supabase anon keys as a stack detection and security signal.
What SaaSalyst Checks
SaaSalyst scans your page's JavaScript bundles for Supabase JWTs whose role claim is 'anon'. A JWT's payload is base64url-encoded, not encrypted, so anyone who can read the bundle can decode it and read the role. Detection triggers a warning prompting verification of your RLS configuration.
Why This Matters
Supabase anon keys are designed for client-side use and are expected to be public. However, they only provide safe access if Row Level Security is enabled, with explicit policies, on every table exposed through the API. An anon key without RLS allows anyone who loads your site (and therefore holds the key) to read and write your entire database.
When SaaSalyst detects your Supabase anon key, it signals two things: your stack uses Supabase, and your application's security model depends entirely on your RLS policies being correct.
This check is informational for well-configured deployments but becomes a critical finding if RLS has been disabled on any production table.
How to Fix It
- Verify that Row Level Security (RLS) is enabled on ALL Supabase tables in your production database.
- Use the Supabase Dashboard to audit each table's RLS policies — every table should have explicit policies, not just enabled RLS with no policies.
- Test your RLS policies by querying the database with an anon key from a context that should be restricted.
- Never use the service role key in client-side code: it bypasses all RLS, so shipping it in a bundle is a critical security vulnerability.
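The four steps above, carried out against the Supabase Postgres database as an added example (this is not SaaSalyst's or Supabase's own code). It assumes a table public.profiles with a user_id column that identifies the owning user; that table, column and the sample user id are assumptions for illustration, and the first two queries work for any public-schema table.

```sql
-- Added example, not code from the page or from SaaSalyst/Supabase.
-- Assumes: Supabase Postgres, a table public.profiles with a user_id uuid column.

-- Step 1: list tables in the API-exposed public schema that do NOT have RLS enabled.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')          -- ordinary and partitioned tables
  and not c.relrowsecurity;            -- expected result for a healthy project: no rows

-- Step 2: list tables that have RLS enabled but no explicit policies at all.
-- These need a deliberate policy, so the intended access is written down, not implied.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
       on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and c.relrowsecurity
group by c.relname
having count(p.policyname) = 0;

-- Step 1 (fix): enable RLS on the table and add least-privilege policies.
-- Only signed-in users may see or change their own row; no policy is granted to
-- the anon role, so a request made with just the anon key sees zero rows.
alter table public.profiles enable row level security;

create policy "profiles_select_own"
  on public.profiles for select
  to authenticated
  using (auth.uid() = user_id);

create policy "profiles_update_own"
  on public.profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Step 3: test the policies from the SQL editor by impersonating the API roles.
-- auth.uid() reads the "sub" claim from request.jwt.claims, so setting that GUC
-- simulates a request made with a user's JWT. Everything is rolled back afterwards.
begin;
  set local role anon;                                   -- what an anon-key request gets
  select count(*) from public.profiles;                  -- expected: 0

  set local role authenticated;                          -- a signed-in user
  set local request.jwt.claims to
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  select count(*) from public.profiles;                  -- expected: only that user's rows
rollback;

-- Step 4 has no SQL: the service role key never leaves server-side code.
```

Run the two audit queries first; any table returned by the first query is the "critical finding" the text describes, because the anon key in your bundle reaches it without restriction. The impersonation block works because the SQL editor runs as a role that may switch to anon and authenticated; the same checks can be repeated for each table that the audit queries report.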
Frequently Asked Questions
How does SaaSalyst detect Supabase anon keys?
SaaSalyst scans your page's JavaScript bundles for Supabase JWTs. Each token carries a base64url-encoded payload with a 'role' field, which can be decoded without any secret. Detection of an 'anon' role triggers this check.
Is exposing my Supabase anon key a security issue?
Supabase anon keys are designed to be public and are safe when Row Level Security is properly configured. SaaSalyst flags their presence as medium severity to prompt verification of your RLS setup.
How does Supabase anon key detection affect my Business Readiness Score?
SaaSalyst rates this as medium severity in Security & Infrastructure. It's primarily a stack detection and RLS verification prompt — not necessarily a vulnerability, but it requires confirmation that RLS is correctly configured.
Check Your SaaS Now — Free
SaaSalyst scans your website in 30 seconds and checks for Supabase Anon Key Exposure along with 40+ other business readiness signals.