Severity: critical (Security & Infrastructure)

Supabase Service Role Key Exposure

A Supabase service role key in client-side code bypasses ALL Row Level Security — anyone with this key can read, write, and delete your entire database. SaaSalyst detects this as a critical security vulnerability that requires immediate remediation.

What SaaSalyst Checks

SaaSalyst scans your page's JavaScript bundles for Supabase JWTs whose payload carries the 'service_role' role. Supabase keys are JWTs, so their base64url-encoded payload can be decoded and inspected without the signing secret. Any match is reported as a critical security failure.

Why This Matters

The Supabase service role key is a superuser credential — it bypasses every Row Level Security policy you have configured. If this key is exposed in client-side JavaScript, any visitor to your site can extract it and gain full database access.

This is one of the most severe possible security vulnerabilities for a Supabase-backed application. An attacker can exfiltrate your entire database, delete all records, and impersonate any user.

This key must only be used in server-side code (API routes, Edge Functions, server actions) where it is never exposed to the browser.

How to Fix It

  1. Immediately rotate your Supabase service role key in the Supabase Dashboard (Settings → API). The old key will be invalidated.
  2. Audit all client-side code for uses of the service role key and replace them with the anon key or remove them entirely.
  3. Move all operations requiring the service role key to server-side API routes, Edge Functions, or Inngest jobs.
  4. Store the service role key only in server-side environment variables (never in NEXT_PUBLIC_* variables in Next.js).
  5. Audit your database for unauthorized access during the exposure window.
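The detection described under "What SaaSalyst Checks" and the environment-variable rule in step 4 can both be reproduced locally. The following Node.js script is an added example, not SaaSalyst's own scanner: it locates JWT-shaped strings in any text (a built bundle, an HTML page, a .env file), decodes the payload segment, and reports tokens whose `role` claim is `service_role`; it then lints an env map for `NEXT_PUBLIC_*` variables that would inline such a token into the browser bundle. The tokens, project ref, bundle snippet and env map are all constructed inside the script and are not real keys.

```javascript
// Added example (not SaaSalyst's code): find Supabase JWTs in text, classify
// them by their "role" claim, and lint env vars for publicly exposed keys.

// Supabase keys are JWTs; a base64url-encoded JSON header always starts with "eyJ".
const JWT_PATTERN = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// base64url <-> bytes helpers (works on Node versions without the 'base64url' encoding).
const fromBase64Url = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
const toBase64Url = (s) =>
  Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode the payload (middle) segment of a JWT. The signature is NOT verified:
// we only want the claims, and a scanner never holds the project's JWT secret.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(fromBase64Url(parts[1]));
  } catch {
    return null; // not valid base64url/JSON, so not a JWT we can read
  }
}

// Returns the "role" claim ("anon", "service_role", ...) or "not-supabase".
function classifySupabaseToken(token) {
  const claims = decodeJwtPayload(token);
  if (!claims || typeof claims.role !== 'string') return 'not-supabase';
  return claims.role;
}

// Scan arbitrary text and return every service_role token found, redacted so
// the finding itself does not re-leak the key.
function findServiceRoleTokens(text) {
  const hits = [];
  for (const match of text.matchAll(JWT_PATTERN)) {
    const token = match[0];
    if (classifySupabaseToken(token) === 'service_role') {
      hits.push({ index: match.index, preview: `${token.slice(0, 12)}...${token.slice(-6)}` });
    }
  }
  return hits;
}

// Step 4 check: any NEXT_PUBLIC_* variable holding a service_role JWT would be
// inlined into the client bundle by Next.js. Returns the offending names.
function auditPublicEnv(env, publicPrefix = 'NEXT_PUBLIC_') {
  return Object.entries(env)
    .filter(([name, value]) => name.startsWith(publicPrefix) && typeof value === 'string')
    .filter(([, value]) => findServiceRoleTokens(value).length > 0)
    .map(([name]) => name);
}

// ---- Constructed sample data: fake tokens with a placeholder signature ----
const fakeJwt = (claims) =>
  `${toBase64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.` +
  `${toBase64Url(JSON.stringify(claims))}.${toBase64Url('signature-placeholder')}`;

const FAKE_ANON_KEY = fakeJwt({ iss: 'supabase', ref: 'exampleproject', role: 'anon' });
const FAKE_SERVICE_KEY = fakeJwt({ iss: 'supabase', ref: 'exampleproject', role: 'service_role' });

// A minified-looking bundle fragment (constructed) containing both keys.
const SAMPLE_BUNDLE =
  'var u="https://exampleproject.supabase.co";' +
  `var admin=createClient(u,"${FAKE_SERVICE_KEY}");` +
  `var pub=createClient(u,"${FAKE_ANON_KEY}");`;

// A constructed env map: one public variable wrongly carries the service key.
const SAMPLE_ENV = {
  NEXT_PUBLIC_SUPABASE_URL: 'https://exampleproject.supabase.co',
  NEXT_PUBLIC_SUPABASE_ANON_KEY: FAKE_ANON_KEY,       // correct: anon key may be public
  NEXT_PUBLIC_SERVICE_KEY: FAKE_SERVICE_KEY,          // the mistake step 4 warns about
  SUPABASE_SERVICE_ROLE_KEY: FAKE_SERVICE_KEY,        // fine: server-only variable
};

console.log('service_role tokens in bundle:', findServiceRoleTokens(SAMPLE_BUNDLE));
console.log('public env vars leaking service_role:', auditPublicEnv(SAMPLE_ENV));
```

Run it with `node scan.js` (or point `findServiceRoleTokens` at the contents of your built `.next/static` or `dist` files). The classifier only reads the claims, so it cannot tell a forged token from a real one; that is fine for a scanner, because the point is that no token claiming `service_role` should ever be shipped to the browser, valid or not.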

Frequently Asked Questions

How does SaaSalyst detect a Supabase service role key?

SaaSalyst scans your page's JavaScript bundles for Supabase JWTs and decodes the base64 payload. A JWT with 'service_role' role in client-side code is immediately flagged as a critical vulnerability.

What should I do if my service role key is detected?

SaaSalyst recommends rotating the key immediately in your Supabase Dashboard. Then audit your client-side code to remove all uses and move service role operations to server-side code only.

How does service role key exposure affect my Business Readiness Score?

SaaSalyst rates this as critical severity in Security & Infrastructure. A service role key in client-side code is an immediate security failure that significantly lowers your score and requires urgent remediation before any enterprise sales process.

Check Your SaaS Now — Free

SaaSalyst scans your website in 30 seconds and checks for Supabase Service Role Key Exposure along with 40+ other business readiness signals.
