Supabase service_role key: safe usage and exposure checklist
Use this page when a service_role or secret key may have reached browser code, mobile code, a public repo, or committed MCP config. The tool gives an emergency checklist without asking for the actual key.
Privileged key emergency checklist
Contain service_role or secret key exposure first. RLS SQL is secondary because privileged requests can bypass RLS.
service_role/secret requests can bypass RLS and RLS SQL does not constrain them.
service_role / secret key placement: Never expose these keys in browser JavaScript, mobile apps, public repositories, committed MCP config, or NEXT_PUBLIC_* environment variables. Treat exposure as urgent because privileged keys can bypass RLS or perform elevated operations. RLS SQL does not constrain requests made with service_role or secret keys.
Emergency checklist:
1. Remove the key from client/public code.
2. Rotate or delete the exposed key in Supabase.
3. Move privileged operations to a server route or Supabase Edge Function.
4. Replace frontend usage with a publishable or anon key plus RLS.
5. Review logs for unusual reads, writes, exports, or schema changes.
6. Add CI checks for forbidden env names such as NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY.
7. Only then adapt normal-client RLS policies for publishable/anon keys plus authenticated sessions.
Launch Safety Pack
Early-access pack with 15 bundles: AI repair prompts, test scripts, policy templates, MCP guards, and more.
