Supabase anon key vs service_role key: which is safe to expose?

The Supabase anon key is meant to be public. The service_role key must never reach the browser. Here is the difference and how to check your app.

Supabase gives you two API keys, and confusing them is the most common — and most dangerous — mistake in AI-built apps.

The anon (public) key — safe in the browser

The anon key is designed to be public. It is safe to ship in your frontend as long as Row Level Security (RLS) is enabled on every table the API can reach, which means every table in an exposed schema (public, by default). The anon key only carries the anon role; once a user signs in, the client also sends that user's own JWT, and your policies see the authenticated role and auth.uid(). RLS is what actually protects your data: a table in an exposed schema with RLS off is fully readable and writable by anyone holding the anon key, and the anon key is held by everyone who loads your site.

The service_role key — NEVER in the browser

The service_role key bypasses Row Level Security entirely. Anyone who finds it can read, modify, or delete your whole database, regardless of what your policies say. It must live only on a server (an Edge Function or API route) and be read from an environment variable without a public prefix. Never put it in client code, and never in a VITE_, NEXT_PUBLIC_ or REACT_APP_ variable: those prefixes tell Vite, Next.js and Create React App to inline the value into the JavaScript bundle, so it ships to every visitor and is visible in the page source and in every request the browser sends.

How to tell which you’ve exposed

Both keys are JWTs signed with your project's JWT secret. The payload is only base64url-encoded, not encrypted, so you can read it without knowing any secret: paste the key into a JWT decoder, or split it on the dots and base64url-decode the middle segment. Look at the role claim: anon is fine to be public; service_role is a critical leak. This works on a key found anywhere, whether in a bundle, a commit, a .env file or a captured request. If your project uses Supabase's newer publishable and secret API keys (prefixed sb_publishable_ and sb_secret_), they are not JWTs, but the prefix tells you which one you are looking at, and a secret key in the browser is the same critical leak. Shipshape does this automatically: it ignores anon keys and only raises an alarm for a real service_role exposure.
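The check below is an added example, not Shipshape's scanner or Supabase's code. It decodes the payload of a legacy Supabase key, reads the role claim, and then runs that classification over two constructed inputs: a set of environment variables using bundler-public prefixes, and a fragment of a built bundle. The sample keys are minted in the block with a placeholder signature, because classifying a key never requires verifying it; the project ref, claim values and bundle text are all constructed.

```javascript
// Added example (not Shipshape's scanner or Supabase's code): classify legacy Supabase
// API keys by decoding the JWT payload and reading its `role` claim, then scan
// constructed inputs for the one that must never reach the browser.

const b64url = (s) => Buffer.from(s, "utf8").toString("base64url");

// Mint a sample key with the same claim shape as Supabase's legacy anon/service_role
// keys. The signature is a placeholder: classification only decodes the payload and
// never verifies the signature, so no real JWT secret is needed. The project ref is
// constructed.
function mintSampleKey(role) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({
    iss: "supabase",
    ref: "abcdefghijklmnopqrst",
    role,
    iat: 1700000000,
    exp: 2000000000,
  }));
  const signature = b64url("constructed-placeholder-signature");
  return `${header}.${payload}.${signature}`;
}

// Decode a JWT payload without verifying it. Returns null for anything that is not
// three dot-separated segments with a base64url-encoded JSON object in the middle.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const obj = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return obj && typeof obj === "object" ? obj : null;
  } catch {
    return null;
  }
}

// Returns "anon", "service_role", "other" (a Supabase-issued JWT with some other
// role), or null if the string is not a Supabase-issued JWT at all.
function classifySupabaseKey(token) {
  const payload = decodeJwtPayload(token);
  if (!payload || payload.iss !== "supabase" || typeof payload.role !== "string") {
    return null;
  }
  return ["anon", "service_role"].includes(payload.role) ? payload.role : "other";
}

// Prefixes that Vite, Next.js and Create React App inline into the client bundle.
const PUBLIC_PREFIXES = ["VITE_", "NEXT_PUBLIC_", "REACT_APP_"];

// A service_role key under a public prefix will ship to the browser: report its name.
function findLeakedEnvVars(env) {
  return Object.entries(env)
    .filter(([name]) => PUBLIC_PREFIXES.some((prefix) => name.startsWith(prefix)))
    .filter(([, value]) => classifySupabaseKey(value) === "service_role")
    .map(([name]) => name);
}

// Find JWT-shaped strings in text (a built bundle, an HTML page, a git diff) and keep
// only service_role keys; anon keys are expected in a frontend and are not reported.
const JWT_RE = /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g;
function findServiceRoleKeys(text) {
  return [...text.matchAll(JWT_RE)]
    .map((m) => m[0])
    .filter((token) => classifySupabaseKey(token) === "service_role");
}

// Constructed sample data.
const ANON_KEY = mintSampleKey("anon");
const SERVICE_ROLE_KEY = mintSampleKey("service_role");

const SAMPLE_ENV = {
  NEXT_PUBLIC_SUPABASE_URL: "https://abcdefghijklmnopqrst.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: ANON_KEY,                 // fine: meant to be public
  NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY: SERVICE_ROLE_KEY, // the mistake
  SUPABASE_SERVICE_ROLE_KEY: SERVICE_ROLE_KEY,             // fine: server-only name
};

const SAMPLE_BUNDLE =
  `var db=createClient("https://abcdefghijklmnopqrst.supabase.co","${ANON_KEY}");` +
  `var admin=createClient("https://abcdefghijklmnopqrst.supabase.co","${SERVICE_ROLE_KEY}");`;

console.log("anon key role:", classifySupabaseKey(ANON_KEY));
console.log("leaked env vars:", findLeakedEnvVars(SAMPLE_ENV));
console.log("service_role keys in bundle:", findServiceRoleKeys(SAMPLE_BUNDLE).length);
```

Run it with Node 16 or later (the base64url encoding on Buffer needs that). The env-var check is the one to wire into CI before a build, since it catches the mistake before anything is bundled; the text scan is the post-build or external check that a scanner like the one the page describes would run against the shipped JavaScript.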

If you leaked the service_role key

  1. Remove it from all client code immediately, and check git history, committed .env files and build artifacts, since a key that was ever pushed or deployed may already have been copied. Treat the key as compromised even after it is gone from the code: it stays valid until you rotate it.
  2. Rotate it in Supabase → Settings → API. For the legacy JWT-based keys this means generating a new JWT secret, which also invalidates the anon key and signs out every current user, so redeploy the frontend with the new anon key at the same time.
  3. Turn on RLS for every table in an exposed schema and write policies for the access you actually intend. A table with RLS enabled and no policies denies all access to the anon and authenticated roles, which is the safe starting point.
  4. Move any admin logic that needs the key into a server-side function (an Edge Function or API route) that reads it from an environment variable without a public prefix, and check your data for unexpected changes made while the key was exposed.


FAQ

Is it safe to put the Supabase anon key in my frontend?
Yes, the anon key is public by design — but only if Row Level Security (RLS) is enabled on your tables. RLS is what protects your data.

What happens if my service_role key is exposed?
It bypasses all Row Level Security, so anyone who has it can read, modify, or delete your entire database. Remove it from client code, rotate it immediately, and assume your data was accessible to anyone who found it while it was exposed.

How do I know which key I exposed?
Decode the JWT and check the role claim: anon is public-safe; service_role is a critical leak.
