Assumption Gapcritical riskhigh confidencemoderator reviewed

The Service Role Key Is in the Frontend Code

The Supabase `service_role` key bypasses all RLS. If it appears in frontend code, any user can extract it and access your entire database.

By Contributor · published 5/30/2026

In plain English

Your "service role key" acts like a master key to your entire database and must never be visible in your website's public code. Check your settings to ensure this key is only used on the server, or any visitor could gain full admin access to your data.

Supabase provides two API keys per project: the `anon` (public) key, which respects RLS policies, and the `service_role` key, which bypasses all RLS entirely. The service role key is designed for server-side admin operations only. When AI tools generate code, they sometimes use the service role key in configurations or client initialization — especially when debugging a situation where the anon key “wasn’t working.” The result: if that key appears anywhere in client-side JavaScript, it is extractable by any user who opens browser developer tools. Per [ModernPentest’s documented Supabase misconfigurations](https://modernpentest.com/blog/supabase-security-misconfigurations): “The `service_role` key bypasses all RLS policies and should NEVER be exposed to the client.” **How to check:** Search your codebase for the string `service_role` or your actual service role key value. It should appear only in server-side files (API routes, Edge Functions) and never in any file that starts with `VITE_`, `NEXT_PUBLIC_`, or any other client-exposed prefix. **Correct pattern:** ```jsx // Client-side: use anon key (respects RLS) const supabase = createClient( process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY ); // Server-side only: use service role (bypasses RLS, admin operations) const supabaseAdmin = createClient( process.env.SUPABASE_URL, process.env.SUPABASE_SERVICE_ROLE_KEY // never NEXT_PUBLIC_ prefix ); ``` ## Why it matters Exposing the service role key is equivalent to giving every user admin access to your database. No RLS policy, no authentication check, no restriction applies. ## Suggested next action Search your entire codebase for `service_role`. Confirm it never appears in any file accessible to the client.

Discussion

0 comments

Loading comments…

Sign in to join the discussion.

Want the technical version? Switch the detail level at the top of the page toBuilder orTechnical.