ClearedToShip
critical

How to fix an exposed Supabase key

The problem

There are two cases. The anon key is meant to be public — if that's all that's exposed, RLS is your fix. But if your service-role key reached the client or a public repo, your entire database is exposed and you must rotate it immediately.

Step by step

  1. Identify which key leaked

     The anon (public) key is fine to expose. The service_role key is not — it bypasses RLS and grants full access.

  2. If the service-role key leaked, rotate it now

     In Supabase → Project Settings → API, regenerate the service-role key and update it only in server-side environment variables.

  3. Remove the key from client code and git history

     Strip it from the bundle and purge it from git history (it stays in old commits otherwise).

  4. Lock down with RLS regardless

     Enable row-level security so an exposed anon key can't read your data.
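The following is an added worked example for step 4, not ClearedToShip's own code. It assumes a constructed table public.profiles with a user_id column holding the owner's auth UID, and uses Supabase's built-in auth.uid() helper and its authenticated role. The last two queries are the checks a reviewer would run to confirm the lockdown actually holds: tables in the public schema still without RLS, and policies whose USING clause is a bare true (which lets every row through).

```sql
-- Added example (not ClearedToShip's own code).
-- Assumed/constructed table: public.profiles(id, user_id uuid, display_name text, ...)

-- 1. Turn RLS on. With no policies, every request via the anon or
--    authenticated role now returns zero rows; only service_role bypasses this.
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

-- 2. Grant back exactly what the app needs: each signed-in user may read,
--    create, change and delete only rows whose user_id matches their own UID.
--    No policy is created for the anon role, so an exposed anon key reads nothing.
CREATE POLICY "profiles_select_own" ON public.profiles
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

CREATE POLICY "profiles_insert_own" ON public.profiles
  FOR INSERT TO authenticated
  WITH CHECK (user_id = auth.uid());       -- new rows must belong to the caller

CREATE POLICY "profiles_update_own" ON public.profiles
  FOR UPDATE TO authenticated
  USING (user_id = auth.uid())             -- may only touch own rows ...
  WITH CHECK (user_id = auth.uid());       -- ... and may not re-assign them

CREATE POLICY "profiles_delete_own" ON public.profiles
  FOR DELETE TO authenticated
  USING (user_id = auth.uid());

-- 3. Verification: any table listed here is still fully readable with the anon key.
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname = 'public'
  AND NOT rowsecurity;

-- 4. Verification: policies that wave every row through. A USING (true) policy
--    on a table exposed to anon undoes the lockdown.
SELECT schemaname, tablename, policyname, roles, cmd, qual
FROM pg_policies
WHERE schemaname = 'public'
  AND (qual = 'true' OR with_check = 'true');
```

Run this in the Supabase SQL editor (or psql against the project database) per table that the client can reach; both verification queries should come back empty before the fix is considered done. RLS only governs the anon and authenticated roles: it does nothing against a leaked service_role key, which is why steps 2 and 3 still apply.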

Want it verified, not just fixed?

Fixing it is step one. A ClearedToShip review confirms the fix actually holds and gives you a signed, insured clearance to launch. Join early access:
