fix: update API key types to table format with 4 key types

Replace bullet list with proper table showing publishable/secret keys
alongside legacy anon/service_role keys, matching current Supabase docs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pedro Rodrigues
2026-02-09 17:31:54 +00:00
parent cbfce7ac2a
commit 26b8ecb6e6

@@ -56,14 +56,18 @@ NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ... # Safe to expose
SUPABASE_SERVICE_ROLE_KEY=eyJ... # NEVER prefix with NEXT_PUBLIC_
```
## Identifying Keys
## API Key Types
- **Anon key**: `role` claim is `anon` (legacy)
- **Service role key**: `role` claim is `service_role` (legacy)
- **Publishable key**: Safe to expose in client-side code (newer recommended approach)
- **Secret key**: Server-only, replaces service role key (newer recommended approach)
Supabase provides 4 key types:
Decode JWT at [jwt.io](https://jwt.io) to verify legacy keys.
| Type | Format | Privileges |
|------|--------|-----------|
| Publishable key | `sb_publishable_...` | Low — safe to expose in browsers/apps |
| Secret key | `sb_secret_...` | Elevated — bypasses RLS, backend only |
| `anon` (legacy) | JWT | Same as publishable |
| `service_role` (legacy) | JWT | Same as secret key |
The publishable and secret keys are replacing the legacy JWT-based keys. Decode legacy JWTs at [jwt.io](https://jwt.io) to verify: `role` claim is `anon` or `service_role`.
## If Service Key is Exposed
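Review bot: the last added line ("Decode legacy JWTs at [jwt.io](https://jwt.io) to verify: `role` claim is `anon` or `service_role`") still sends readers to a third-party website with a `service_role` key, which the new table just above describes as bypassing RLS and backend only. Suggest pointing to local decoding of the JWT payload for this check, or limiting the jwt.io suggestion to the `anon` key. Separately, the context lines at the top of the hunk still show only the legacy `NEXT_PUBLIC_SUPABASE_ANON_KEY` and `SUPABASE_SERVICE_ROLE_KEY` variables with `eyJ...` values, so a reader following the new table has no env example for `sb_publishable_...` or `sb_secret_...`; either add one in a follow-up or mark the existing example as legacy.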