supabase-security-basics

Solid

Apply Supabase security best practices: anon vs service_role key separation, RLS enforcement, policy patterns, JWT verification, and API hardening. Use when securing a Supabase project, auditing API key usage, implementing Row Level Security, or running a production security checklist. Trigger with phrases like "supabase security", "supabase RLS", "secure supabase", "supabase API key", "supabase hardening", "row level security", "service role key".

AI & Automation 2,266 stars 315 forks Updated today MIT


Skill Content

# Supabase Security Basics

## Overview

Supabase exposes a Postgres database directly to the internet via PostgREST. Every table in an exposed schema (`public` by default) that does not have Row Level Security enabled is fully readable and writable by anyone who holds your project URL and anon key, and both of those are public by design. This skill covers the three pillars of Supabase security: key separation (anon vs service_role), RLS policy enforcement, and API surface hardening.

## Prerequisites

- Supabase project created (local or hosted) with Dashboard access
- `@supabase/supabase-js` installed (`npm install @supabase/supabase-js`)
- `SUPABASE_URL` and `SUPABASE_ANON_KEY` environment variables configured
- Basic understanding of SQL and Postgres

## Instructions

### Step 1: Understand the Two API Keys

Supabase issues two keys per project. Confusing them is the most common security mistake:

| Key | Environment Variable | Exposed to Client? | RLS Behavior |
|-----|---------------------|-------------------|--------------|
| **Anon key** | `SUPABASE_ANON_KEY` | Yes, browser-safe | Respects all RLS policies |
| **Service role key** | `SUPABASE_SERVICE_ROLE_KEY` | **NEVER** expose | Bypasses ALL RLS |

Both keys are JWTs signed with the project's JWT secret. The anon key carries the claim `role: anon`; PostgREST verifies the signature and switches the database session to that Postgres role, so the RLS policies written for `anon` (or for `authenticated`, once a user has signed in and the client sends the user's own JWT) decide what each request can read or write. The anon key is safe to include in client-side bundles only for that reason: it can touch exactly what RLS policies allow, which on a table with RLS disabled is everything. The service role key carries `role: service_role`, a role that bypasses every RLS policy, and must only ever exist in server-side code (API routes, Edge Functions, cron jobs, migration scripts), never under an environment-variable name that a bundler inlines into the browser build. ...
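The key-separation rule from Step 1 as a runnable Node.js check, added here as an example (not code from the skill or from Supabase). It classifies a key by the `role` claim in its JWT payload, refuses to use a service_role key where browser code would, and scans build-time environment variables for a service_role key hiding under a public prefix. The two keys, the project ref and the variable names below are constructed for the example; the signature is a placeholder and is not verified, because this is a classification of keys you already hold, not authentication.

```javascript
// Added example: classify Supabase API keys by the `role` claim in the JWT payload
// and guard against shipping a service_role key to the browser.
// Sample keys are constructed here with a dummy signature; real keys are signed
// with the project's JWT secret and verified by PostgREST, not by this code.

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample key: same header and claim shape as a real Supabase key
// (iss, ref, role, iat, exp), with an unverifiable placeholder signature.
function makeSampleKey(role) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = {
    iss: 'supabase',
    ref: 'abcdefghijklmnopqrst', // hypothetical project ref
    role,
    iat: 1700000000,
    exp: 2000000000,
  };
  return `${base64url(header)}.${base64url(payload)}.signature-placeholder`;
}

// Decode the payload WITHOUT verifying the signature. Enough to classify a key
// we already hold; never use this to trust a token received from a client.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns 'anon' or 'service_role'; anything else is not a Supabase API key.
function keyRole(key) {
  const { role } = decodeJwtPayload(key);
  if (role !== 'anon' && role !== 'service_role') {
    throw new Error(`unexpected role claim: ${role}`);
  }
  return role;
}

// Call before createClient() in any code path that is bundled for the browser.
function assertBrowserSafe(key) {
  if (keyRole(key) === 'service_role') {
    throw new Error('service_role key must never be used in client-side code');
  }
  return true;
}

// Prefixes that common bundlers inline into the browser build (assumed list).
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_'];

// Scan an env map (e.g. process.env at build time) and return the names of
// publicly-prefixed variables whose value is a service_role key.
function findLeakedServiceKeys(env) {
  const leaks = [];
  for (const [name, value] of Object.entries(env)) {
    if (!PUBLIC_PREFIXES.some((p) => name.startsWith(p))) continue;
    if (typeof value !== 'string' || value.split('.').length !== 3) continue;
    try {
      if (keyRole(value) === 'service_role') leaks.push(name);
    } catch {
      // not a Supabase JWT; ignore
    }
  }
  return leaks;
}

const ANON_KEY = makeSampleKey('anon');
const SERVICE_ROLE_KEY = makeSampleKey('service_role');

// Constructed build environment: one correctly named public anon key, one
// service_role key misfiled under a public prefix, one server-only variable.
const SAMPLE_ENV = {
  NEXT_PUBLIC_SUPABASE_ANON_KEY: ANON_KEY,
  NEXT_PUBLIC_SUPABASE_KEY: SERVICE_ROLE_KEY,
  SUPABASE_SERVICE_ROLE_KEY: SERVICE_ROLE_KEY,
};

console.log(keyRole(ANON_KEY));                  // anon
console.log(keyRole(SERVICE_ROLE_KEY));          // service_role
console.log(findLeakedServiceKeys(SAMPLE_ENV));  // [ 'NEXT_PUBLIC_SUPABASE_KEY' ]
```

Run `findLeakedServiceKeys(process.env)` as a pre-build step in CI and fail the build on a non-empty result; it catches the case the table above warns about, where the service role key is correct on the server but also copied into a `NEXT_PUBLIC_`-style variable and shipped to every visitor.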

Details

Author
jeremylongshore
Repository
jeremylongshore/claude-code-plugins-plus-skills
Created
7 months ago
Last Updated
today
Language
Python
License
MIT

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Listed

supabase

Supabase platform standards — Row-Level Security, publishable/anon and secret/service_role key boundaries, Postgres and Edge functions, Storage, Realtime, and the CLI migration workflow. Use when working with RLS policies, Supabase clients, Edge Functions, or supabase/ migrations. Loads alongside the database (Postgres) domain.

1 Updated 2 days ago
ndisisnd
API & Backend Listed

010115-supabase-platform

Supabase platform — Row Level Security, Edge Functions, Realtime patterns, Storage signed URLs, PostgreSQL schema design, and anti-patterns.

1 Updated 3 days ago
natuleadan
AI & Automation Solid

supabase-known-pitfalls

Avoid and fix the most common Supabase mistakes: exposing service_role key in client bundles, forgetting to enable RLS, not using connection pooling in serverless, .single() throwing on empty results, missing .select() after insert/update, not destructuring { data, error }, creating multiple client instances, and not using generated types. Use when reviewing Supabase code, onboarding developers, auditing an existing project, or debugging unexpected behavior. Trigger with phrases like "supabase mistakes", "supabase anti-patterns", "supabase pitfalls", "supabase code review", "supabase gotchas", "supabase debugging", "what not to do supabase", "supabase common errors".

2,266 Updated today
jeremylongshore
API & Backend Listed

supabase-patterns

Generic Supabase best practices for Row Level Security, realtime subscriptions, storage, and edge functions. Framework-agnostic.

335 Updated today
aiskillstore
API & Backend Listed

supabase-security-audit

Audit Supabase project security including Row-Level Security (RLS) policies, SECURITY DEFINER functions, anon/authenticated role grants, service_role key exposure, edge function authentication, and JWT verification on edge endpoints. Use this skill whenever the user mentions Supabase, RLS, row-level security, SECURITY DEFINER, anon role exposure, service_role leak, supabase-js client, edge functions auth, or asks "is my Supabase project safe". Trigger on phrases like "audit my Supabase", "review my RLS", "is RLS enabled", "SECURITY DEFINER risk", "anon role grants", "edge function security", "service role exposure", "Postgres function audit". Use this even if only one sub-topic is mentioned.

1 Updated 6 days ago
hlsitechio