lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Supabase

Supabasesaas4 credentials

Credentials4 documented
01

Publishable API Key

supabase / publishable-key

Supabase publishable API keys are low-privilege platform keys intended for public clients. Supabase documents publishable keys with an sb_publishable_ prefix and says they are safe to expose in web pages, apps, CLIs, source code, and similar public environments.

generated on installpublic by designAPI key

Looks like

example
example

Supabase publishable API key prefix

sb_publishable_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
SUPABASE_PUBLISHABLE_KEY, NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, VITE_SUPABASE_ANON_KEY
config file

frontend config, mobile app config, .env files, and build settings

source code

browser bundles, mobile apps, examples, CLIs, and committed Supabase client config

logs

build output and client SDK diagnostics

Notes

Publishable keys identify the project but should be paired with Row Level Security, Auth, and backend authorization controls.

02

Secret API Key

supabase / secret-key

Supabase secret API keys are elevated platform keys for backend components. Supabase documents secret keys with an sb_secret_ prefix and warns that they provide full access to project data and bypass Row Level Security.

generated on installsecretAPI key

Looks like

example
example

Supabase secret API key prefix

sb_secret_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
SUPABASE_SECRET_KEY, SUPABASE_SERVICE_KEY
http header
apikey

Supabase API key header for backend service calls

config file

backend .env files, server config, Edge Function secrets, and deployment manifests

secret store

cloud secret managers, Supabase secrets, CI/CD variables, and Kubernetes Secrets

source code

backend code, serverless functions, scripts, and accidentally committed config

logs

API client debug logs and CI traces

Notes

Secret keys are backend-only credentials. Do not place them in client code or build artifacts.

03

Legacy Service Role JWT

supabase / legacy-service-role-jwt

Supabase legacy API keys include long-lived JWT-based anon and service_role keys. Supabase documents that service_role JWT keys bypass Row Level Security and are only for trusted server environments.

generated on installsecrettoken

Looks like

pattern
pattern

Supabase legacy anon/service_role API keys are JWTs; role claims distinguish anon from service_role

eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+

Location

environment
SUPABASE_SERVICE_ROLE_KEY, SUPABASE_ANON_KEY, NEXT_PUBLIC_SUPABASE_ANON_KEY
http header
Authorization, apikey

legacy JWT API key in Bearer or apikey contexts

config file

Supabase client config, backend .env files, Edge Functions, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and platform app secrets

source code

frontend/backend code, examples, and committed client initialization snippets

logs

request traces, build output, and CI logs

Notes

The anon JWT is low-privilege when RLS is configured correctly; the service_role JWT is secret and bypasses RLS. Context and JWT role claims determine severity.

04

Postgres Database Password

supabase / database-password

Supabase projects include a Postgres database that clients can connect to using project connection strings. Supabase documents direct database connection workflows for Postgres clients and connection poolers.

user definedsecretusername/password

Looks like

pattern
pattern

Supabase Postgres connection URL containing username and password

postgres(?:ql)?://[^\s:@]+:[^\s@]+@[^\s/]+

Location

environment
DATABASE_URL, SUPABASE_DB_URL, POSTGRES_PASSWORD
config file

ORM config, .env files, migration tooling, connection pooler config, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and database password vault entries

source code

migration scripts, seed scripts, tests, and accidentally committed connection strings

logs

ORM debug logs, failed connection traces, and CI output

Notes

Database password blast radius depends on the Postgres role, network access path, and whether the direct connection or pooler endpoint is used.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.