Supabase
Supabasesaas4 credentials
Publishable API Key
supabase / publishable-key
Supabase publishable API keys are low-privilege platform keys intended for public clients. Supabase documents publishable keys with an sb_publishable_ prefix and says they are safe to expose in web pages, apps, CLIs, source code, and similar public environments.
Looks like
examplesb_publishable_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
SUPABASE_PUBLISHABLE_KEY, NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, VITE_SUPABASE_ANON_KEYfrontend config, mobile app config, .env files, and build settings
browser bundles, mobile apps, examples, CLIs, and committed Supabase client config
build output and client SDK diagnostics
Notes
Publishable keys identify the project but should be paired with Row Level Security, Auth, and backend authorization controls.
Secret API Key
supabase / secret-key
Supabase secret API keys are elevated platform keys for backend components. Supabase documents secret keys with an sb_secret_ prefix and warns that they provide full access to project data and bypass Row Level Security.
Looks like
examplesb_secret_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
SUPABASE_SECRET_KEY, SUPABASE_SERVICE_KEYapikeySupabase API key header for backend service calls
backend .env files, server config, Edge Function secrets, and deployment manifests
cloud secret managers, Supabase secrets, CI/CD variables, and Kubernetes Secrets
backend code, serverless functions, scripts, and accidentally committed config
API client debug logs and CI traces
Notes
Secret keys are backend-only credentials. Do not place them in client code or build artifacts.
Legacy Service Role JWT
supabase / legacy-service-role-jwt
Supabase legacy API keys include long-lived JWT-based anon and service_role keys. Supabase documents that service_role JWT keys bypass Row Level Security and are only for trusted server environments.
Looks like
patterneyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+Location
SUPABASE_SERVICE_ROLE_KEY, SUPABASE_ANON_KEY, NEXT_PUBLIC_SUPABASE_ANON_KEYAuthorization, apikeylegacy JWT API key in Bearer or apikey contexts
Supabase client config, backend .env files, Edge Functions, and deployment manifests
cloud secret managers, CI/CD variables, and platform app secrets
frontend/backend code, examples, and committed client initialization snippets
request traces, build output, and CI logs
Notes
The anon JWT is low-privilege when RLS is configured correctly; the service_role JWT is secret and bypasses RLS. Context and JWT role claims determine severity.
Postgres Database Password
supabase / database-password
Supabase projects include a Postgres database that clients can connect to using project connection strings. Supabase documents direct database connection workflows for Postgres clients and connection poolers.
Looks like
patternpostgres(?:ql)?://[^\s:@]+:[^\s@]+@[^\s/]+Location
DATABASE_URL, SUPABASE_DB_URL, POSTGRES_PASSWORDORM config, .env files, migration tooling, connection pooler config, and deployment manifests
cloud secret managers, CI/CD variables, and database password vault entries
migration scripts, seed scripts, tests, and accidentally committed connection strings
ORM debug logs, failed connection traces, and CI output
Notes
Database password blast radius depends on the Postgres role, network access path, and whether the direct connection or pooler endpoint is used.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.