Understanding API Keys

Supabase provides two default keys when you create a project: an anon key, and a service_role key. You can find both keys in the API Settings.

The data APIs are designed to work with Postgres Row Level Security (RLS). These keys both map to Postgres roles. You can find an anon user and a service_role user in the Roles section of the dashboard.

The keys are both long-lived JWTs. If you decode these keys, you will see that they contain the "role", an "issued date", and an "expiry date" ~10 years in the future.

The anon key#

The anon key has very few privileges. You can use it in your RLS policies to allow unauthenticated access. For example, this policy will allow unauthenticated access to the profiles table:

And similarly for disallowing access:

If you are using Supabase Auth, then the anon role will automatically update to authenticated once a user is logged in:

The service_role key#

The "service_role" is a predefined Postgres role with elevated privileges, designed to perform various administrative and service-related tasks. It can bypass Row Level Security, so it should only be used on a private server.

A common use case for the service_role key is running data analytics jobs on the backend. To support joins on user id, it is often useful to grant the service role read access to auth.users table.

We have partnered with GitHub to scan for Supabase service_role keys pushed to public repositories. If they detect any keys with service_role privileges being pushed to GitHub, they will forward the API key to us, so that we can automatically revoke the detected secrets and notify you, protecting your data against malicious actors.