Understanding API Keys
Supabase provides two default keys when you create a project: an anon
key, and a service_role
key. You can find both keys in the API Settings.
The data APIs are designed to work with Postgres Row Level Security (RLS). These keys both map to Postgres roles. You can find an anon
user and a service_role
user in the Roles section of the dashboard.
The keys are both long-lived JWTs. If you decode these keys, you will see that they contain the "role", an "issued date", and an "expiry date" ~10 years in the future.
_10{_10 "role": "anon",_10 "iat": 1625137684,_10 "exp": 1940713684_10}
The anon
key
The anon
key has very few privileges. You can use it in your RLS policies to allow unauthenticated access. For example, this policy will allow unauthenticated access to the profiles
table:
_10create policy "Allow public access" on profiles to anon for_10select_10 using (true);
And similarly for disallowing access:
_10create policy "Disallow public access" on profiles to anon for_10select_10 using (false);
If you are using Supabase Auth, then the anon
role will automatically update to authenticated
once a user is logged in:
_10create policy "Allow access to authenticated users" on profiles to authenticated for_10select_10 using (true);
The service_role
key
The "service_role" is a predefined Postgres role with elevated privileges, designed to perform various administrative and service-related tasks. It can bypass Row Level Security, so it should only be used on a private server.
Never expose the service_role
key in a browser or anywhere where a user can see it.
A common use case for the service_role
key is running data analytics jobs on the backend. To support joins on user id, it is often useful to grant the service role read access to auth.users
table.
_10grant_10select_10 on table auth.users to service_role;
We have partnered with GitHub to scan for Supabase service_role
keys pushed to public repositories.
If they detect any keys with service_role privileges being pushed to GitHub, they will forward the API key to us, so that we can automatically revoke the detected secrets and notify you, protecting your data against malicious actors.