Supabase Service Key Detection

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.

• Write to .sb-pentest-context.json IMMEDIATELY after each discovery

• Log to .sb-pentest-audit.log BEFORE and AFTER each action

• DO NOT wait until the skill completes to update files

• If the skill crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.

This skill detects if the service_role key (admin key) is accidentally exposed in client-side code.

When to Use This Skill

• As part of every security audit (this is critical)

• When reviewing code before production deployment

• After detecting Supabase usage to check for this common mistake

Prerequisites

• Target application accessible

• Supabase detection completed (auto-invokes if needed)

Why This Is Critical

The service_role key bypasses ALL Row Level Security (RLS) policies. If exposed:

Impact Description

🔴 Full DB Access Read/write/delete all data in all tables

🔴 Auth Bypass Access all user data without authentication

🔴 Storage Access Read/write all files in all buckets

🔴 User Impersonation Generate tokens for any user

This is a P0 (Critical) finding that requires immediate action.

Service Key vs Anon Key

Aspect Anon Key Service Key

Role claim "role": "anon"

"role": "service_role"

RLS ✅ Respects RLS ❌ Bypasses RLS

Client-side ✅ Expected ❌ NEVER

Server-side ✅ Can use ✅ Should use

Detection Patterns

The skill searches for:

1. Key with service_role Claim

// Decoded JWT payload contains: { "role": "service_role", // ❌ CRITICAL if in client code "iss": "supabase", "ref": "abc123def" }

2. Variable Names

// Common naming patterns SUPABASE_SERVICE_KEY SUPABASE_SERVICE_ROLE_KEY SUPABASE_ADMIN_KEY SUPABASE_SECRET_KEY SERVICE_ROLE_KEY

3. Accidental Exposure

// Sometimes exposed alongside anon key const keys = { anon: 'eyJ...', service: 'eyJ...' // ❌ Should not be here }

Usage

Basic Check

Check for service key leak on https://myapp.example.com

Deep Scan

Deep scan for service key exposure on https://myapp.example.com

Output Format

No Service Key Found (Good)

═══════════════════════════════════════════════════════════ SERVICE KEY CHECK ═══════════════════════════════════════════════════════════

Status: ✅ No service_role key detected in client code

Scanned: ├── HTML source: Clean ├── JavaScript bundles: 5 files, 2.3MB analyzed ├── Inline scripts: 12 blocks checked └── Source maps: Not exposed (good)

JWT Analysis: └── 1 key found, confirmed role=anon (safe)

Result: PASS - No critical key exposure ═══════════════════════════════════════════════════════════

Service Key FOUND (Critical)

═══════════════════════════════════════════════════════════ 🔴 CRITICAL: SERVICE KEY EXPOSED ═══════════════════════════════════════════════════════════

Severity: P0 - CRITICAL Status: ❌ service_role key found in client-side code!

⚠️ IMMEDIATE ACTION REQUIRED ⚠️

Exposed Key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBh YmFzZSIsInJlZiI6ImFiYzEyM2RlZiIsInJvbGUiOiJzZXJ2aWNlX3 JvbGUiLCJpYXQiOjE2NDAwMDAwMDAsImV4cCI6MTk1NTM2MDAwMH0 .xxxxxxxxxxxxx

Location: └── /static/js/admin.chunk.js (line 89) const SUPABASE_KEY = 'eyJhbG...' // Used in createClient()

Decoded Payload: ├── role: service_role ← CRITICAL ├── ref: abc123def └── exp: 2031-12-20

Impact Assessment: ├── 🔴 Full database access possible ├── 🔴 All RLS policies bypassed ├── 🔴 All user data exposed └── 🔴 All storage buckets accessible

═══════════════════════════════════════════════════════════ IMMEDIATE REMEDIATION STEPS ═══════════════════════════════════════════════════════════

1. ROTATE THE KEY NOW → Supabase Dashboard > Settings > API > Regenerate service_role key

2. REMOVE FROM CLIENT CODE → Delete the key from your source code → Redeploy your application

3. AUDIT FOR ABUSE → Check Supabase logs for unauthorized access → Review database for unexpected changes

4. USE EDGE FUNCTIONS → Move privileged operations to Edge Functions → Client calls Edge Function, which uses service key server-side

Documentation: → https://supabase.com/docs/guides/api/api-keys → https://supabase.com/docs/guides/functions

═══════════════════════════════════════════════════════════

Context Output

Saved to .sb-pentest-context.json :

{ "findings": [ { "id": "SERVICE_KEY_EXPOSED", "severity": "P0", "title": "Service Role Key Exposed in Client Code", "description": "The service_role key was found in client-side JavaScript", "location": { "file": "/static/js/admin.chunk.js", "line": 89 }, "evidence": { "key_prefix": "eyJhbGciOiJIUzI1NiI...", "role": "service_role", "project_ref": "abc123def" }, "remediation": { "immediate": "Rotate key in Supabase Dashboard", "long_term": "Move to Edge Functions", "docs": "https://supabase.com/docs/guides/api/api-keys" } } ], "supabase": { "service_key_exposed": true, "service_key_location": "/static/js/admin.chunk.js:89" } }

Source Maps Check

The skill also checks for exposed source maps that might reveal keys:

Source Maps Analysis: ├── main.js.map: ❌ Exposed (may contain secrets) ├── vendor.js.map: ❌ Exposed └── Recommendation: Disable source maps in production

To check source maps content: → Add .map to JS URLs: /static/js/main.js.map

Common Causes

Cause Solution

Wrong env variable Use NEXT_PUBLIC_ only for anon key

Copy-paste error Double-check which key you're using

Debug code left in Remove before production build

Misconfigured bundler Ensure service key env vars are not included

Remediation Code Examples

Before (Wrong)

// ❌ WRONG - Service key in client import { createClient } from '@supabase/supabase-js'

const supabase = createClient( process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_KEY // ❌ NEVER DO THIS )

After (Correct)

// ✅ CORRECT - Only anon key in client import { createClient } from '@supabase/supabase-js'

const supabase = createClient( process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY // ✅ Safe for client )

// For privileged operations, call an Edge Function: const { data } = await supabase.functions.invoke('admin-action', { body: { action: 'delete-user', userId: '123' } })

Edge Function (Server-Side)

// supabase/functions/admin-action/index.ts import { createClient } from '@supabase/supabase-js'

Deno.serve(async (req) => { // ✅ Service key only on server const supabase = createClient( Deno.env.get('SUPABASE_URL'), Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') // ✅ Safe on server )

// Perform privileged operation // ... })

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

• Before starting any action → Log the action to .sb-pentest-audit.log

• After each discovery → Immediately update .sb-pentest-context.json

• After each significant step → Log completion to .sb-pentest-audit.log

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

Update .sb-pentest-context.json with findings:

{ "supabase": { "service_key_exposed": true/false, "service_key_location": "path:line" }, "findings": [ { "id": "SERVICE_KEY_EXPOSED", "severity": "P0", "title": "Service Role Key Exposed", ... } ] }

Log to .sb-pentest-audit.log :

[TIMESTAMP] [supabase-extract-service-key] [START] Checking for service key exposure [TIMESTAMP] [supabase-extract-service-key] [CRITICAL] Service key EXPOSED at path:line [TIMESTAMP] [supabase-extract-service-key] [CONTEXT_UPDATED] .sb-pentest-context.json updated

If files don't exist, create them before writing.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

📁 Evidence Directory: .sb-pentest-evidence/02-extraction/service-key-exposure/

Evidence Files to Create (if service key found)

File Content

service-key-exposure/location.txt

File path and line number

service-key-exposure/decoded-payload.json

Decoded JWT proving it's service_role

service-key-exposure/code-snippet.txt

Code context (redacted)

Evidence Format (P0 Finding)

{ "evidence_id": "EXT-SVC-001", "timestamp": "2025-01-31T10:10:00Z", "category": "extraction", "type": "service_key_exposure", "severity": "P0", "finding_id": "P0-001",

"key_data": { "key_prefix": "eyJhbGciOiJIUzI1NiI...", "key_suffix": "...xxxx", "role": "service_role" },

"decoded_payload": { "iss": "supabase", "ref": "abc123def", "role": "service_role", "iat": "2021-12-20T00:00:00Z", "exp": "2031-12-20T00:00:00Z" },

"location": { "file": "/static/js/admin.chunk.js", "line": 89, "context": "const SUPABASE_KEY = 'eyJhbG...' // [REDACTED]" },

"impact": { "rls_bypass": true, "full_db_access": true, "auth_users_access": true, "storage_access": true },

"curl_command": "curl -X GET 'https://abc123def.supabase.co/rest/v1/users' -H 'apikey: [SERVICE_KEY]' -H 'Authorization: Bearer [SERVICE_KEY]'" }

Add to timeline.md (P0)

[TIMESTAMP] - 🔴 P0 CRITICAL: Service Role Key Exposed

• Service role key found in client-side code
• Location: [file]:[line]
• Impact: Full database access, RLS bypass
• Evidence: 02-extraction/service-key-exposure/
• IMMEDIATE ACTION REQUIRED

Related Skills

• supabase-extract-anon-key — Extract the (expected) anon key

• supabase-audit-tables-read — Test what data is accessible

• supabase-report — Generate full report including this finding