Supabase Security Guide
Can Supabase data be accessed without authentication?
Yes, if RLS is disabled or if RLS policies allow anonymous access, data can be accessed without authentication using only the project URL and anon key. The anon key is a JWT that corresponds to the anon role in PostgreSQL, and it is intended to be public. Any table without RLS enabled is fully readable and writable by anyone who has this key, which is typically exposed in client-side JavaScript. This is one of the most common misconfigurations in Supabase projects. UNPWNED tests for unauthenticated data access and flags any tables that expose data to anonymous users.
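One way to check a project for the two conditions described above, RLS disabled or a policy that reaches anonymous users, is to query the PostgreSQL catalogs directly. This is an added example, not code from UNPWNED or Supabase. It assumes the API-exposed schema is `public`, that the anonymous role is named `anon`, and that it is run with a privileged role (for instance in the project's SQL editor).

```sql
-- Added example: list tables in the exposed schema that the anon role can touch.
-- Assumptions: exposed schema is "public"; anonymous role is "anon".
SELECT
  c.relname                                     AS table_name,
  c.relrowsecurity                              AS rls_enabled,
  has_table_privilege('anon', c.oid, 'SELECT')  AS anon_select,
  has_table_privilege('anon', c.oid, 'INSERT')  AS anon_insert,
  has_table_privilege('anon', c.oid, 'UPDATE')  AS anon_update,
  has_table_privilege('anon', c.oid, 'DELETE')  AS anon_delete,
  COALESCE(p.anon_policies, '{}')               AS policies_reaching_anon,
  CASE
    WHEN NOT c.relrowsecurity
      THEN 'RLS disabled: rows reachable with the anon key'
    ELSE 'RLS enabled, policy applies to anon: review its USING / WITH CHECK'
  END                                           AS finding
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN (
  -- A policy created without a TO clause is stored with roles = {public},
  -- which includes anon, so both names are matched here.
  SELECT schemaname,
         tablename,
         array_agg(policyname::text || ' (' || cmd || ')') AS anon_policies
  FROM pg_policies
  WHERE roles && ARRAY['anon', 'public']::name[]
  GROUP BY schemaname, tablename
) p ON p.schemaname = n.nspname AND p.tablename = c.relname
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND (   has_table_privilege('anon', c.oid, 'SELECT')
       OR has_table_privilege('anon', c.oid, 'INSERT')
       OR has_table_privilege('anon', c.oid, 'UPDATE')
       OR has_table_privilege('anon', c.oid, 'DELETE'))
  -- Keep only tables where anon can actually reach rows:
  -- no RLS at all, or RLS with at least one policy that covers anon.
  AND (NOT c.relrowsecurity OR p.anon_policies IS NOT NULL)
ORDER BY c.relrowsecurity, c.relname;   -- RLS-disabled tables first
```

An empty result means no table in `public` is reachable by `anon`; rows with `rls_enabled = false` are the ones to fix first, typically with `ALTER TABLE ... ENABLE ROW LEVEL SECURITY` plus policies scoped to authenticated users.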
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.