Supabase Security Guide

What is the difference between the Supabase service_role key and the anon key?

The anon key and the service_role key are both JSON Web Tokens signed with your project's JWT secret; what differs is the "role" claim inside them. The anon key carries role "anon", is intended to ship in client-side code, and every request made with it runs as the anon Postgres role, so Row Level Security (RLS) policies decide what it can read or write (once a user signs in, the client sends that user's own JWT with role "authenticated" instead, and RLS still applies). The service_role key carries role "service_role", which maps to a Postgres role that bypasses RLS entirely and therefore has full read/write access to every table in the database. Exposing the service_role key in client-side code or a public repository is a critical security vulnerability: anyone who extracts it from a bundle, an APK or a git history gets unrestricted database access, no matter how tight your RLS policies are. The service_role key should only be used in trusted server-side environments such as backend APIs, Edge Functions or other serverless functions, never in a browser or mobile app. Two caveats: the anon key is only as safe as your RLS, so a table with RLS disabled is fully readable and writable by anyone holding the anon key; and because the two keys look identical at a glance, the reliable way to tell them apart is to decode the JWT payload and read the role claim. UNPWNED checks your application for exposed Supabase keys and alerts you if a service_role key is found in client-accessible code.


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.