Skip to content

Supabase JWT Secret

Service Name: Supabase

Service Description: Supabase is an open-source Firebase alternative providing a PostgreSQL database, authentication, instant APIs, real-time subscriptions, and storage.

Service Address: https://supabase.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the project level through Supabase dashboard

Secret Access Scope: The JWT secret is used to sign and verify JSON Web Tokens (JWTs) for authentication in Supabase projects. It grants the ability to create valid authentication tokens for accessing Supabase services.

Secret Revokement URL: https://app.supabase.com/project/[project-id]/settings/api

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Inhtd WlreHBsc2Nub3Ztc2J0dHRkIiwicm9sZSI6ImFub24iLCJpYXQiOjE2NTI3NjkwMTEsImV4cCI6 MTk2ODM0NTAxMX0.0UiJ_6jC4wAhxITbYn-CnPvwdXQfvbq0O-VwxIQ8UQQ

Suspicious Activity Investigation Instructions:

  • Review authentication logs in the Supabase dashboard for unusual login patterns or unauthorized access
  • Check for unexpected database queries or API calls that might indicate compromised credentials
  • Monitor for unusual traffic patterns or access from unexpected geographic locations

  • Review user creation events to identify potentially unauthorized account

creation

  • Examine storage access logs for unusual file uploads or downloads

Mitigation Instructions:

  • Rotate the JWT secret immediately through the Supabase dashboard (Settings > API)
  • Update the JWT secret in all legitimate application environments
  • Review and revoke any suspicious user sessions
  • Enable additional security features like RLS (Row Level Security) if not already enabled
  • Consider implementing IP allow lists for your Supabase project
  • Update any environment variables or configuration files containing the old JWT secret
  • Monitor for any continued unauthorized access after secret rotation