Skip to content

Supabase Service Key

Service Name: Supabase

Service Description: Supabase is an open-source Firebase alternative that provides a PostgreSQL database, authentication, instant APIs, real-time subscriptions, and storage.

Service Address: https://supabase.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the project level through Supabase dashboard.

Secret Access Scope: Grants programmatic access to Supabase services including database, authentication, storage, and functions with service-level permissions.

Secret Revokement URL: https://app.supabase.com/project/[project-id]/settings/api

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InNhb XBsZXByb2plY3RpZCIsInJvbGUiOiJzZXJ2aWNlX3JvbGUiLCJpYXQiOjE2MTY3NjMwMjIsImV4 cCI6MTkzMjMzOTAyMn0.EXAMPLE_SIGNATURE

Suspicious Activity Investigation Instructions:

  • Review database logs for unusual queries or data access patterns
  • Check authentication logs for unexpected login attempts or user creation
  • Monitor API usage metrics for abnormal request volumes or patterns
  • Examine storage access logs for unauthorized file operations
  • Review function invocation logs for unexpected executions

Mitigation Instructions:

  • Navigate to the Supabase dashboard at https://app.supabase.com/
  • Select your project from the dashboard
  • Go to Project Settings > API
  • Under "Project API keys", locate the compromised service key
  • Click "Regenerate" to invalidate the old key and create a new one
  • Update all legitimate applications with the new service key
  • Consider implementing Row Level Security (RLS) policies to limit data access
  • Review and restrict service role permissions to only what is necessary
  • Enable monitoring and alerts for suspicious activities