Supabase Service Role JWT
Service Name: Supabase
Service Description: Supabase is an open-source Firebase alternative providing all the backend services developers need to build a product: a Postgres database, authentication, instant APIs, edge functions, realtime subscriptions, and storage.
Service Address: https://supabase.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the project level through Supabase dashboard
Secret Access Scope: Service role JWT tokens grant full administrative access to your Supabase project, including unrestricted access to all database tables, bypassing Row Level Security (RLS) policies.
Secret Revokement URL: https://app.supabase.com/project/[YOUR_PROJECT_ID]/settings/api
Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InNvb WVwcm9qZWN0aWQiLCJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjk5OTk5OTk5LCJleHAi OjIwMTQ3NDgzOTl9.exampleSignatureValue1234567890abcdefghijklmnopqrst
Suspicious Activity Investigation Instructions:
- Review database logs for unusual queries or data access patterns
- Check API usage logs for unexpected endpoints being accessed
- Monitor for large data transfers or bulk operations
- Review authentication logs for unusual access patterns or locations
- Check for unauthorized schema changes or table modifications
Mitigation Instructions:
- Immediately rotate the service role JWT by navigating to your Supabase
dashboard
- Go to Project Settings > API > Project API keys
- Click "Regenerate" next to the service_role key
- Update all legitimate applications with the new key
- Review and strengthen Row Level Security (RLS) policies
- Implement IP restrictions for API access if not already in place
- Consider implementing additional monitoring for sensitive operations
- Review application code to ensure service role tokens are not exposed in client-
side code