Skip to content

Supabase Service Role JWT

Service Name: Supabase

Service Description: Supabase is an open-source Firebase alternative providing all the backend services developers need to build a product: a Postgres database, authentication, instant APIs, edge functions, realtime subscriptions, and storage.

Service Address: https://supabase.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the project level through Supabase dashboard

Secret Access Scope: Service role JWT tokens grant full administrative access to your Supabase project, including unrestricted access to all database tables, bypassing Row Level Security (RLS) policies.

Secret Revokement URL: https://app.supabase.com/project/[YOUR_PROJECT_ID]/settings/api

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InNvb WVwcm9qZWN0aWQiLCJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjk5OTk5OTk5LCJleHAi OjIwMTQ3NDgzOTl9.exampleSignatureValue1234567890abcdefghijklmnopqrst

Suspicious Activity Investigation Instructions:

  • Review database logs for unusual queries or data access patterns
  • Check API usage logs for unexpected endpoints being accessed
  • Monitor for large data transfers or bulk operations
  • Review authentication logs for unusual access patterns or locations
  • Check for unauthorized schema changes or table modifications

Mitigation Instructions:

  • Immediately rotate the service role JWT by navigating to your Supabase

dashboard

  • Go to Project Settings > API > Project API keys
  • Click "Regenerate" next to the service_role key
  • Update all legitimate applications with the new key
  • Review and strengthen Row Level Security (RLS) policies
  • Implement IP restrictions for API access if not already in place
  • Consider implementing additional monitoring for sensitive operations
  • Review application code to ensure service role tokens are not exposed in client-

side code