
This skill helps you secure Supabase keys and enforce least-privilege access while auditing configurations across environments.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill supabase-security-basics


Files (4): SKILL.md (1.1 KB)
---
name: supabase-security-basics
description: |
  Apply Supabase security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing Supabase security configuration.
  Trigger with phrases like "supabase security", "supabase secrets",
  "secure supabase", "supabase API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Supabase Security Basics

## Prerequisites
- Supabase SDK installed
- Understanding of environment variables
- Access to Supabase dashboard

See `{baseDir}/references/implementation.md` for detailed implementation guide.

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling

See `{baseDir}/references/errors.md` for comprehensive error handling.

## Examples

See `{baseDir}/references/examples.md` for detailed examples.

## Resources
- [Supabase Security Guide](https://supabase.com/docs/security)
- [Supabase API Scopes](https://supabase.com/docs/scopes)

Overview

This skill applies Supabase security best practices for secrets and access control so a project can be hardened quickly. It guides secure API key storage, environment-specific access rules, and enabling audit logging. Use it to enforce least privilege and to keep production credentials out of source code and client builds.

How this skill works

The skill inspects Supabase configuration and deployment patterns to recommend and apply secure settings for API keys, service roles, and RLS policies. It verifies that secrets are loaded from environment variables or a secrets manager rather than hard-coded, validates that each integration uses the narrowest key that works, and flags any service_role credential that reaches client-side code. It also checks whether audit logging is enabled and provides remediation steps and code snippets to implement fixes.
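The check that matters most in that list is "no Supabase key committed to source". The scanner below is an added example, not one of the skill's own files, and it goes a little beyond the paragraph: rather than matching on a fixed string it recognises both key formats Supabase has issued (legacy keys are JWTs whose payload carries "iss": "supabase" and a "role" claim of "anon" or "service_role"; newer keys use the sb_publishable_ / sb_secret_ prefixes) and grades each hit by the power the key carries. The file names, the tokens and the .env contents are constructed for the demo; the tokens are unsigned and not real keys.

```python
"""Scan source and config files for committed Supabase API keys.

Added example, not part of the skill's own files. A service_role or sb_secret_
key is a high-severity finding wherever it sits; anon / sb_publishable_ keys
are medium, because a hard-coded public key still has to be rotated by hand
and still bypasses whatever secrets manager the project uses.
"""
import base64
import json
import re
from dataclasses import dataclass
from pathlib import Path

# Three base64url segments; header and payload of a JSON-object JWT both start with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
PREFIXED_RE = re.compile(r"\bsb_(publishable|secret)_[A-Za-z0-9_-]+")
SERVER_KINDS = {"service_role", "sb_secret"}


@dataclass
class Finding:
    path: str
    line: int
    kind: str       # service_role | anon | sb_secret | sb_publishable
    severity: str   # high | medium
    snippet: str    # redacted, never the full key


def supabase_jwt_role(token: str):
    """Return the 'role' claim if token looks like a Supabase JWT, else None.

    The signature is deliberately not verified: a scanner does not hold the
    project's JWT secret, and an unverifiable key in source is still a leak.
    """
    try:
        payload_b64 = token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)   # restore stripped padding
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (IndexError, ValueError):   # bad base64 and bad JSON are both ValueError subclasses
        return None
    if not isinstance(payload, dict) or payload.get("iss") != "supabase":
        return None
    return payload.get("role")


def redact(secret: str) -> str:
    """Keep just enough to locate the key in the file; never echo the whole value."""
    return f"{secret[:12]}...{secret[-4:]}"


def scan_text(text: str, path: str = "<memory>") -> list:
    """Scan one file's contents and return Findings, one per key occurrence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in JWT_RE.finditer(line):
            role = supabase_jwt_role(m.group(0))
            if role in ("anon", "service_role"):
                sev = "high" if role == "service_role" else "medium"
                findings.append(Finding(path, lineno, role, sev, redact(m.group(0))))
        for m in PREFIXED_RE.finditer(line):
            kind = f"sb_{m.group(1)}"
            sev = "high" if kind in SERVER_KINDS else "medium"
            findings.append(Finding(path, lineno, kind, sev, redact(m.group(0))))
    return findings


SCAN_SUFFIXES = {".js", ".ts", ".tsx", ".jsx", ".py", ".json", ".yml", ".yaml", ".toml", ".html"}
SKIP_DIRS = {"node_modules", ".git", "dist", "build"}


def scan_tree(root: str) -> list:
    """Walk a checkout; .env* files are scanned too because committing them is the usual leak."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or SKIP_DIRS.intersection(p.parts):
            continue
        if p.suffix in SCAN_SUFFIXES or p.name.startswith(".env"):
            findings.extend(scan_text(p.read_text(encoding="utf-8", errors="ignore"), str(p)))
    return findings


# --- constructed demo input (unsigned tokens, not real keys) -----------------
def fake_jwt(claims: dict) -> str:
    """Unsigned JWT with the given payload, used only to exercise the scanner."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}.nosig"


def fake_supabase_jwt(role: str) -> str:
    """Token with Supabase's legacy claim layout for the given role (constructed)."""
    return fake_jwt({"iss": "supabase", "ref": "exampleref0000000000", "role": role,
                     "iat": 1700000000, "exp": 2000000000})


SAMPLE_FILES = {
    # browser bundle wrongly embedding the server key: high
    "web/app.js": f'const supabase = createClient(URL, "{fake_supabase_jwt("service_role")}");\n',
    # server code reading the key from the environment: clean
    "api/db.py": 'key = os.environ["SUPABASE_SERVICE_ROLE_KEY"]\n',
    # a committed .env: the public key is medium, the secret key is high
    ".env": f"SUPABASE_ANON_KEY={fake_supabase_jwt('anon')}\nSUPABASE_SECRET=sb_secret_constructed0000example\n",
}


def demo() -> dict:
    """Scan the constructed samples; returns {kind: count} and the worst severity seen."""
    counts = {}
    worst = "none"
    for name, text in SAMPLE_FILES.items():
        for f in scan_text(text, name):
            counts[f.kind] = counts.get(f.kind, 0) + 1
            if f.severity == "high":
                worst = "high"
            elif worst != "high":
                worst = "medium"
    return {"counts": counts, "worst": worst}


if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for f in scan_text(text, name):
            print(f"{f.severity.upper():6} {f.path}:{f.line} {f.kind} {f.snippet}")
    print(demo())
```

Run `scan_tree(".")` from the repository root (or over each commit in CI) and fail the build on any high finding; a medium finding in a committed .env file is still worth failing on, since the file should be gitignored. The snippet is redacted on purpose so the scanner's own output does not become a second place the key is written down.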

When to use it

  • Before deploying to production to validate secrets and access controls
  • When rotating API keys or onboarding new services that need Supabase access
  • During security audits or compliance reviews of database access
  • If you detect unexpected reads/writes or suspect over-privileged credentials
  • When implementing environment-specific separation (dev/staging/prod)

Best practices

  • Never hard-code Supabase keys in source or commit .env files; load them from environment variables or a secrets manager
  • Apply least privilege: use the anon key for public, RLS-governed access and the service_role key, which bypasses Row Level Security, only where absolutely required
  • Enable Row Level Security on every exposed table and define granular policies per table and role, with WITH CHECK clauses on write policies
  • Use scoped API keys for integrations and never ship a service_role key in client apps, mobile builds, or browser bundles
  • Rotate keys regularly and automate revocation; treat any key that has reached a client or a public repository as compromised
  • Enable audit logging and monitor access patterns for anomalies

Example use cases

  • Audit a project to ensure no API keys are committed in code and all secrets are environment-based
  • Implement least-privilege role separation and RLS policies for a multi-tenant app
  • Migrate stored keys to a secrets manager and update deployment pipelines
  • Configure scoped API keys for third-party integrations with minimal privileges
  • Enable and verify audit logging to meet compliance or incident response requirements
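For the multi-tenant RLS use case above, the generator below is an added example, not code from the skill or from Supabase. It assumes a layout that is common but not universal: every tenant-scoped table has a tenant_id column, and a public.tenant_members table (tenant_id, user_id, role) records which authenticated user belongs to which tenant with which role. The policies are granted TO authenticated only and use Supabase's auth.uid() helper, so the anon key gets no rows; the table names and roles in the demo are constructed. It emits SQL for review and application as a migration and never connects to a database.

```python
"""Generate Row Level Security DDL for a multi-tenant Supabase schema.

Added example, not the skill's own code. Assumes tenant_id columns on each
scoped table and a public.tenant_members(tenant_id, user_id, role) table.
"""
import re
from dataclasses import dataclass

IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]*$")


def ident(name: str) -> str:
    """Refuse anything but a plain lowercase identifier, so a table or role name
    cannot smuggle extra SQL into the generated migration."""
    if not IDENT_RE.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


@dataclass(frozen=True)
class TenantTable:
    name: str
    schema: str = "public"
    writer_roles: tuple = ("owner", "admin")   # membership roles allowed to write rows


def membership(tenant_expr: str, roles=()) -> str:
    """EXISTS subquery: the caller is a member of the row's tenant, optionally with one of `roles`.
    RLS on tenant_members still applies inside this subquery, which is fine because
    members are allowed to read their own membership rows (see rls_for_membership_table)."""
    cond = f"m.tenant_id = {tenant_expr} AND m.user_id = auth.uid()"
    if roles:
        cond += " AND m.role IN (" + ", ".join(f"'{ident(r)}'" for r in roles) + ")"
    return f"EXISTS (SELECT 1 FROM public.tenant_members m WHERE {cond})"


def rls_for_table(t: TenantTable) -> list:
    """One statement list per tenant-scoped table: enable, lock out anon, four policies."""
    fq = f"{ident(t.schema)}.{ident(t.name)}"          # validates both names before any use
    read = membership(f"{t.name}.tenant_id")
    write = membership(f"{t.name}.tenant_id", t.writer_roles)
    return [
        f"ALTER TABLE {fq} ENABLE ROW LEVEL SECURITY;",
        # FORCE makes the table owner obey the policies too; roles with BYPASSRLS
        # (Supabase's service_role) remain exempt, which is why that key stays server-side.
        f"ALTER TABLE {fq} FORCE ROW LEVEL SECURITY;",
        # The public key gets no table access at all; everything goes through authenticated + RLS.
        f"REVOKE ALL ON {fq} FROM anon;",
        f"DROP POLICY IF EXISTS {t.name}_select ON {fq};",
        f"CREATE POLICY {t.name}_select ON {fq} FOR SELECT TO authenticated USING ({read});",
        f"DROP POLICY IF EXISTS {t.name}_insert ON {fq};",
        # INSERT has no existing row to test, so it takes WITH CHECK only.
        f"CREATE POLICY {t.name}_insert ON {fq} FOR INSERT TO authenticated WITH CHECK ({write});",
        f"DROP POLICY IF EXISTS {t.name}_update ON {fq};",
        # USING picks the rows that may be touched; WITH CHECK stops moving a row into another tenant.
        f"CREATE POLICY {t.name}_update ON {fq} FOR UPDATE TO authenticated USING ({write}) WITH CHECK ({write});",
        f"DROP POLICY IF EXISTS {t.name}_delete ON {fq};",
        f"CREATE POLICY {t.name}_delete ON {fq} FOR DELETE TO authenticated USING ({write});",
    ]


def rls_for_membership_table() -> list:
    """tenant_members: a user may read only their own memberships. Membership changes are
    left to server-side code holding service_role, so no write policy is created at all."""
    fq = "public.tenant_members"
    return [
        f"ALTER TABLE {fq} ENABLE ROW LEVEL SECURITY;",
        f"ALTER TABLE {fq} FORCE ROW LEVEL SECURITY;",
        f"REVOKE ALL ON {fq} FROM anon;",
        f"DROP POLICY IF EXISTS tenant_members_select ON {fq};",
        f"CREATE POLICY tenant_members_select ON {fq} FOR SELECT TO authenticated USING (user_id = auth.uid());",
    ]


def migration(tables) -> str:
    """Whole migration as one transaction so a half-applied policy set is never left behind."""
    stmts = ["BEGIN;", *rls_for_membership_table()]
    for t in tables:
        stmts.extend(rls_for_table(t))
    stmts.append("COMMIT;")
    return "\n".join(stmts) + "\n"


if __name__ == "__main__":
    # constructed demo schema: two tenant-scoped tables with different write permissions
    print(migration([TenantTable("documents"), TenantTable("invoices", writer_roles=("owner",))]))
```

Review the generated SQL before applying it and check it in the SQL editor as an authenticated user with a test JWT; with RLS enabled and no matching policy, reads return zero rows rather than an error, which is easy to mistake for an empty table.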

FAQ

Can I use the service_role key in client applications?

No. The service_role key bypasses Row Level Security, so anyone holding it can read and write every table regardless of policy; it must never be exposed to clients. Use the anon key (with RLS enforced) or scoped keys for client access and restrict service_role to server-side code only. If a service_role key has ever shipped in a client build or a public repository, treat it as compromised and rotate it immediately.

How do I rotate Supabase API keys safely?

Create a new key with the same required scope, update server-side deployments and secrets stores, verify operation, then revoke the old key. Before revoking, confirm nothing still references the old key (search the codebase, CI variables, and deployed configuration) and watch for authentication failures after the switch. Automate rotation and include rollout checks to avoid downtime.