home / skills / yoanbernabeu / supabase-pentest-skills / supabase-extract-jwt

supabase-extract-jwt skill

safe

This skill extracts and analyzes Supabase JWTs from client code and storage patterns to uncover exposure, risks, and misconfigurations.

npx playbooks add skill yoanbernabeu/supabase-pentest-skills --skill supabase-extract-jwt

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

10.0 KB

---
name: supabase-extract-jwt
description: Extract and decode Supabase-related JWTs from client-side code, cookies, and local storage patterns.
---

# Supabase JWT Extraction

> 🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**
>
> You MUST write to context files **AS YOU GO**, not just at the end.
> - Write to `.sb-pentest-context.json` **IMMEDIATELY after each discovery**
> - Log to `.sb-pentest-audit.log` **BEFORE and AFTER each action**
> - **DO NOT** wait until the skill completes to update files
> - If the skill crashes or is interrupted, all prior findings must already be saved
>
> **This is not optional. Failure to write progressively is a critical error.**

This skill extracts and analyzes JSON Web Tokens (JWTs) related to Supabase from client-side code.

## When to Use This Skill

- To find all JWT tokens exposed in client code
- To analyze token claims and expiration
- To detect hardcoded user tokens (security issue)
- To understand the authentication flow

## Prerequisites

- Target application accessible
- Supabase detection completed (auto-invokes if needed)

## Types of JWTs in Supabase

| Type | Purpose | Client Exposure |
|------|---------|-----------------|
| Anon Key | API authentication | ✅ Expected |
| Service Role Key | Admin access | ❌ Never |
| Access Token | User session | ⚠️ Dynamic only |
| Refresh Token | Token renewal | ⚠️ Dynamic only |

## Detection Patterns

### 1. API Keys (Static)

```javascript
// Supabase API keys are JWTs
const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
```

### 2. Hardcoded User Tokens (Problem)

```javascript
// ❌ Should never be hardcoded
const userToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZW1haWwiOiJ1c2VyQGV4YW1wbGUuY29tIn0...'
```

### 3. Storage Key Patterns

```javascript
// Code referencing where JWTs are stored
localStorage.getItem('supabase.auth.token')
localStorage.getItem('sb-abc123-auth-token')
sessionStorage.getItem('supabase_session')
```

## Usage

### Basic Extraction

```
Extract JWTs from https://myapp.example.com
```

### With Claim Analysis

```
Extract and analyze all JWTs from https://myapp.example.com
```

## Output Format

```
═══════════════════════════════════════════════════════════
 JWT EXTRACTION RESULTS
═══════════════════════════════════════════════════════════

 Found: 3 JWTs

 ─────────────────────────────────────────────────────────
 JWT #1: Supabase Anon Key
 ─────────────────────────────────────────────────────────
 Type: API Key (anon)
 Status: ✅ Expected in client code

 Header:
 ├── alg: HS256
 └── typ: JWT

 Payload:
 ├── iss: supabase
 ├── ref: abc123def
 ├── role: anon
 ├── iat: 2021-12-20T00:00:00Z
 └── exp: 2031-12-20T00:00:00Z

 Location: /static/js/main.js:1247

 ─────────────────────────────────────────────────────────
 JWT #2: Hardcoded User Token ⚠️
 ─────────────────────────────────────────────────────────
 Type: User Access Token
 Status: ⚠️ P1 - Should not be hardcoded

 Header:
 ├── alg: HS256
 └── typ: JWT

 Payload:
 ├── sub: 12345678-1234-1234-1234-123456789012
 ├── email: [email protected]
 ├── role: authenticated
 ├── iat: 2025-01-15T10:00:00Z
 └── exp: 2025-01-15T11:00:00Z (EXPIRED)

 Location: /static/js/debug.js:45

 Risk: This token may belong to a real user account.
       Even if expired, it reveals user information.

 ─────────────────────────────────────────────────────────
 JWT #3: Storage Reference
 ─────────────────────────────────────────────────────────
 Type: Storage Key Pattern
 Status: ℹ️ Informational

 Pattern: localStorage.getItem('sb-abc123def-auth-token')
 Location: /static/js/auth.js:89

 Note: This is the expected storage key for user sessions.
       Actual token value is set at runtime.

═══════════════════════════════════════════════════════════
```

## JWT Claim Analysis

The skill identifies key claims:

### Standard Claims

| Claim | Description | Security Impact |
|-------|-------------|-----------------|
| `sub` | User ID | Identifies specific user |
| `email` | User email | PII exposure if hardcoded |
| `role` | Permission level | `service_role` is critical |
| `exp` | Expiration | Expired tokens less risky |
| `iat` | Issued at | Indicates when created |

### Supabase-Specific Claims

| Claim | Description |
|-------|-------------|
| `ref` | Project reference |
| `iss` | Should be "supabase" |
| `aal` | Authenticator assurance level |
| `amr` | Authentication methods used |

## Security Findings

### P0 - Critical

```
🔴 Service role key exposed (role: service_role)
   → Immediate key rotation required
```

### P1 - High

```
🟠 User token hardcoded with PII (email, sub visible)
   → Remove from code, may need to notify user
```

### P2 - Medium

```
🟡 Expired test token in code
   → Clean up, potential information disclosure
```

## Context Output

Saved to `.sb-pentest-context.json`:

```json
{
  "jwts": {
    "found": 3,
    "api_keys": [
      {
        "type": "anon",
        "project_ref": "abc123def",
        "location": "/static/js/main.js:1247"
      }
    ],
    "user_tokens": [
      {
        "type": "access_token",
        "hardcoded": true,
        "severity": "P1",
        "claims": {
          "sub": "12345678-1234-1234-1234-123456789012",
          "email": "[email protected]",
          "expired": true
        },
        "location": "/static/js/debug.js:45"
      }
    ],
    "storage_patterns": [
      {
        "pattern": "sb-abc123def-auth-token",
        "storage": "localStorage",
        "location": "/static/js/auth.js:89"
      }
    ]
  }
}
```

## Common Issues

❌ **Problem:** JWT appears truncated
✅ **Solution:** May span multiple lines. The skill attempts to reassemble.

❌ **Problem:** JWT won't decode
✅ **Solution:** May be encrypted (JWE) or custom format. Noted as undecodable.

❌ **Problem:** Many false positives
✅ **Solution:** Base64 strings that look like JWTs. Skill validates structure.

## Remediation for Hardcoded Tokens

### Before (Wrong)

```javascript
// ❌ Never hardcode user tokens
const adminToken = 'eyJhbGciOiJIUzI1NiI...'
fetch('/api/admin', {
  headers: { Authorization: `Bearer ${adminToken}` }
})
```

### After (Correct)

```javascript
// ✅ Get token from Supabase session
const { data: { session } } = await supabase.auth.getSession()
fetch('/api/admin', {
  headers: { Authorization: `Bearer ${session.access_token}` }
})
```

## MANDATORY: Progressive Context File Updates

⚠️ **This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.**

### Critical Rule: Write As You Go

**DO NOT** batch all writes at the end. Instead:

1. **Before starting any action** → Log the action to `.sb-pentest-audit.log`
2. **After each discovery** → Immediately update `.sb-pentest-context.json`
3. **After each significant step** → Log completion to `.sb-pentest-audit.log`

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

### Required Actions (Progressive)

1. **Update `.sb-pentest-context.json`** with extracted data:
   ```json
   {
     "jwts": {
       "found": 3,
       "api_keys": [ ... ],
       "user_tokens": [ ... ],
       "storage_patterns": [ ... ]
     }
   }
   ```

2. **Log to `.sb-pentest-audit.log`**:
   ```
   [TIMESTAMP] [supabase-extract-jwt] [START] Beginning JWT extraction
   [TIMESTAMP] [supabase-extract-jwt] [SUCCESS] Found 3 JWTs
   [TIMESTAMP] [supabase-extract-jwt] [CONTEXT_UPDATED] .sb-pentest-context.json updated
   ```

3. **If files don't exist**, create them before writing.

**FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.**

## MANDATORY: Evidence Collection

📁 **Evidence Directory:** `.sb-pentest-evidence/02-extraction/`

### Evidence Files to Create

| File | Content |
|------|---------|
| `extracted-jwts.json` | All JWTs found with analysis |

### Evidence Format

```json
{
  "evidence_id": "EXT-JWT-001",
  "timestamp": "2025-01-31T10:08:00Z",
  "category": "extraction",
  "type": "jwt_extraction",

  "jwts_found": [
    {
      "type": "anon_key",
      "severity": "info",
      "location": "/static/js/main.js:1247",
      "decoded_payload": {
        "iss": "supabase",
        "ref": "abc123def",
        "role": "anon"
      }
    },
    {
      "type": "hardcoded_user_token",
      "severity": "P1",
      "location": "/static/js/debug.js:45",
      "decoded_payload": {
        "sub": "[REDACTED]",
        "email": "[REDACTED]@example.com",
        "role": "authenticated",
        "exp": "2025-01-15T11:00:00Z"
      },
      "expired": true,
      "issue": "Hardcoded user token with PII"
    }
  ],

  "storage_patterns_found": [
    {
      "pattern": "localStorage.getItem('sb-abc123def-auth-token')",
      "location": "/static/js/auth.js:89"
    }
  ]
}
```

## Related Skills

- `supabase-extract-anon-key` — Specifically extracts the anon key
- `supabase-extract-service-key` — Checks for service key (critical)
- `supabase-audit-auth-config` — Analyzes auth configuration

Overview

This skill extracts and decodes Supabase-related JSON Web Tokens (JWTs) from client-side code, cookies, and common local/session storage patterns. It identifies API keys, hardcoded user tokens, storage key patterns, and decodes JWT headers and claims to surface sensitive data and misconfigurations. Results are formatted for security triage with severity guidance and remediation suggestions.

How this skill works

The skill scans HTML, JavaScript bundles, cookies, localStorage, and sessionStorage for JWT-looking strings and known Supabase key patterns. It validates token structure, attempts base64 decoding of header and payload, classifies tokens (anon, service_role, access, refresh), and highlights risky findings like hardcoded user tokens or exposed service keys. The output includes locations, decoded claims, perceived severity, and recommended remediations.

When to use it

During a client-side security assessment of a Supabase application
When hunting for exposed API keys, user tokens, or session storage patterns
Before production releases to ensure no hardcoded credentials remain
To audit an app after a reported credential exposure
As part of automated scanning in a pentest workflow

Best practices

Treat service_role keys as immediately critical if found; rotate them and revoke access
Flag hardcoded user access or refresh tokens as high-risk and remove them from source
Verify decoded claims for PII before sharing findings; redact identifiers and emails in reports
Confirm storage patterns at runtime since storage keys may be set dynamically
Distinguish anon keys (expected) from service/admin keys (not allowed in client code)

Example use cases

Scan a deployed web app to find anon and service role keys embedded in JS bundles
Find hardcoded access tokens in debug builds and confirm claim expiration and PII exposure
Detect localStorage/sessionStorage keys like 'supabase.auth.token' or 'sb-*-auth-token' and report storage locations
Produce a concise extraction report listing decoded claims, file locations, and remediation steps for developers

FAQ

Will this skill attempt to use or validate tokens against Supabase APIs?

No. It only extracts and decodes token structure and claims. Active validation or using tokens to access APIs is not performed by this skill.

Can it distinguish anon keys from service role keys?

Yes. It classifies keys based on token claims and role fields. Service role keys are flagged as critical if detected in client code.