Supabase Anon Key Extraction

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.
Write to
.sb-pentest-context.json
IMMEDIATELY after each discovery
Log to
.sb-pentest-audit.log
BEFORE and AFTER each action
DO NOT wait until the skill completes to update files

If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.

This skill extracts the Supabase anonymous (public) API key from client-side code.

When to Use This Skill

After extracting the Supabase URL, to get the API key for testing
To verify that only the anon key (not service key) is exposed
Before running API audit skills that require authentication

Prerequisites

Supabase URL extracted (or will auto-invoke
```
supabase-extract-url
```
)
Target application accessible

Understanding Anon Keys

The anon key (also called public key) is:

✅ Expected to be in client-side code
✅ Safe when RLS (Row Level Security) is properly configured
⚠️ Risky if RLS is missing or misconfigured
❌ Not the same as the service_role key (which should NEVER be in client code)

Key Format

Supabase anon keys are JWTs:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFiYzEyMyIsInJvbGUiOiJhbm9uIiwiaWF0IjoxNjQwMDAwMDAwLCJleHAiOjE5NTUzNjAwMDB9.xxxx

Key characteristics:

Starts with
```
eyJ
```
(base64 encoded
```
{"alg":
```
)
Contains
```
"role":"anon"
```
in payload
Project reference in
```
"ref"
```
claim

Extraction Patterns

The skill searches for:

1. Direct Key Assignment

javascript

const SUPABASE_KEY = 'eyJhbGci...'
const SUPABASE_ANON_KEY = 'eyJhbGci...'

2. Client Initialization

javascript

createClient(url, 'eyJhbGci...')
createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY)

3. Environment Variable Patterns

javascript

NEXT_PUBLIC_SUPABASE_ANON_KEY
VITE_SUPABASE_ANON_KEY
REACT_APP_SUPABASE_KEY
SUPABASE_KEY

Usage

Basic Extraction

Extract Supabase anon key from https://myapp.example.com

If URL Already Known

Extract anon key for project abc123def

Output Format

═══════════════════════════════════════════════════════════
 ANON KEY EXTRACTED
═══════════════════════════════════════════════════════════

 Key Type: anon (public)
 Severity: ℹ️  Expected (verify RLS configuration)

 Key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJz
      dXBhYmFzZSIsInJlZiI6ImFiYzEyM2RlZiIsInJvbGUiOiJhbm
      9uIiwiaWF0IjoxNjQwMDAwMDAwLCJleHAiOjE5NTUzNjAwMDB9
      .xxxxxxxxxxxxx

 Decoded Payload:
 ├── iss: supabase
 ├── ref: abc123def
 ├── role: anon
 ├── iat: 2021-12-20T00:00:00Z
 └── exp: 2031-12-20T00:00:00Z

 Found in:
 └── /static/js/main.js (line 1253)
     createClient('https://abc123def.supabase.co', 'eyJhbGci...')

 Next Steps:
 ├── Run supabase-audit-rls to test if RLS protects your data
 ├── Run supabase-audit-tables-read to see what's accessible
 └── Run supabase-extract-service-key to check for critical leaks

 Context updated: .sb-pentest-context.json
═══════════════════════════════════════════════════════════

Key Validation

The skill validates the extracted key:

Validation:
├── Format: ✅ Valid JWT structure
├── Decode: ✅ Payload readable
├── Role: ✅ Confirmed "anon" role
├── Project: ✅ Matches extracted URL (abc123def)
└── Expiry: ✅ Not expired (expires 2031-12-20)

Multiple Keys

If multiple keys are found:

═══════════════════════════════════════════════════════════
 MULTIPLE KEYS FOUND
═══════════════════════════════════════════════════════════

 ⚠️  2 potential Supabase keys detected

 1. Anon Key (confirmed)
    └── Role: anon, Project: abc123def

 2. Unknown Key
    └── Role: service_role ⚠️  SEE supabase-extract-service-key
        This may be a CRITICAL security issue!

═══════════════════════════════════════════════════════════

Context Output

Saved to

.sb-pentest-context.json

json

{
  "supabase": {
    "anon_key": "eyJhbGci...",
    "anon_key_decoded": {
      "iss": "supabase",
      "ref": "abc123def",
      "role": "anon",
      "iat": 1640000000,
      "exp": 1955360000
    },
    "anon_key_sources": [
      {
        "file": "/static/js/main.js",
        "line": 1253
      }
    ]
  }
}

Security Assessment

Finding	Severity	Description
Anon key in client	ℹ️ Info	Expected, but test RLS
Anon key expired	⚠️ P2	Key should be rotated
Multiple anon keys	⚠️ P2	May indicate key rotation issues
Role is not "anon"	🔴 P0	Wrong key type exposed!

Common Issues

❌ Problem: Key found but won't decode ✅ Solution: May be obfuscated or split. Try:

Extract anon key with deobfuscation from https://myapp.example.com

❌ Problem: Key doesn't match URL project ✅ Solution: App may use multiple Supabase projects. Both keys are recorded.

❌ Problem: No key found but Supabase detected ✅ Solution: Key may be fetched at runtime. Check network requests:

Monitor network for anon key on https://myapp.example.com

Best Practices Reminder

For developers reading this report:

Anon key in client is normal — It's designed for this
RLS is critical — The anon key relies on RLS for security
Never use service_role in client — Use Edge Functions instead
Rotate keys periodically — Available in Supabase Dashboard

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

Before starting any action → Log the action to
```
.sb-pentest-audit.log
```
After each discovery → Immediately update
```
.sb-pentest-context.json
```
After each significant step → Log completion to
```
.sb-pentest-audit.log
```

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

Update
.sb-pentest-context.json
with extracted data:

json

{
  "supabase": {
    "anon_key": "eyJhbGci...",
    "anon_key_decoded": { ... },
    "anon_key_sources": [ ... ]
  }
}

Log to
.sb-pentest-audit.log
:

[TIMESTAMP] [supabase-extract-anon-key] [START] Beginning anon key extraction
[TIMESTAMP] [supabase-extract-anon-key] [SUCCESS] Anon key extracted
[TIMESTAMP] [supabase-extract-anon-key] [CONTEXT_UPDATED] .sb-pentest-context.json updated

If files don't exist, create them before writing.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

📁 Evidence Directory:

.sb-pentest-evidence/02-extraction/

Evidence Files to Create

File	Content
`extracted-anon-key.json`	Anon key with decoded JWT payload

Evidence Format

json

{
  "evidence_id": "EXT-ANON-001",
  "timestamp": "2025-01-31T10:07:00Z",
  "category": "extraction",
  "type": "anon_key",
  "severity": "info",

  "key_data": {
    "key_prefix": "eyJhbGciOiJIUzI1NiI...",
    "key_suffix": "...xxxx",
    "full_key_length": 256
  },

  "decoded_payload": {
    "iss": "supabase",
    "ref": "abc123def",
    "role": "anon",
    "iat": "2021-12-20T00:00:00Z",
    "exp": "2031-12-20T00:00:00Z"
  },

  "source": {
    "file": "/static/js/main.js",
    "line": 1253,
    "context": "createClient('https://abc123def.supabase.co', 'eyJhbGci...')"
  },

  "validation": {
    "format_valid": true,
    "role_confirmed": "anon",
    "project_matches": true,
    "expired": false
  }
}

Related Skills

```
supabase-extract-url
```
— Get URL first (auto-invoked if needed)
```
supabase-extract-service-key
```
— Check for critical service key leak
```
supabase-audit-rls
```
— Test if RLS protects your data
```
supabase-audit-tables-read
```
— See what data is accessible with this key

supabase-extract-anon-key

NPX Install

Tags

SKILL.md Content

Supabase Anon Key Extraction

When to Use This Skill

Prerequisites

Understanding Anon Keys

Key Format

Extraction Patterns

1. Direct Key Assignment

2. Client Initialization

3. Environment Variable Patterns

Usage

Basic Extraction

If URL Already Known

Output Format

Key Validation

Multiple Keys

Context Output

Security Assessment

Common Issues

Best Practices Reminder

MANDATORY: Progressive Context File Updates

Critical Rule: Write As You Go

Required Actions (Progressive)

MANDATORY: Evidence Collection

Evidence Files to Create

Evidence Format

Related Skills