Skip to main content

Supabase Service Role JWT

Description#

General#

  • Documentation: https://supabase.io/docs/learn/auth-deep-dive/auth-deep-dive-jwts
  • Summary: Supabase provides an assisted solution to deploy a web application backend (database and api). JWT tokens are used as a means of authentication when performing API calls. This detector aims at catching service role JWT tokens, that have admin rights over the whole database.
  • IPs allowlist: This feature is not mentioned in the documentation.
  • Scopes: All service role JWT tokens have admin rights over the account.

Revoke the secret#

There currently isn't an automated way to rotate a JWT. If a JWT has been compromised, support@supabase.io can provide assistance.

Check for suspicious activity#

This feature is not mentioned in the documentation.

Details for Supabase service role jwt#

  • Family: Api

  • Category: Other

  • Company: Supabase

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 1.6

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator  banlist_extensions:  - ^(cs|x|p|s|r|m)?html5?~?$  - ^[aps]?cssc?~?$  - ^lock$  - ^mdx?~?$  - ^storyboard(c|er)?~?$  - ^xib$  banlist_filenames: []  check_binaries: false- type: ContentWhitelistPreValidator  patterns:  - supabase

Examples#

- text: >    supabase_service_role_jwt: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjMzNjIwMTcxLCJleHAiOjIyMDg5ODUyMDB9.pHnckabbMbwTHAJOkb5Z7G7B4chY6GllJf6K2m96z3A  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjMzNjIwMTcxLCJleHAiOjIyMDg5ODUyMDB9.pHnckabbMbwTHAJOkb5Z7G7B4chY6GllJf6K2m96z3A