Supabase Service Role JWT

Description

General

• Documentation: https://supabase.io/docs/learn/auth-deep-dive/auth-deep-dive-jwts
• Summary: Supabase provides an assisted solution to deploy a web application backend (database and API). JWT tokens are used as a means of authentication when performing API calls. This detector aims at catching service role JWT tokens, that have admin rights over the whole database.
• IPs allowlist: This feature is not mentioned in the documentation.
• Scopes: All service role JWT tokens have admin rights over the account.

Revoke the secret

There currently isn't an automated way to rotate a JWT. If a JWT has been compromised, support@supabase.io can provide assistance.

Check for suspicious activity

This feature is not mentioned in the documentation.

Details for Supabase service role jwt

• Family: Api

• Category: Data storage

• Company: Supabase

• High recall: False

• Validity check available: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 4.86

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
    - supabase

Examples

- text: |
    supabase_service_role_jwt: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjMzNjIwMTcxLCJleHAiOjIyMDg5ODUyMDB9.pHnckabbMbwTHAJOkb5Z7G7B4chY6GllJf6K2m96z3A
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjMzNjIwMTcxLCJleHAiOjIyMDg5ODUyMDB9.pHnckabbMbwTHAJOkb5Z7G7B4chY6GllJf6K2m96z3A

Was this page helpful?