- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Extract Anon Key
supabase-extract-anon-key_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-extract-anon-key- SKILL.md9.0 KB
Overview
This skill extracts the Supabase anon (public) API key from client-side code and validates its format and claims. It records discovery context and evidence immediately so findings are preserved during interruption. Use the result to drive RLS testing and further API audits.
How this skill works
The skill scans client assets and build artifacts for common key patterns, createClient calls, and environment variable usages. It validates JWT structure, decodes the payload to confirm the role and project ref, and matches the key to any known Supabase URL. Every discovery is logged and saved progressively to context and evidence files.
When to use it
- After locating a Supabase project URL to obtain the public key for testing
- Before running RLS or table-read audits that need an anon key
- When verifying that only anon (not service_role) keys appear in client code
- When keys may be obfuscated, split across lines, or provided via env variables
- When network-fetched keys need confirmation of origin and claims
Best practices
- Record findings progressively: log actions and update context immediately after each discovery
- Validate key structure and decode payload to confirm role=anon and matching project ref
- Treat anon keys as expected but rely on RLS for actual security testing
- Flag and escalate any non-anon (service_role) keys found in client code
- Collect structured evidence (timestamped JSON) and include file/line context for reproducibility
Example use cases
- Extract anon key from https://myapp.example.com to prepare for RLS tests
- Scan static/js bundles to find createClient(url, 'eyJ...') calls and decode the token
- Search for env var patterns (NEXT_PUBLIC_SUPABASE_ANON_KEY, VITE_SUPABASE_ANON_KEY) in built artifacts
- Confirm that a discovered JWT has role=anon and matches the project ref from the Supabase URL
- Produce a small evidence JSON with decoded payload and source file/line for audit reports
FAQ
No—anon keys are expected in client apps, but they rely on properly configured RLS; test RLS to assess actual risk.
What if the key won't decode?
It may be obfuscated or split. Try deobfuscation and reassembly, or monitor network requests at runtime.
What if multiple keys are found?
Record each key, decode payloads, and flag any non-anon roles (service_role) as critical.