supabase-extract-jwt_skill

This skill extracts and analyzes Supabase JWTs from client code and storage patterns to uncover exposure, risks, and misconfigurations.

27

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-extract-jwt

  • SKILL.md10.0 KB

Overview

This skill extracts and decodes Supabase-related JSON Web Tokens (JWTs) from client-side code, cookies, and common local/session storage patterns. It identifies API keys, hardcoded user tokens, storage key patterns, and decodes JWT headers and claims to surface sensitive data and misconfigurations. Results are formatted for security triage with severity guidance and remediation suggestions.

How this skill works

The skill scans HTML, JavaScript bundles, cookies, localStorage, and sessionStorage for JWT-looking strings and known Supabase key patterns. It validates token structure, attempts base64 decoding of header and payload, classifies tokens (anon, service_role, access, refresh), and highlights risky findings like hardcoded user tokens or exposed service keys. The output includes locations, decoded claims, perceived severity, and recommended remediations.

When to use it

  • During a client-side security assessment of a Supabase application
  • When hunting for exposed API keys, user tokens, or session storage patterns
  • Before production releases to ensure no hardcoded credentials remain
  • To audit an app after a reported credential exposure
  • As part of automated scanning in a pentest workflow

Best practices

  • Treat service_role keys as immediately critical if found; rotate them and revoke access
  • Flag hardcoded user access or refresh tokens as high-risk and remove them from source
  • Verify decoded claims for PII before sharing findings; redact identifiers and emails in reports
  • Confirm storage patterns at runtime since storage keys may be set dynamically
  • Distinguish anon keys (expected) from service/admin keys (not allowed in client code)

Example use cases

  • Scan a deployed web app to find anon and service role keys embedded in JS bundles
  • Find hardcoded access tokens in debug builds and confirm claim expiration and PII exposure
  • Detect localStorage/sessionStorage keys like 'supabase.auth.token' or 'sb-*-auth-token' and report storage locations
  • Produce a concise extraction report listing decoded claims, file locations, and remediation steps for developers

FAQ

No. It only extracts and decodes token structure and claims. Active validation or using tokens to access APIs is not performed by this skill.

Can it distinguish anon keys from service role keys?

Yes. It classifies keys based on token claims and role fields. Service role keys are flagged as critical if detected in client code.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
supabase-extract-jwt skill by yoanbernabeu/supabase-pentest-skills | VeilStrat