- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Extract Jwt
supabase-extract-jwt_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-extract-jwt- SKILL.md10.0 KB
Overview
This skill extracts and decodes Supabase-related JSON Web Tokens (JWTs) from client-side code, cookies, and common local/session storage patterns. It identifies API keys, hardcoded user tokens, storage key patterns, and decodes JWT headers and claims to surface sensitive data and misconfigurations. Results are formatted for security triage with severity guidance and remediation suggestions.
How this skill works
The skill scans HTML, JavaScript bundles, cookies, localStorage, and sessionStorage for JWT-looking strings and known Supabase key patterns. It validates token structure, attempts base64 decoding of header and payload, classifies tokens (anon, service_role, access, refresh), and highlights risky findings like hardcoded user tokens or exposed service keys. The output includes locations, decoded claims, perceived severity, and recommended remediations.
When to use it
- During a client-side security assessment of a Supabase application
- When hunting for exposed API keys, user tokens, or session storage patterns
- Before production releases to ensure no hardcoded credentials remain
- To audit an app after a reported credential exposure
- As part of automated scanning in a pentest workflow
Best practices
- Treat service_role keys as immediately critical if found; rotate them and revoke access
- Flag hardcoded user access or refresh tokens as high-risk and remove them from source
- Verify decoded claims for PII before sharing findings; redact identifiers and emails in reports
- Confirm storage patterns at runtime since storage keys may be set dynamically
- Distinguish anon keys (expected) from service/admin keys (not allowed in client code)
Example use cases
- Scan a deployed web app to find anon and service role keys embedded in JS bundles
- Find hardcoded access tokens in debug builds and confirm claim expiration and PII exposure
- Detect localStorage/sessionStorage keys like 'supabase.auth.token' or 'sb-*-auth-token' and report storage locations
- Produce a concise extraction report listing decoded claims, file locations, and remediation steps for developers
FAQ
No. It only extracts and decodes token structure and claims. Active validation or using tokens to access APIs is not performed by this skill.
Can it distinguish anon keys from service role keys?
Yes. It classifies keys based on token claims and role fields. Service role keys are flagged as critical if detected in client code.