Patterns the scanner flags:
- VITE_SUPABASE_SERVICE_ROLE_KEY or NEXT_PUBLIC_... paired with service-role wording.
- sb_secret_ in frontend code or public build notes.
- Supabase client initialized in a browser file with admin credentials.
Lovable Service-Role Exposure Check
Paste redacted client snippets, env variable names, generated Supabase client code, or migration notes and get a local-only exposure packet for service-role misuse, browser-bundled secret keys, permissive RLS shortcuts, and incomplete rotation steps.
Local scanner
Do not paste actual keys, JWTs, cookies, database URLs, private rows, private screenshots, payment data, full names, private handles, or account records. If a real service-role value was ever public, rotate it from Supabase directly.
Exposure packet
- Permissive RLS policies: USING (true), missing owner checks, or broad authenticated-role policies.
- Fixes that swapped RLS errors for service-role bypass.
- No wrong-owner or wrong-tenant smoke tests.
- No note proving key rotation happened.
- No chat/repo/bundle cleanup checklist.
- No local replay test after removing the bypass.
Use the result
If the packet reports high severity, rotate the exposed key and move every service-role use behind a server boundary (for example an Edge Function) before launch. Then run the generated-app and grants checkers. The paid report covers one redacted packet, once the scope is clear.
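As an added, constructed example (not the page's scanner, and not Supabase or Lovable code), the checks above written out in Node.js: it scans redacted snippets for public-prefix env names tied to service-role or secret wording, sb_secret_ material, a browser-side createClient call fed an admin key, USING (true) or owner-check-free policies in migrations, and a missing rotation note, then rolls the findings up to a packet severity. Rule names, the browser-path heuristic (anything not under supabase/functions/ is treated as shipped to the browser), the sample files and the policy text are all assumptions made for illustration.

```javascript
// Added example, not the page's own scanner: a local-only exposure scan over
// redacted snippets. Rule names, the path heuristic and sample inputs are constructed.

// Build-time prefixes that land in the browser bundle, combined with service-role/secret wording.
const PUBLIC_PREFIX_SECRET = /\b(VITE|NEXT_PUBLIC)_[A-Z0-9_]*(SERVICE_ROLE|SERVICE_KEY|SECRET)/;
// Prefix of Supabase secret (server-side) API keys.
const SB_SECRET_PREFIX = /\bsb_secret_/;
const ADMIN_KEY_WORDING = /service[_-]?role|sb_secret_/i;
// createClient(...) may span several lines, so it is matched on the whole file text.
const CREATE_CLIENT_CALL = /createClient\s*\(([^;]*)\)/g;

// Heuristic (assumption): code outside supabase/functions/ is shipped to the browser.
function isBrowserPath(path) {
  return /\.(m?[jt]sx?|vue|svelte)$/i.test(path) && !/(^|\/)supabase\/functions\//.test(path);
}

const lineAt = (text, idx) => text.slice(0, idx).split("\n").length;

// Never echo key material back into the packet, even if the input was meant to be redacted.
function redact(s) {
  return s
    .replace(/sb_secret_[A-Za-z0-9_]+/g, "sb_secret_<redacted>")
    .replace(/eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_.-]+/g, "<jwt-redacted>");
}

function finding(rule, severity, path, line, raw) {
  return { rule, severity, path, line, evidence: redact(raw).replace(/\s+/g, " ").trim().slice(0, 120) };
}

function scanCodeFile(path, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    if (PUBLIC_PREFIX_SECRET.test(line)) findings.push(finding("public-prefix-secret-env", "high", path, i + 1, line));
    if (SB_SECRET_PREFIX.test(line)) findings.push(finding("sb-secret-in-client-material", "high", path, i + 1, line));
  });
  if (isBrowserPath(path)) {
    for (const m of text.matchAll(CREATE_CLIENT_CALL)) {
      if (ADMIN_KEY_WORDING.test(m[1])) findings.push(finding("browser-client-admin-key", "high", path, lineAt(text, m.index), m[0]));
    }
  }
  return findings;
}

// Naive statement split on ';' (enough for migration notes; ignores ';' inside string literals).
function splitSqlStatements(text) {
  const out = [];
  let start = 0;
  for (let i = 0; i <= text.length; i++) {
    if (i === text.length || text[i] === ";") {
      const raw = text.slice(start, i);
      const lead = raw.length - raw.trimStart().length;
      if (raw.trim()) out.push({ text: raw.trim(), line: lineAt(text, start + lead) });
      start = i + 1;
    }
  }
  return out;
}

function scanSqlFile(path, text) {
  const findings = [];
  for (const stmt of splitSqlStatements(text)) {
    if (!/^create\s+policy\b/i.test(stmt.text)) continue;
    const permissiveTrue = /\b(using|with\s+check)\s*\(\s*true\s*\)/i.test(stmt.text);
    const ownerCheck = /\bauth\.(uid|jwt)\s*\(\s*\)/i.test(stmt.text);
    const serviceRoleOnly = /\bto\s+service_role\b/i.test(stmt.text);
    // A finding is a review prompt, not a verdict: a policy may legitimately scope on something
    // other than auth.uid(), but the packet then asks for a wrong-owner/wrong-tenant smoke test.
    if (permissiveTrue) findings.push(finding("rls-using-true", "medium", path, stmt.line, stmt.text));
    else if (!ownerCheck && !serviceRoleOnly) findings.push(finding("rls-missing-owner-check", "medium", path, stmt.line, stmt.text));
  }
  return findings;
}

// Packet-level check: a high finding with no note anywhere that the key was rotated.
function rotationCheck(files, findings) {
  const noted = Object.values(files).some((t) => /\brotat(ed|ion)\b/i.test(t));
  if (findings.some((f) => f.severity === "high") && !noted) {
    return [finding("rotation-not-documented", "high", "(packet)", 0, "no rotation note in submitted material")];
  }
  return [];
}

function packetSeverity(findings) {
  if (findings.some((f) => f.severity === "high")) return "high";
  if (findings.some((f) => f.severity === "medium")) return "medium";
  return "none";
}

function scanPacket(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    findings.push(...(/\.sql$/i.test(path) ? scanSqlFile(path, text) : scanCodeFile(path, text)));
  }
  findings.push(...rotationCheck(files, findings));
  return { severity: packetSeverity(findings), findings };
}

// Constructed sample packet: a generated browser client, an env example, a migration, and an
// Edge Function that keeps the admin key server-side (expected to produce no finding).
const SAMPLE_FILES = {
  "src/lib/supabaseClient.ts": [
    'import { createClient } from "@supabase/supabase-js";',
    "// generated: admin client for the dashboard",
    "export const admin = createClient(",
    "  import.meta.env.VITE_SUPABASE_URL,",
    "  import.meta.env.VITE_SUPABASE_SERVICE_ROLE_KEY,",
    ");",
  ].join("\n"),
  ".env.example": "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co\nNEXT_PUBLIC_SUPABASE_SECRET=sb_secret_REDACTED\n",
  "supabase/migrations/0002_policies.sql": [
    "alter table public.orders enable row level security;",
    'create policy "orders_read" on public.orders',
    "  for select to authenticated using (true);",
    'create policy "orders_own" on public.orders',
    "  for all to authenticated",
    "  using (auth.uid() = user_id) with check (auth.uid() = user_id);",
    'create policy "invoices_read" on public.invoices',
    "  for select to authenticated using (status = 'paid');",
  ].join("\n"),
  "supabase/functions/admin-report/index.ts":
    'const admin = createClient(Deno.env.get("SUPABASE_URL"), Deno.env.get("SUPABASE_SERVICE_ROLE_KEY"));',
};

const REPORT = scanPacket(SAMPLE_FILES);
console.log(JSON.stringify(REPORT, null, 2));
```

On the sample packet this reports high severity with seven findings: the VITE_ and NEXT_PUBLIC_ secret names, the sb_secret_ value, the browser-side createClient call, the USING (true) policy, the invoices policy that never checks the caller, and the missing rotation note; the Edge Function file produces nothing because the admin key stays behind the server boundary. The evidence field is redacted again before it is written, so a key pasted by mistake is not copied into the packet.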
Source-backed problem set
Supabase API keys: Supabase distinguishes publishable browser keys from secret/server-side keys and legacy service-role keys.
RLS and service keys: Supabase documents that service keys bypass Row Level Security and should not be exposed to customers.
Lovable backend ownership: Supabase documents how to tell a Lovable Cloud backend from a directly managed Supabase project.
Lovable Supabase integration: Lovable documents storing third-party credentials in Supabase Edge Function secret management instead of client code.