Supabase Anonymous RLS Audit Matrix
Paste redacted Supabase policies or schema notes and check whether anonymous sign-in changes the authorization story before launch. The sharp risk is simple: anonymous users still use the authenticated role, so policies written for real accounts can authorize temporary sessions by accident.
Review order
1. Separate roles from identity state. Find policies that grant to authenticated without checking is_anonymous.
2. Stress account-upgrade boundaries. Review invites, teams, billing flags, ownership transfer, and onboarding state transitions.
3. Check privileged database paths. Look for broad grants, tables with RLS disabled, and SECURITY DEFINER functions that can bypass normal policy expectations.
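The first two review steps in concrete form, as an added example that is not part of this page or of Supabase's own code: a policy that grants to authenticated and so accidentally lets anonymous sessions create workspaces, beside a hardened version that checks the is_anonymous JWT claim and makes the null auth.uid() case explicit. The table and column names (workspaces, owner_id) are assumed for illustration; auth.uid() and auth.jwt() are the standard Supabase helpers.

```sql
-- Added example (not from the page): anonymous sessions slip through a
-- policy written for "real" accounts. Table/column names are assumed.
create table if not exists public.workspaces (
  id uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id),
  name text not null
);
alter table public.workspaces enable row level security;

-- Before: the authenticated role covers anonymous sign-ins too, so any
-- temporary session can create a workspace it owns.
create policy "workspaces_insert_weak"
  on public.workspaces for insert
  to authenticated
  with check (owner_id = (select auth.uid()));

-- After: require a permanent account. A missing or true is_anonymous claim
-- fails the check (fail closed), and the null auth.uid() case is explicit
-- instead of relying on "null = x" silently evaluating to null.
drop policy "workspaces_insert_weak" on public.workspaces;
create policy "workspaces_insert_permanent_only"
  on public.workspaces for insert
  to authenticated
  with check (
    (select auth.uid()) is not null
    and owner_id = (select auth.uid())
    and (select (auth.jwt() ->> 'is_anonymous')::boolean) is false
  );

-- Belt and braces: a RESTRICTIVE policy is ANDed with every permissive
-- insert policy on the table, so a later permissive policy added during
-- onboarding work cannot reopen the path for anonymous sessions.
create policy "workspaces_block_anonymous_inserts"
  on public.workspaces as restrictive for insert
  to authenticated
  with check ((select (auth.jwt() ->> 'is_anonymous')::boolean) is false);
```

The restrictive policy is the one to reach for on upgrade-boundary tables (invites, teams, billing, ownership): permissive policies only need one match to allow a row, so a single forgotten is_anonymous check elsewhere reintroduces the hole unless a restrictive policy pins it shut.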
Use redacted SQL only. Do not paste secrets, private connection strings, real user data, customer records, payment data, private screenshots, full names, private handles, full transaction identifiers, or credential values. This page runs locally in the browser and does not use network requests, browser storage, or a backend.
Anonymous-user findings
What to test before launch
- Inventory every policy that grants access to authenticated, then decide whether anonymous sessions should pass it.
- For actions like accepting invites, joining teams, creating workspaces, editing ownership, or changing billing state, require a non-anonymous account and explicit non-null identifiers.
- For policies using auth.uid(), make the intended unauthenticated behavior explicit instead of relying on implicit null behavior.
- Review RPC functions separately. Prefer invoker behavior unless definer behavior is intentional, narrow, and covered by tests.
- Run a red-team scenario with a fresh anonymous session, then repeat after account upgrade and compare allowed reads/writes.
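The RPC item above and review step 3 (privileged database paths), as an added example that is not from this page or from Supabase: an invite-acceptance function first written with SECURITY DEFINER, which runs as the function owner and bypasses the caller's RLS, then rewritten as SECURITY INVOKER with an explicit refusal of anonymous sessions and a matching policy so the write still works for permanent accounts. The team_invites table, the accept_invite function and their columns are assumed for illustration.

```sql
-- Added example (not from the page): definer vs invoker on an invite RPC.
-- Table, function and column names are assumed.
create table if not exists public.team_invites (
  token uuid primary key,
  team_id uuid not null,
  accepted_by uuid references auth.users (id)
);
alter table public.team_invites enable row level security;

-- Before: SECURITY DEFINER executes with the owner's privileges, so RLS on
-- team_invites is not applied to the caller. Anyone who can call the
-- function, anonymous sessions included, can claim any invite token.
create or replace function public.accept_invite(invite_token uuid)
returns void
language sql
security definer
as $$
  update public.team_invites
     set accepted_by = auth.uid()
   where token = invite_token;
$$;

-- After: SECURITY INVOKER keeps the caller's RLS in force, the function
-- refuses anonymous or unauthenticated callers before touching a row, and
-- an empty search_path stops object-resolution surprises.
create or replace function public.accept_invite(invite_token uuid)
returns void
language plpgsql
security invoker
set search_path = ''
as $$
begin
  if (select auth.uid()) is null
     or (select (auth.jwt() ->> 'is_anonymous')::boolean) is not false then
    raise exception 'accept_invite requires a permanent account';
  end if;

  update public.team_invites
     set accepted_by = (select auth.uid())
   where token = invite_token
     and accepted_by is null;
end;
$$;

-- Invoker semantics mean the write now needs policies of its own. UPDATE with
-- a WHERE clause also reads the row, so both SELECT and UPDATE are covered,
-- and both are limited to permanent accounts.
create policy "team_invites_select_permanent"
  on public.team_invites for select
  to authenticated
  using ((select (auth.jwt() ->> 'is_anonymous')::boolean) is false);

create policy "team_invites_accept_permanent"
  on public.team_invites for update
  to authenticated
  using (accepted_by is null
         and (select (auth.jwt() ->> 'is_anonymous')::boolean) is false)
  with check (accepted_by = (select auth.uid()));

-- Narrow who can even invoke the RPC: the anon key alone gets nothing.
revoke execute on function public.accept_invite(uuid) from public, anon;
grant execute on function public.accept_invite(uuid) to authenticated;
```

The test the page recommends maps directly onto this: call accept_invite from a fresh anonymous session (expect the exception), upgrade the account, call again (expect one row updated), and diff the two results. If definer behavior is genuinely required, keep the same explicit is_anonymous guard inside the function body, because the policies no longer run on the function's behalf.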
npx --package github:kayalopez/ai-agent-launch-tools#v0.1.29 supabase-anonymous-rls-audit --file supabase_anonymous_rls.redacted.sql --fail-on high
Source-backed problem set
- Live builder report: current public thread describing an anonymous sign-in RLS authorization hole found during audit.
- Supabase anonymous sign-ins: official docs say anonymous users use the authenticated role and expose the is_anonymous JWT claim.
- Supabase RLS docs: official docs for enabling RLS, policy behavior, and explicit auth.uid() checks.
- Supabase key model: official docs explain publishable keys and the requirement to review anon/authenticated policies.