Supabase RPC Exposure Packet Builder
Create a redacted launch-review packet for the exact default EXECUTE risk: function ACL evidence, REST/RPC smoke-test result, revoke/grant intent, and the next denial tests to run before exposing an API schema.
1. Redacted inputs only. No database credentials, service-role keys, customer rows, private screenshots, payment data, or account records.
2. Matches the live issue shape. Built around unexpected callable RPCs after default EXECUTE revocation and browser-role REST smoke tests.
3. Short path to paid review. The generated packet is the exact safe intake shape for the fixed-scope Supabase report.
This page runs locally in the browser. It does not use browser storage, network requests, analytics, or a backend. Keep all evidence redacted before copying it into public issues or paid intake.
What this packet proves
- Whether an exposed-schema function stayed callable after ALTER DEFAULT PRIVILEGES ... REVOKE EXECUTE.
- Whether a function-specific REVOKE EXECUTE ON FUNCTION exists after creation.
- Whether anon and authenticated REST/RPC smoke tests prove expected-deny behavior.
- Whether every public RPC has a positive allowlist instead of broad role access by accident.
- Whether AI-generated migrations introduced new exposed functions without explicit execute intent.
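As an added example (not code from this tool or from Supabase), the SQL below gathers the function ACL evidence that the list above describes and shows an explicit revoke/grant pair. The schema name api and the function api.example_fn(uuid) are hypothetical placeholders; anon and authenticated are the browser-facing roles the smoke tests target.

```sql
-- Added example. Assumptions: 'api' stands in for the exposed schema and
-- api.example_fn(uuid) is a hypothetical function. Run with a role that can
-- read the catalogs; the output contains no row data or credentials.

-- 1. Effective EXECUTE per function for the browser-facing roles.
SELECT
  p.oid::regprocedure                                       AS function_signature,
  p.prosecdef                                               AS security_definer,
  p.proacl IS NULL                                          AS acl_is_builtin_default,
  has_function_privilege('anon', p.oid, 'EXECUTE')          AS anon_can_execute,
  has_function_privilege('authenticated', p.oid, 'EXECUTE') AS authenticated_can_execute,
  EXISTS (
    SELECT 1
    FROM aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) AS a
    WHERE a.grantee = 0                -- grantee 0 is PUBLIC
      AND a.privilege_type = 'EXECUTE'
  )                                                         AS public_can_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'api'
ORDER BY p.proname;

-- 2. Default privileges recorded for functions. ALTER DEFAULT PRIVILEGES only
--    affects functions created afterwards by the role it names, and a
--    per-schema entry cannot remove the global PUBLIC EXECUTE default.
SELECT
  pg_get_userbyid(d.defaclrole)   AS creator_role,
  COALESCE(n.nspname, '(global)') AS scope,
  d.defaclacl                     AS default_acl
FROM pg_default_acl d
LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace
WHERE d.defaclobjtype = 'f';

-- 3. Explicit revoke/grant intent for one function (hypothetical name):
--    remove the broad grants, then allowlist only the role that needs it.
REVOKE EXECUTE ON FUNCTION api.example_fn(uuid) FROM PUBLIC, anon, authenticated;
GRANT  EXECUTE ON FUNCTION api.example_fn(uuid) TO authenticated;
```

Any function where anon_can_execute or public_can_execute is true without a matching allowlist entry is a candidate for the expected-deny REST/RPC smoke test.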
Source-backed problem set
Supabase issue #43884
Public issue reports functions in a custom API schema remaining callable by browser-facing roles after default EXECUTE revocation.
Supabase API security docs
Official docs cover exposed schemas, function execution, and Data API hardening.
Supabase database functions docs
Official docs cover database functions, SECURITY DEFINER review, and function execution context.