You use the service role server side only and usually get it from a .env file depending on your framework.
Thank you for the response. I'd like to create a straightforward website where users can submit their names and view the list of all participants' names. I prefer not to use a framework, but I also want to prevent unauthorized users from modifying my database table. How can I achieve this?
Supabase can work in pure JavaScript only in a browser. You have to expose anon key and url though. Then in RLS policies you block users as desired either anon or authenticated.
I see. So if I'm creating a login-less service where anyone can edit, then exposing anon key & url is not wrong decision, correct?
Yes.
There is no way to do a REST api and keep the apikey and url secret if called from a browser. This is not a Supabase specific limitation.
Thank you for all your support! I appreciate it!
Your prompt and patient response is greatly helpful to me.
One thing to consider. You could lock all tables from anon access with RLS. Then have rpc calls to postgres functions do what you want which gives you ability to limit what the anon users can do. You can't stop them from calling the functions but can make sure they only do exactly what you want.
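The two suggestions above (blocking anon access with RLS policies, and exposing only Postgres functions through RPC) put into concrete SQL, as an added example that is not part of the thread. It assumes a hypothetical `public.participants` table and a hypothetical `public.join_event` function for the "submit a name, view the list" site described earlier; run it in the Supabase SQL editor or with psql against the project database.

```sql
-- Added example, not from the original discussion. Table and function names
-- (public.participants, public.join_event) are hypothetical.

create table if not exists public.participants (
  id         bigint generated always as identity primary key,
  name       text not null check (char_length(name) between 1 and 60),
  created_at timestamptz not null default now()
);

-- 1. Enable RLS. Once it is on, any command without a matching policy is
--    denied for the API roles (anon, authenticated), even though those roles
--    hold table-level grants in the public schema.
alter table public.participants enable row level security;

-- 2. Anon may read the list. No insert/update/delete policy exists, so the
--    public anon key cannot modify rows directly through the REST endpoint.
create policy "anon can read participants"
  on public.participants
  for select
  to anon
  using (true);

-- 3. The only write path: a function that runs with its owner's privileges
--    (security definer bypasses RLS) but performs exactly one constrained
--    insert, so callers can't choose columns, rows, or other tables.
create or replace function public.join_event(p_name text)
returns bigint
language plpgsql
security definer
set search_path = ''   -- pin search_path: definer functions are a hijack target
as $$
declare
  v_name text := btrim(p_name);
  v_id   bigint;
begin
  if v_name is null or char_length(v_name) not between 1 and 60 then
    raise exception 'name must be 1-60 characters' using errcode = '22023';
  end if;

  insert into public.participants (name)
  values (v_name)
  returning id into v_id;

  return v_id;
end;
$$;

-- 4. Functions are executable by PUBLIC by default; revoke that, then grant
--    execute only to the API roles that should be able to call it.
revoke execute on function public.join_event(text) from public;
grant  execute on function public.join_event(text) to anon, authenticated;
```

With this in place the browser client still ships the project URL and anon key, as the thread says it must, but the only thing that key can do to the table is `select` it or call `supabase.rpc('join_event', { p_name: 'Alice' })`. Anyone can call the function, which matches the earlier point that you cannot stop anon users from invoking it; what you control is that it does nothing beyond inserting one validated name. The `set search_path = ''` line is the caveat worth keeping: a `security definer` function that resolves unqualified names through a writable schema can be tricked into running someone else's function with the owner's privileges, so every object reference inside it is schema-qualified.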