Using Supabase Vault for Storing User Secrets and API Keys
Hello, is Supabase Vault a good option for securely storing user-specific secrets and API keys (like access tokens or service credentials) within a project?
Like API keys from a user's payment gateway, in my situation.
Are there any limitations or best practices I should be aware of when using it for this purpose?
4 Replies
In general, Vault is intended to store your secrets, not the secrets of your users. Vault mainly allows secrets not to be exposed in a logical backup/replication and in function and trigger code in your project.
If you store user secrets, you can still see them in the DB with the Vault view, so they are not secret from you.
What do you recommend for what I'm trying to achieve?
I don't have a recommendation. You'll have to see if another user has some ideas.
The key thing you have to decide is whether it is OK if you or your staff have access to these keys. If not, then you cannot encrypt/decrypt them in the database at all. Any method that stores the encryption secret on the SB server side would allow you to see the user data. Even Vault allows you to see the "encrypted" data with a view. Vault only helps with protecting data for logical backups and replication. Note that all data is encrypted at rest on the hard drives.
If you do not want to allow staff to see the data, then you have to do client-side encryption, which is not Supabase specific.
If you don't care if your staff can see the data, then Vault MIGHT work, but Supabase does not seem to encourage that use in the docs. I don't know if there is a max limit or performance issue if overused.
Thanks for the response, I'll try to find something