How to regenerate individual service_role key?
Current situation
I need to rotate my service_role key, but the individual "Regenerate" button is no longer available in the Legacy API Keys section. I can see the key but there's no regenerate option. I'm currently using this key in Edge Functions.
Questions
1. Is it still possible to regenerate just the service_role key individually?
2. What's the recommended approach for rotating a compromised service_role key?
3. If using new Secret API keys with Edge Functions, what code changes are required?
3 Replies
You can't generate the old keys individually. You generate a new jwt secret and that will automatically generate new anon_key and service_role_key. It's been moved here: https://supabase.com/dashboard/project/_/settings/jwt
For edge functions with new keys: https://github.com/orgs/supabase/discussions/29260#discussioncomment-13936897
@inder Thank you! Your quick response is very helpful.
I now understand from your response that regenerating only the service_role key is not possible.
I'll check the GitHub discussion link you provided and consider my approach for Edge Functions with the new keys.
@inder
I want to migrate from the anon_key and service_role_key approach to the publishable_key and secret_key approach.
I have two questions about this migration:
1. If existing users have active sessions authenticated with a client created using the old anon_key, and I update the anon_key to the new publishable_key in my application, what happens to those users' login state?
2. If I regenerate the anon_key in the Supabase dashboard, users with expired sessions who haven't updated to the latest app version yet won't be able to authenticate via OAuth because the anon_key they're using is now invalid. Is this understanding correct?
Also, for the Supabase initialization in my app, would it be sufficient to simply pass the publishable_key like this?
```
await Supabase.initialize(
  url: Env.SUPABASE_URL,
  anonKey: Env.SUPABASE_PUBLISHABLE_KEY,
);
```
1. As long as you don't revoke the old keys, old sessions can still be verified.
2. Correct. anon_key and service_role keys are JWTs. Once you rotate the jwt_secret, these old keys become invalid.
3. Yes, the client initialization process remains the same as far as I know. I've used the supabase js client and that is still the same.