API Key shows in Request Headers
Please see the image: our API key is exposed in the Request Headers of network calls. I'm using the Supabase library only.
import { createClient } from '@supabase/supabase-js';
const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
const supabaseAnonKey = import.meta.env.VITE_SUPABASE_ANON_KEY;
export const supabase = createClient(supabaseUrl, supabaseAnonKey);
Please Help

4 Replies
What are you asking for help on?
The apikey and user access_token are always exposed in browser-based calls to the dev console. They are encrypted in transit.
This is why service role should never be used on a browser.
As @garyaustin said, there's no problem on the anon key being exposed as long as you are using RLS policies. It's stated in Supabase Dashboard under Project Settings > API Keys > Legacy API Keys.
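An added example, not part of the original thread or of the Supabase library: a guard that reads the `role` claim from a legacy Supabase API key (these keys are JWTs) and refuses anything other than `anon` before it is passed to `createClient` in browser code. The function names `keyRole`, `assertBrowserSafeKey` and `makeSampleKey` are hypothetical, and the sample keys are constructed and carry no real signature.

```javascript
// Decode one base64url JWT segment to a string.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return atob(padded);
}

// Return the `role` claim of a legacy (JWT) key, or 'unknown' if the
// value is not a three-part JWT or has no string `role` claim.
// The signature is not verified: this is a lint on what is being shipped,
// not an authentication check.
function keyRole(key) {
  if (typeof key !== 'string') return 'unknown';
  const parts = key.split('.');
  if (parts.length !== 3) return 'unknown';
  try {
    const payload = JSON.parse(b64urlDecode(parts[1]));
    return typeof payload.role === 'string' ? payload.role : 'unknown';
  } catch {
    return 'unknown';
  }
}

// Throw unless the key is the anon key; return the key so the call can
// be wrapped around the value handed to createClient.
function assertBrowserSafeKey(key) {
  const role = keyRole(key);
  if (role !== 'anon') {
    throw new Error(`refusing to ship key with role "${role}" to the browser`);
  }
  return key;
}

// Constructed sample keys for demonstration only (fake signature).
function makeSampleKey(role) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj))
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ iss: 'supabase', role })}.constructed-signature`;
}
```

In the client module from the question this would wrap the second argument: `createClient(supabaseUrl, assertBrowserSafeKey(supabaseAnonKey))`. The guard only catches a misplaced key; what the anon key can read or write is still decided by the RLS policies.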

Oh, thanks for the answer, @garyaustin & @patito1009