Can't rotate to new API keys - JS client fails when legacy keys disabled
auth
Hey everyone, need some help with API key rotation.
Problem: My service_role key was accidentally exposed in a git push. I need to rotate to new keys ASAP.
What I tried:
1. Created new `sb_publishable_` and `sb_secret_` keys in dashboard
2. Updated all my configs (Next.js app, Node.js server, Cloudflare Worker)
3. Tested - everything worked while legacy keys were still enabled
4. Disabled legacy anon/service_role keys
Result: All API calls fail with "Legacy API keys are disabled"
My setup:
- @supabase/supabase-js v2.88.0 (Next.js)
- @supabase/supabase-js v2.39.0 (Node server)
- Cloudflare Worker using fetch() with apikey header
I also tried rotating the JWT signing key, but the legacy key VALUES stayed the same - only the signing mechanism changed. Doesn't help when the key itself is leaked.
According to docs, the new keys should be drop-in replacements. But the JS client doesn't seem to work when legacy keys are disabled.
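One way to check whether any component is still configured with a legacy-format key after a rotation like the one described above (an added example, not code from the original post or from Supabase). It assumes legacy anon/service_role keys are JWTs carrying a `role` claim; the config names and key values are hypothetical, constructed samples.

```javascript
// Classify Supabase API key values by format so leftover legacy keys can be
// found in each component's config. Key values are never printed.
// Assumption: legacy anon/service_role keys are JWTs with a "role" claim.

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null; // not header.payload.signature
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null; // payload is not valid base64url JSON
  }
}

function classifyKey(value) {
  const v = (value || "").trim();
  if (v.startsWith("sb_publishable_")) return { kind: "new", role: "publishable" };
  if (v.startsWith("sb_secret_")) return { kind: "new", role: "secret" };
  const payload = decodeJwtPayload(v);
  if (payload && typeof payload.role === "string") {
    return { kind: "legacy", role: payload.role };
  }
  return { kind: "unknown", role: null };
}

// Return every config entry that is NOT a new-format key.
function auditConfig(config) {
  return Object.entries(config)
    .map(([name, value]) => ({ name, ...classifyKey(value) }))
    .filter((r) => r.kind !== "new");
}

// Constructed sample data: an unsigned JWT-shaped string, not a real key.
function makeSampleJwt(role) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ iss: "supabase", role })}.constructed-signature`;
}

// Hypothetical config names, one per place a key can be set.
const sampleConfig = {
  NEXT_PUBLIC_SUPABASE_KEY: "sb_publishable_constructedExample",
  SERVER_SUPABASE_KEY: "sb_secret_constructedExample",
  WORKER_APIKEY_HEADER: makeSampleJwt("service_role"),
  WORKER_AUTHORIZATION_BEARER: makeSampleJwt("anon"),
};

for (const r of auditConfig(sampleConfig)) {
  console.log(`${r.name}: ${r.kind} key (role=${r.role})`);
}
```

Running the same classification over the values each deployment actually loads (build-time env, server env, Worker secrets, and any hand-written `Authorization` header) shows which ones still carry a legacy value.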