Free Supabase exposure checker
The Supabase service_role key bypasses every security policy. If it reaches the browser bundle — common in AI-built apps — anyone can read and write your entire database. Missing Row-Level Security has the same effect with just the anon key.
Free · no signup · we never store your source code
- We prove vulnerabilities by reproducing them — not guesses
- Tamper-evident record of what your AI agents do
- We never store your source code
What the agent checks
- Exposed service_role key in the live bundle
- Exposed or misused anon key
- Signs of missing Row-Level Security
- Publicly reachable Supabase endpoints
Ask the agent — FAQ
How do I check if my Supabase key is exposed?
Paste your app's URL and tell Opviva to check it. The agent inspects your live front-end bundle and network calls for an exposed service_role or anon key — no code access required.
Why is an exposed service_role key dangerous?
It's a full-admin key that bypasses Row-Level Security. Anyone who finds it can read, modify, or delete all data in your Supabase project.
Can you fix it for me?
Yes — once the agent proves the key is exposed, it opens a reviewed pull request that moves the key server-side and adds Row-Level Security, which you approve before it merges.
