Skip to content

Free Supabase exposure checker

The Supabase service_role key bypasses every security policy. If it reaches the browser bundle — common in AI-built apps — anyone can read and write your entire database. Missing Row-Level Security has the same effect with just the anon key.

No signup for a shallow scan · we never store your source code

Free · no signup · we never store your source code

  • We prove vulnerabilities by reproducing them — not guesses
  • Tamper-evident record of what your AI agents do
  • We never store your source code

What the agent checks

  • Exposed service_role key in the live bundle
  • Exposed or misused anon key
  • Signs of missing Row-Level Security
  • Publicly reachable Supabase endpoints

Ask the agent — FAQ

How do I check if my Supabase key is exposed?

Paste your app's URL and tell Opviva to check it. The agent inspects your live front-end bundle and network calls for an exposed service_role or anon key — no code access required.

Why is an exposed service_role key dangerous?

It's a full-admin key that bypasses Row-Level Security. Anyone who finds it can read, modify, or delete all data in your Supabase project.

Can you fix it for me?

Yes — once the agent proves the key is exposed, it opens a reviewed pull request that moves the key server-side and adds Row-Level Security, which you approve before it merges.