How do I rotate a leaked Supabase service-role key?

Short answer

Immediately: go to app.supabase.com → Project Settings → API → Roll service_role secret. Update every server env with the new key. Review the Supabase Audit Log for the past 30 days. If you are uncertain what the attacker touched, restore from a backup predating the leak.

The service-role key bypasses every RLS policy. Treat a leak as worst-case exposure.

  • Roll at supabase.com. New key takes effect within seconds.
  • Update every server env (Vercel, Fly, Railway, GitHub Actions).
  • Review Audit Log: app.supabase.com → Reports → Audit Log.
  • If unauthorized activity is confirmed: restore from backup.
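
One way to check the "update every server env" step, as an added example that is not Supabase's own tooling: scan env file contents for service_role keys issued before the roll. It assumes the key is the JWT-format key whose payload carries `role` and `iat` claims and that a rolled key has a later `iat`; the variable names, project ref and timestamps are constructed.

```python
import base64
import json
import re

# Three base64url segments; JSON objects encode to a leading "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _decode_segment(seg):
    """Decode one unpadded base64url JWT segment to a Python object."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def find_stale_service_keys(env_text, rolled_at):
    """Return (line_no, variable, iat) for service_role JWTs issued before rolled_at."""
    stale = []
    for line_no, line in enumerate(env_text.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            try:
                claims = _decode_segment(match.group(0).split(".")[1])
            except ValueError:  # bad base64 or bad JSON: not a readable key
                continue
            if not isinstance(claims, dict) or claims.get("role") != "service_role":
                continue  # only service_role keys are in scope for this check
            iat = claims.get("iat", 0)  # assumed claim; a missing iat counts as stale
            if iat < rolled_at:
                stale.append((line_no, line.split("=", 1)[0].strip(), iat))
    return stale

def _constructed_key(role, iat):
    """Build an unsigned, constructed token with the assumed claim layout."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": "supabase", "ref": "exampleref", "role": role, "iat": iat}
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "constructed_sig"])

ROLLED_AT = 1740000000  # constructed: Unix time at which the secret was rolled
SAMPLE_ENV = "\n".join([  # constructed env file contents
    "SUPABASE_URL=https://exampleref.supabase.co",
    "SUPABASE_ANON_KEY=" + _constructed_key("anon", 1700000000),
    "SUPABASE_SERVICE_ROLE_KEY=" + _constructed_key("service_role", 1700000000),
    "WORKER_SUPABASE_KEY=" + _constructed_key("service_role", 1750000000),
])

if __name__ == "__main__":
    for line_no, name, iat in find_stale_service_keys(SAMPLE_ENV, ROLLED_AT):
        print(f"line {line_no}: {name} still holds a pre-rotation key (iat={iat})")
```

The function reports variable names and line numbers only, so its output can go into a ticket or CI log without repeating the secret.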
