What's the blast radius of a leaked Supabase anon_key?
Short answer
anon_key is PUBLIC by design: it is meant to ship in the client bundle. With RLS enabled on every table, that is safe. Without RLS, the anon_key reads every row in every table. The Lovable Apr 2026 breach was exactly this pattern, with 10.3% of apps affected.
anon_key safety = RLS coverage. Without RLS on a table, the anon_key reads every row.
The Lovable Apr 2026 BOLA breach affected 170 of 1,645 scanned apps (10.3%) for 48 days because the combination of a public anon_key and tables without RLS allowed direct data exfiltration through the REST API.
Defense: RLS on every table + tenant-scoped policies. See /templates/rls-policy-supabase.
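The weak state beside the hardened one, as an added example that is not the linked template or Lovable's code. It assumes a hypothetical multi-tenant `orders` table and a `tenant_id` claim in the user's JWT; everything else is standard Postgres and Supabase (`auth.jwt()`, the `anon`/`authenticated` roles, `pg_tables.rowsecurity`).

```sql
-- Assumed schema for this example: a multi-tenant "orders" table where
-- each row carries the tenant that owns it. Table and column names are
-- hypothetical.
create table if not exists public.orders (
  id bigint generated always as identity primary key,
  tenant_id uuid not null,
  total_cents integer not null,
  created_at timestamptz not null default now()
);

-- WEAK: table created without RLS. Supabase exposes the public schema
-- through PostgREST, so any client holding the anon_key can request
-- GET /rest/v1/orders and receive every row for every tenant. This is
-- the state the page describes; no further misconfiguration is needed.

-- Check: list every exposed table that still has RLS disabled.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

-- HARDENED step 1: turn RLS on. With RLS enabled and no policies,
-- Postgres returns zero rows to anon and authenticated alike, which is
-- the safe default; access is then opened up one policy at a time.
alter table public.orders enable row level security;

-- HARDENED step 2: tenant-scoped read policy. Only signed-in users whose
-- JWT carries a tenant_id claim equal to the row's tenant may read it.
-- The claim name 'tenant_id' is an assumption; it must be put into the
-- access token (for example via Supabase's custom access token hook)
-- or the comparison is against NULL and no rows match.
create policy "tenant reads own orders"
  on public.orders
  for select
  to authenticated
  using (tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);

-- Same scoping for writes, so a caller cannot insert rows into another
-- tenant's data either.
create policy "tenant writes own orders"
  on public.orders
  for insert
  to authenticated
  with check (tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);

-- Deliberately no policy for the anon role: an unauthenticated caller
-- holding only the anon_key gets zero rows from this table.
```

Run the `pg_tables` check after every migration; a non-empty result is a table the anon_key can read in full.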