Vibe Coding / Secrets

Supabase anon key exposed in frontend

The public anon key may be normal, but exposing service role keys or relying on anon without RLS is dangerous.

Error text / original error message

  • Supabase anon key exposed
  • NEXT_PUBLIC_SUPABASE_ANON_KEY
  • service role key exposed

What it means

The anon key is designed to ship to the browser: it identifies your project and grants only what your Row Level Security (RLS) policies allow, so seeing it in a NEXT_PUBLIC_ variable or a client bundle is expected. The service role key is different: it bypasses RLS entirely, so anyone who reads it from the frontend has full read and write access to every table. Two situations are dangerous: the service role key has been placed where the client can load it, or the anon key is used against tables that have no RLS policies, which makes those tables fully accessible to anyone holding the public key.

Most common causes

  • Service role key put in browser env
  • Missing RLS policies
  • Generated docs confuse anon and service role
  • Secrets committed into Git

Fastest fix

  • Reproduce the smallest failing case.
  • Check environment, platform, and production settings.
  • Use the related local tool to classify the issue.
  • Fix the highest-risk security or data issue first.

Safe fix

  • Keep secrets out of client code and logs.
  • Prefer least privilege and explicit allowlists.
  • Add a regression test or checklist before retrying.
  • Document the working production configuration.

What not to do

  • Do not disable security controls as a permanent fix.
  • Do not paste secrets into public issue trackers or AI chats.
  • Do not trust preview success as production readiness.

Diagnostic commands

npm run build    # rebuild so the client bundle reflects the current env configuration
git diff --check    # catch stray whitespace and conflict markers before committing
grep -R "SERVICE_ROLE\|STRIPE_SECRET\|SUPABASE" .    # locate secret-looking names in source, env files and build output
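The grep above only matches variable names; it cannot tell whether a value is the anon key or the service role key. The following is an added example (not code from this wiki page or from Supabase) that decodes the role claim of Supabase's JWT-format API keys and flags any service_role key stored under a NEXT_PUBLIC_ name, which Next.js inlines into the browser bundle. The fakeSupabaseJwt helper and the SAMPLE_ENV text are constructed for the example.

```javascript
// Base64url-decode a JWT payload. The signature is NOT verified: we only
// read public claims to classify the key, never to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null; // not base64url / not JSON, so not a JWT we care about
  }
}

// Returns the Supabase role ("anon", "service_role", ...) or null if the
// value is not a Supabase-issued JWT.
function supabaseRole(value) {
  const payload = decodeJwtPayload(value.trim());
  if (!payload || payload.iss !== "supabase") return null;
  return typeof payload.role === "string" ? payload.role : null;
}

// Parse dotenv-style KEY=VALUE text and report every Supabase key found,
// its role, and whether the variable name exposes it to the client.
function auditEnv(envText) {
  const findings = [];
  for (const raw of envText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || !line.includes("=")) continue;
    const eq = line.indexOf("=");
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    const role = supabaseRole(value);
    if (!role) continue;
    const clientExposed = name.startsWith("NEXT_PUBLIC_");
    const severity = role !== "service_role" ? "ok-public"
      : clientExposed ? "critical" : "ok-server-only";
    findings.push({ name, role, clientExposed, severity });
  }
  return findings;
}

// Constructed, unsigned stand-in for a Supabase key (same claim layout, fake signature).
function fakeSupabaseJwt(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", ref: "example", role })}.sig`;
}

// Constructed .env.local: one correct anon key, one leaked service role key, one server-only key.
const SAMPLE_ENV = `
NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeSupabaseJwt("anon")}
NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=${fakeSupabaseJwt("service_role")}
SUPABASE_SERVICE_ROLE_KEY=${fakeSupabaseJwt("service_role")}
`;
```

An "ok-public" anon key is only safe when RLS is enabled on every table it can reach, which this offline check cannot verify; confirm the policies in the Supabase dashboard or migrations.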
