Skip to main content
Stackbastion

Your Supabase keys are probably in your frontend bundle. Here's how to check in 5 minutes

7 July 2026· 3 min read · by Stackbastion

Here’s an uncomfortable fact: every file your browser downloads to render a website, anyone can read. That includes your app’s JavaScript. If a privileged key ever ended up in that JavaScript, it’s not hidden. It’s sitting in plain text, one view-source away from anyone who looks.

This happens more than people expect with vibe-coded apps, because it’s an easy mistake to make once and never notice. Here’s how to check your own app in about 5 minutes.

The check

This only looks at files your own browser already downloads. It doesn’t touch anyone else’s app, log in as anyone, or send any request beyond what a normal visitor’s browser sends.

Step 1: find your JavaScript files.

Open your app in a browser, right-click, and choose “View Page Source.” Look for <script src="..."> tags. Note every URL.

Step 2: fetch each one and check it.

curl -s https://your-app.example.com/assets/index.js | grep -Eo "(sk_live_|service_role|SUPABASE_SERVICE|AIza|AKIA)[A-Za-z0-9_-]+"

Repeat for every script URL you found. That command looks for the shape of a few common secret types: a live Stripe secret key (sk_live_), a Supabase service-role key, a Google API key (AIza), and an AWS access key (AKIA). Adjust the pattern for whatever your stack actually uses.

Step 3: read the result.

  • Nothing came back? Good sign. Move on to checking whether your anon/publishable key (which is meant to be public) actually has proper row-level security behind it: a public key with no authorization checks is its own problem, just a different one.
  • Something came back? That’s a real, current exposure. Treat it as urgent, not “get to it this week.”

If you found something

  1. Rotate the key immediately, in whatever dashboard issued it (Supabase, Stripe, Google Cloud, AWS). A key you know is exposed is a key you can no longer trust, even after you fix the code.
  2. Move the privileged call server-side. Anything that needs a service-role key, a secret API key, or similar should run on a server you control, never in code the browser downloads.
  3. Re-run the check against the new build to confirm the new key isn’t there too.

Why this happens so often

Most of the time, it’s not carelessness. It’s a natural mistake: a call that works fine locally gets left calling a privileged endpoint directly from the frontend, because that’s the fastest way to get a feature working. The fix isn’t “be more careful.” It’s moving that one call behind a small server endpoint, once, and then it’s fixed for good.

Or, we do it for you

This is check #1 of the 15-point audit we run for free. See the full checklist. If you’d rather have someone else check all 15 and fix what they find, get a free production audit, or see our Secrets & Access Lockdown if you already know you need it fixed fast.

FAQ

Is this safe to run on someone else’s app?

Only run this against apps you own. It’s a passive, read-only check of files any visitor’s browser already downloads, but running it against a third party without permission is out of scope for what we’d recommend, and for what we do ourselves.

What if I don’t find anything with this exact command?

The command above checks a few common patterns. Your stack might use a different key format. Adjust the pattern, or just read through the fetched files by eye for anything that looks like a long, random string tied to a service you use.

Does this mean my app is fully secure?

No. This is one check out of 15. See the full production checklist for the rest.