Closed alexcolls closed 1 year ago
@alexcolls https://supabase.com/docs/guides/api/api-keys
The anon supabase key (which should be what you're using for the env.SUPABASE_KEY) is fine to exist on the browser and be exposed to the user. This is expected. It has very few privileges unless you've configured your supabase in a way that allows anonymous users tons of usually unneeded access.
If the serviceKey is exposed then that's a problem, but I'm assuming that's not the case here.
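One way to check the distinction drawn in the reply above, as an added example that is not part of the original thread or the module's own code. It assumes JWT-format Supabase keys, whose payload carries a `role` claim (`anon` or `service_role`); the config shape, function names and sample keys are constructed for illustration.

```javascript
// Added example: classify JWT-format Supabase API keys by their `role` claim.
// Sample keys are constructed here with a dummy signature; they are not real keys.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample key: header.payload.signature
function makeSampleKey(role) {
  return [b64url({ alg: 'HS256', typ: 'JWT' }),
          b64url({ iss: 'supabase', role }),
          'constructed-signature'].join('.');
}

// Returns the `role` claim, or null if the value is not a decodable JWT.
// No signature verification: this only inspects what the key claims to be.
function keyRole(key) {
  if (typeof key !== 'string') return null;
  const parts = key.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.role === 'string' ? payload.role : null;
  } catch {
    return null;
  }
}

// Walks a config object (for example, what the client sees from the public
// runtime config) and reports every key whose role is anything other than `anon`.
function findPrivilegedKeys(config, path = []) {
  const findings = [];
  for (const [name, value] of Object.entries(config ?? {})) {
    const here = [...path, name];
    if (value && typeof value === 'object') {
      findings.push(...findPrivilegedKeys(value, here));
    } else {
      const role = keyRole(value);
      if (role && role !== 'anon') findings.push({ path: here.join('.'), role });
    }
  }
  return findings;
}

// Constructed configs: one exposing only the anon key, one leaking a service key.
const publicConfig = { supabase: { url: 'https://example.invalid', key: makeSampleKey('anon') } };
const leakyConfig = { supabase: { key: makeSampleKey('anon'), serviceKey: makeSampleKey('service_role') } };
console.log(findPrivilegedKeys(publicConfig), findPrivilegedKeys(leakyConfig));
```

An empty result means only `anon` keys reach the client; what that key can actually do still depends on the project's row-level security policies.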
Understood! Thank you for your quick response!
Hi,
I'm not sure if it is a bug or not, I haven't tested it in production. However, when I call useRuntimeConfig() in the client I can see the supabase api key. So, it seems to me that the key is shared to the client so I'm wondering if it could be a security leak.
Thank you in advance,