Free & Open Source

PolicyCheck

Analyze your Supabase project's public API exposure. See what attackers can see with just your anon key.

Project URL: find it in Project → Project Settings → Data API

Anon key: find it in Project → Project Settings → API Keys

Note: The anon key is a public key and safe to share.

100% client-side. Your keys never leave your browser.

What we check

Comprehensive security analysis in seconds

Exposed Tables

Discover all tables and views accessible with your anon key, including column details and row counts.

Exposed RPC Functions

List all exposed RPC functions with their parameters and identify potentially sensitive operations.

Security Issues

Detect sensitive columns, unrestricted write operations, and calculate an overall risk score.

Claude Code Skills

10 security audit skills for Claude Code. Read-only SQL — nothing is executed automatically.

npx skills add nocodetalks/supabase-security-audit

/full-security-audit: Comprehensive 13-check audit in one script
/emergency-assessment: Breach response with containment plan
/audit-rls: Find tables missing Row Level Security
/audit-policies: Review RLS policies for permissive rules
/audit-sensitive-columns: Detect exposed passwords, tokens, PII
/audit-storage: Audit public buckets and upload policies
/audit-rpc-functions: Audit anon-callable and SECURITY DEFINER functions
/audit-api-exposure: Review API surface and role grants
/audit-auth: Audit auth config, MFA, and service_role usage
/audit-realtime: Audit Realtime subscriptions for data leaks

How it works

Three simple steps to better security

1. Enter your credentials

Provide your Supabase project URL and anon key. These are public credentials that are safe to share.

2. We fetch the OpenAPI spec

Using read-only GET and OPTIONS requests, we discover what's exposed through your PostgREST API.

3. Get your security report

Review identified issues, export as JSON or PDF, and take action to improve your security posture.
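The three steps above, as an added example that is not PolicyCheck's own code: fetch the OpenAPI document PostgREST serves at the project's API root using only the anon key, then walk its paths and definitions to list exposed tables (with their HTTP methods and columns), exposed RPC functions (with their body parameters), flag column and parameter names that look sensitive, and roll the findings into a simple risk score. The sample spec, the sensitive-name patterns, and the scoring weights are all constructed for this example, not PolicyCheck's; the helper runs entirely offline on the sample unless you call fetch_openapi_spec yourself.

```python
import json
import re
import urllib.request

# Constructed name patterns that usually indicate secrets or PII.
# Extend this list for your own schema; it is a heuristic, not a rule.
SENSITIVE_PATTERNS = [
    r"password", r"passwd", r"secret", r"token", r"api_?key",
    r"ssn", r"credit_?card", r"card_?number", r"email", r"phone",
    r"dob|birth", r"address",
]

# Constructed, minimal PostgREST-style OpenAPI document used as sample input.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "paths": {
        "/": {"get": {}},
        "/profiles": {"get": {}, "post": {}, "patch": {}, "delete": {}},
        "/posts": {"get": {}},
        "/rpc/reset_password": {"post": {"parameters": [
            {"name": "args", "in": "body", "schema": {"type": "object",
             "properties": {"user_id": {"type": "string"},
                            "new_password": {"type": "string"}}}}]}},
    },
    "definitions": {
        "profiles": {"properties": {"id": {}, "email": {}, "phone": {},
                                    "password_hash": {}}},
        "posts": {"properties": {"id": {}, "title": {}, "body": {}}},
    },
}


def fetch_openapi_spec(project_url: str, anon_key: str) -> dict:
    """GET the OpenAPI document from the PostgREST root (/rest/v1/).
    The anon key is sent both as the apikey header and as a Bearer token,
    so the request runs with exactly the privileges the anon role has."""
    req = urllib.request.Request(
        project_url.rstrip("/") + "/rest/v1/",
        headers={"apikey": anon_key,
                 "Authorization": f"Bearer {anon_key}",
                 "Accept": "application/openapi+json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def looks_sensitive(name: str) -> bool:
    return any(re.search(p, name, re.IGNORECASE) for p in SENSITIVE_PATTERNS)


def analyze_spec(spec: dict) -> dict:
    """Split the spec's paths into tables/views and RPC functions and
    annotate each with what the anon role can do with it."""
    tables, rpcs = {}, {}
    for path, methods in spec.get("paths", {}).items():
        if path == "/":
            continue
        name = path.lstrip("/")
        if name.startswith("rpc/"):
            fn = name[len("rpc/"):]
            params = []
            for p in methods.get("post", {}).get("parameters", []):
                if p.get("in") == "body":
                    params = sorted(p.get("schema", {}).get("properties", {}))
            # Being listed in the spec means the requesting role can call it
            # (assumes PostgREST's default follow-privileges OpenAPI mode).
            rpcs[fn] = {"params": params,
                        "sensitive_params": [q for q in params if looks_sensitive(q)]}
        else:
            verbs = sorted(m.upper() for m in methods
                           if m in ("get", "post", "patch", "delete"))
            props = spec.get("definitions", {}).get(name, {}).get("properties", {})
            cols = list(props)
            tables[name] = {
                "methods": verbs,
                "columns": cols,
                "sensitive_columns": [c for c in cols if looks_sensitive(c)],
                # A write verb means the anon role holds the table grant;
                # RLS policies, which the spec does not show, may still block it.
                "writable": any(v in verbs for v in ("POST", "PATCH", "DELETE")),
            }
    return {"tables": tables, "rpc_functions": rpcs}


def risk_score(report: dict) -> int:
    """Constructed weighting: every exposed table counts, sensitive columns
    and anon-writable tables count more, each exposed RPC adds a little."""
    score = 0
    for t in report["tables"].values():
        score += 1 + 3 * len(t["sensitive_columns"]) + (5 if t["writable"] else 0)
    score += 2 * len(report["rpc_functions"])
    return min(score, 100)


if __name__ == "__main__":
    report = analyze_spec(SAMPLE_SPEC)
    print(json.dumps(report, indent=2))
    print("risk score:", risk_score(report))
```

Two caveats when reading the output: the OpenAPI document reflects table and function grants for the requesting role, not Row Level Security, so a table that shows POST or PATCH here may still be protected by RLS (and a table that shows only GET may still leak rows if RLS is disabled); and the sensitive-name check only sees column names, so a column called `notes` holding secrets will not be flagged.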