Free & Open Source

PolicyCheck

Analyze your Supabase project's public API exposure. See what attackers can see with just your anon key.

Project URL. Find it in: Project → Project Settings → Data API

Anon key. Find it in: Project → Project Settings → API KEY

Note: The anon key is a public key and safe to share.

100% client-side. Your keys never leave your browser.

What we check

Comprehensive security analysis in seconds

Exposed Tables

Discover all tables and views accessible with your anon key, including column details and row counts.

Exposed RPC Functions

List all exposed RPC functions with their parameters and identify potentially sensitive operations.

Security Issues

Detect sensitive columns, unrestricted write operations, and calculate an overall risk score.

How it works

Three simple steps to better security

1. Enter your credentials

Provide your Supabase project URL and anon key. These are public credentials that are safe to share.

2. We fetch the OpenAPI spec

Using read-only GET and OPTIONS requests, we discover what's exposed through your PostgREST API.

3. Get your security report

Review identified issues, export as JSON or PDF, and take action to improve your security posture.
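The analysis step described above, shown as an added example that is not PolicyCheck's own code: it walks an already-fetched PostgREST OpenAPI document and lists tables, RPC functions and findings for review of your own project. It assumes the spec follows PostgREST's Swagger 2.0 layout (`paths`, `definitions`); the sample spec, the `analyzeSpec` name and the sensitive-name pattern are constructed for illustration.

```javascript
// Constructed sample: a trimmed PostgREST-style OpenAPI (Swagger 2.0) document.
const sampleSpec = {
  swagger: "2.0",
  paths: {
    "/": { get: {} },
    "/profiles": { get: {}, post: {}, patch: {}, delete: {} },
    "/public_posts": { get: {} },
    "/rpc/reset_user_password": {
      post: { parameters: [{ in: "body", name: "args", schema: {
        type: "object", properties: { user_id: { type: "string" } } } }] },
    },
  },
  definitions: {
    profiles: { properties: { id: {}, email: {}, password_hash: {} } },
    public_posts: { properties: { id: {}, title: {} } },
  },
};

// Assumed heuristic (not from the page) for column names that deserve a manual look.
const SENSITIVE = /(pass(word)?|secret|token|api_?key|ssn|email|phone)/i;
const WRITE_METHODS = ["post", "patch", "put", "delete"];

function analyzeSpec(spec) {
  const report = { tables: [], rpcs: [], findings: [] };
  for (const [path, ops] of Object.entries(spec.paths || {})) {
    if (path === "/") continue; // the root path serves the spec itself
    if (path.startsWith("/rpc/")) {
      // RPC arguments are described by the body parameter's schema on POST.
      const body = (ops.post?.parameters || []).find((p) => p.in === "body");
      const params = Object.keys(body?.schema?.properties || {});
      report.rpcs.push({ name: path.slice("/rpc/".length), params });
      continue;
    }
    const name = path.slice(1);
    const columns = Object.keys(spec.definitions?.[name]?.properties || {});
    const writes = Object.keys(ops).filter((m) => WRITE_METHODS.includes(m));
    report.tables.push({ name, columns, writes });
    for (const col of columns.filter((c) => SENSITIVE.test(c)))
      report.findings.push({ table: name, issue: "sensitive-column", detail: col });
    // A listed method only shows the route exists; RLS policies decide the outcome.
    if (writes.length)
      report.findings.push({ table: name, issue: "write-methods-advertised", detail: writes.join(",") });
  }
  return report;
}

console.log(JSON.stringify(analyzeSpec(sampleSpec), null, 2));
```

Each finding is a prompt to check the table's row level security policies and grants for the anon role, not proof that data is readable or writable.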