Store sensitive env vars without NEXT_PUBLIC_ prefix
Only the Supabase URL and anon key should have NEXT_PUBLIC_ prefix. All other Supabase credentials are server-only.
Why This Matters
NEXT_PUBLIC_ variables are embedded in the client JavaScript bundle and visible to anyone with browser DevTools.
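A check for this rule, as an added example that is not BeforeMerge's own code: it scans .env text for Supabase variables that carry the NEXT_PUBLIC_ prefix, and for a service_role JWT placed in any client-exposed variable. The variable names (NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY and the sample entries) are assumed conventional names that the rule text does not spell out, and the sample values are constructed.

```javascript
// Added example. The two allowed names are the conventional Supabase ones (assumption).
const ALLOWED_PUBLIC = new Set([
  "NEXT_PUBLIC_SUPABASE_URL",
  "NEXT_PUBLIC_SUPABASE_ANON_KEY",
]);

// Parse KEY=value lines; skips comments and blanks, tolerates `export ` and quotes.
function parseEnv(text) {
  const vars = [];
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    vars.push({ name: m[1], value: m[2].trim().replace(/^(["'])(.*)\1$/, "$2") });
  }
  return vars;
}

// Return the `role` claim if the value decodes as a JWT, otherwise null.
function jwtRole(value) {
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null; // three dot-separated parts but not a JWT (e.g. a hostname)
  }
}

function findExposedSecrets(envText) {
  const findings = [];
  for (const { name, value } of parseEnv(envText)) {
    if (!name.startsWith("NEXT_PUBLIC_")) continue; // server-only: never bundled
    if (jwtRole(value) === "service_role") {
      // Catches a privileged key even when pasted under an allowed name.
      findings.push({ name, reason: "service_role key in a client-exposed variable" });
    } else if (name.includes("SUPABASE") && !ALLOWED_PUBLIC.has(name)) {
      findings.push({ name, reason: "Supabase variable must not use NEXT_PUBLIC_" });
    }
  }
  return findings;
}

// Constructed sample input: unsigned placeholder tokens, not real keys.
const fakeJwt = (role) =>
  ["e30", Buffer.from(JSON.stringify({ role })).toString("base64").replace(/=+$/, ""), "sig"].join(".");
const SAMPLE_ENV = [
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_ANON_KEY="${fakeJwt("anon")}"`,
  `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=${fakeJwt("service_role")}`,
  "NEXT_PUBLIC_SUPABASE_JWT_SECRET=not-a-real-secret",
  "SUPABASE_DB_PASSWORD=server-only-ok",
].join("\n");
console.log(findExposedSecrets(SAMPLE_ENV));
```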
Tags
nextjs, supabase, Authentication