Never expose the service_role key to the client
The SUPABASE_SERVICE_ROLE_KEY must never be placed in a NEXT_PUBLIC_ env var (Next.js inlines those into the browser bundle) or be imported or referenced in files marked "use client".
Why This Matters
The service_role key bypasses ALL Row Level Security policies. If it leaks to the browser, anyone who obtains it can read, modify, or delete ALL data in your database, regardless of which user is signed in.
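An added example, not BeforeMerge's own scanner, showing how the two leak patterns this rule names can be checked mechanically: a service-role name under a NEXT_PUBLIC_ prefix, or any reference to SUPABASE_SERVICE_ROLE_KEY inside a "use client" file. The input shape (an object of path to file contents) and the sample repository are constructed for the example.

```javascript
// Added example, not BeforeMerge's own scanner: flags the two leak patterns
// this rule describes. Input is an assumed { path: contents } object.
// Any env var named NEXT_PUBLIC_* is inlined into the browser bundle by Next.js.
const PUBLIC_SERVICE_ROLE = /NEXT_PUBLIC_\w*SERVICE_ROLE\w*/;
const SERVICE_ROLE = /SUPABASE_SERVICE_ROLE_KEY/;
// "use client" must be the first statement; leading comments/whitespace allowed.
const USE_CLIENT = /^\s*(?:\/\/[^\n]*\n\s*|\/\*[\s\S]*?\*\/\s*)*['"]use client['"]/;

function isClientComponent(source) {
  return USE_CLIENT.test(source);
}

// Returns one finding per offending line: { path, line, rule }.
function scanFile(path, source) {
  const clientFile = isClientComponent(source);
  const findings = [];
  source.split('\n').forEach((text, i) => {
    if (PUBLIC_SERVICE_ROLE.test(text)) {
      findings.push({ path, line: i + 1, rule: 'service-role-in-NEXT_PUBLIC' });
    }
    if (clientFile && SERVICE_ROLE.test(text)) {
      findings.push({ path, line: i + 1, rule: 'service-role-in-client-file' });
    }
  });
  return findings;
}

function findServiceRoleLeaks(files) {
  return Object.entries(files).flatMap(([path, src]) => scanFile(path, src));
}

// Constructed sample repository (placeholder values, not real keys).
const SAMPLE_FILES = {
  '.env.local': [
    'NEXT_PUBLIC_SUPABASE_ANON_KEY=<anon-key-placeholder>',
    'NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=<service-key-placeholder>', // leak
    'SUPABASE_SERVICE_ROLE_KEY=<service-key-placeholder>', // server-only, fine
  ].join('\n'),
  'app/admin/page.tsx': [
    '"use client";',
    'import { createClient } from "@supabase/supabase-js";',
    'const admin = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY);', // leak
  ].join('\n'),
  'lib/supabase-admin.ts': [
    'import "server-only";',
    'import { createClient } from "@supabase/supabase-js";',
    'export const admin = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY);',
  ].join('\n'),
};
console.log(findServiceRoleLeaks(SAMPLE_FILES));
```

The server-only module in lib/ references the key legitimately and is not flagged; only the NEXT_PUBLIC_ variable and the "use client" page are.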
Tags
nextjs, supabase, Authentication
Catch this automatically on every PR
BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.