
Supabase Service Role Key

The Supabase Service Role Key is an admin-level API key that bypasses RLS. It must be kept strictly server-side and never exposed to clients.


The Supabase Service Role Key is a highly privileged API key for your Supabase project. Unlike the Anon Key, this key has full administrative access to your database and bypasses all Row Level Security (RLS) policies. It effectively acts as a superuser, capable of reading, writing, and deleting any data in your database, regardless of RLS rules.

Due to its powerful capabilities, the Service Role Key must be kept strictly server-side. It should never be exposed in client-side code (e.g., in a browser, mobile app, or any publicly accessible frontend). If this key is compromised, an attacker could gain complete control over your Supabase database and potentially your entire application's data.

You would typically use the Service Role Key in secure backend environments, such as server-side functions (e.g., Supabase Edge Functions, Vercel Serverless Functions), cron jobs, or internal scripts that require elevated permissions. For example, it might be used to perform migrations, run analytics queries that need access to all data, or manage user accounts from an admin panel that runs on a secure backend.
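One way to check that the key has not reached client-side code, as an added example that is not part of the original page: scan the built frontend output for JWT-format keys whose payload carries the `service_role` role. It assumes the key is in Supabase's JWT format with a `role` claim; the function names, the sample bundle and the `dist/app.js` path are constructed for illustration.

```javascript
// Added example: flag Supabase service-role keys in text that ships to clients.
// Assumption: the key is a JWT whose payload contains "role": "service_role".

// Three base64url segments; header and payload both start with eyJ ('{"').
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Decode the middle (payload) segment; return null if it is not valid JSON.
function decodePayload(token) {
  try {
    const json = Buffer.from(token.split(".")[1], "base64url").toString("utf8");
    return JSON.parse(json);
  } catch {
    return null; // looked like a JWT but is not decodable; ignore it
  }
}

// Return one finding per service-role key. The token itself is never echoed,
// so scan reports and CI logs do not become a second leak.
function findServiceRoleKeys(text, source = "<input>") {
  const findings = [];
  for (const m of text.matchAll(JWT_RE)) {
    const payload = decodePayload(m[0]);
    if (payload && payload.role === "service_role") {
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ source, line, role: payload.role, ref: payload.ref ?? null });
    }
  }
  return findings;
}

// Constructed tokens with a dummy signature; not valid for any project.
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(payload)}.c2lnbmF0dXJl`;
}

// Constructed sample of a frontend bundle: the anon key is expected there,
// the service-role key is the finding.
const SAMPLE_BUNDLE = [
  `const url = "https://example.supabase.co";`,
  `const anon = "${fakeJwt({ iss: "supabase", ref: "exampleref", role: "anon" })}";`,
  `const admin = "${fakeJwt({ iss: "supabase", ref: "exampleref", role: "service_role" })}";`,
].join("\n");

console.log(findServiceRoleKeys(SAMPLE_BUNDLE, "dist/app.js"));
```

Run over the real build directory in CI, a non-empty result should fail the build, and any key it finds should be rotated rather than just removed from the code.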
