Fix guide · critical · supabase_service_role_jwt_pattern

Supabase personal access token (sbp_*) in client code

What this rule means

An sbp_* token was found in your client-side bundle. sbp_ is the prefix of a Supabase personal access token (PAT), the credential used to authenticate to the Supabase Management API. Anything shipped in a browser bundle is readable by every visitor, so a PAT in client code is effectively public.

Why it matters

A personal access token acts as the account that created it, across every organization and project that account can manage. Through the Management API it can list and modify projects, rotate API keys, change billing, and delete data. This is a different class of credential from the anon and service_role keys, which are scoped to a single project; revoking a project key does nothing about an exposed PAT.

How to fix it

  1. Revoke the token at supabase.com/dashboard/account/tokens. Revoke first, then clean up the code: removing the string from your bundle does not invalidate copies that have already been downloaded or cached. Afterwards, check your projects for changes you did not make.
  2. Move all Management API calls server-side. Read the token from a server environment variable or secret store, and expose only the specific action the client needs behind your own authenticated endpoint. A PAT should never appear in browser code.
  3. For per-project programmatic access, use the project's API keys instead of an account-level PAT. Only the anon key belongs in client code, and only with Row Level Security enabled on the tables it can reach; the service_role key bypasses RLS and must also stay server-side.
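The server-side move in steps 2 and 3, as an added example that is not vibecheck's or Supabase's own code: the PAT is read from an environment variable on the server, the browser may only trigger allow-listed Management API calls through your own endpoint, and the upstream response is scrubbed so the token cannot leak back out. The SUPABASE_ACCESS_TOKEN variable name, the /api/projects route and the allow-list are assumptions about the app; the Management API base URL is the one Supabase documents.

```javascript
// Added example, not vibecheck's or Supabase's own code.
//
// BEFORE (what the rule flags): the browser bundle carries the PAT itself, so
// every visitor who views source holds an account-level credential.
//
//   fetch("https://api.supabase.com/v1/projects", {
//     headers: { Authorization: "Bearer sbp_..." },
//   });
//
// AFTER: the browser calls an endpoint on your own server; the PAT lives in
// the server's environment and the client only ever sees the scrubbed result.

const MANAGEMENT_API = "https://api.supabase.com/v1";

// Allow-list of client routes -> Management API paths. Assumption: this app
// only needs to read its project list; everything else stays unreachable.
const ALLOWED_ROUTES = new Map([["GET /api/projects", "/projects"]]);

// Read the PAT from the server environment (variable name is an assumption)
// and refuse to proceed if it is missing or not an sbp_ token.
function getToken(env = process.env) {
  const token = env.SUPABASE_ACCESS_TOKEN;
  if (typeof token !== "string" || !token.startsWith("sbp_")) {
    throw new Error("SUPABASE_ACCESS_TOKEN is missing or is not a Supabase personal access token");
  }
  return token;
}

// Map an incoming client request onto an upstream Management API request, or
// return null when the route is not allow-listed.
function buildUpstreamRequest(method, path, env = process.env) {
  const upstreamPath = ALLOWED_ROUTES.get(`${method.toUpperCase()} ${path}`);
  if (!upstreamPath) return null;
  return {
    url: MANAGEMENT_API + upstreamPath,
    headers: { Authorization: `Bearer ${getToken(env)}`, Accept: "application/json" },
  };
}

// Remove any occurrence of the token from text before it leaves the server.
function scrub(text, token) {
  return text.split(token).join("[redacted]");
}

// Handle one client request. fetchImpl is injectable so the logic can be
// exercised without network access; Node 18+ provides a global fetch.
async function proxy(method, path, env = process.env, fetchImpl = fetch) {
  const upstream = buildUpstreamRequest(method, path, env);
  if (!upstream) return { status: 404, body: "" };
  const response = await fetchImpl(upstream.url, { method: "GET", headers: upstream.headers });
  return { status: response.status, body: scrub(await response.text(), getToken(env)) };
}
```

Wire proxy() into whatever HTTP framework the server already uses, behind the app's own authentication, and keep the allow-list as short as the feature actually requires; a catch-all forwarder would hand the PAT's full power to any logged-in user.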

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, rebuild and run the inspection again; the finding should clear. If it does not, look for other copies of the token: source maps, older deployed builds, and environment variables that your bundler inlines at build time (typically those with a public prefix such as VITE_ or NEXT_PUBLIC_).
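A local pre-check for the same finding, as an added example that is not vibecheck's scanner: it scans a built bundle for sbp_ tokens and reports each hit by line and column with the token redacted, the way a scan report would show it. The pattern (sbp_ followed by at least 20 alphanumerics) and the sample bundle are constructed for illustration; the real rule may match a tighter format.

```javascript
// Added example, not vibecheck's own scanner.

// Assumed token shape: the sbp_ prefix followed by a long alphanumeric body.
// Loose on purpose so that a token with a different body length is still caught.
const SBP_TOKEN = /\bsbp_[A-Za-z0-9]{20,}\b/g;

// Keep enough of the token to locate it in the source, never the whole value.
function redact(token) {
  return `${token.slice(0, 8)}...${token.slice(-4)}`;
}

// Scan one file's contents and return a finding per match.
function scanBundle(source, file = "bundle.js") {
  const findings = [];
  source.split("\n").forEach((line, index) => {
    for (const match of line.matchAll(SBP_TOKEN)) {
      findings.push({
        file,
        line: index + 1,
        column: match.index + 1,
        match: redact(match[0]),
      });
    }
  });
  return findings;
}

// Exit status for a build step: non-zero when anything was found.
function exitCode(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample bundle. The token is fake (40 made-up hex digits) and
// the "sbp_short" string shows that the prefix alone is not enough to match.
const SAMPLE_BUNDLE = [
  'const u="https://api.supabase.com/v1/projects";',
  'const t="sbp_0123456789abcdef0123456789abcdef01234567";',
  'const label="sbp_short";',
  'fetch(u,{headers:{Authorization:"Bearer "+t}});',
].join("\n");

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`${f.file}:${f.line}:${f.column} personal access token ${f.match}`);
}
```

Run it over every file your build emits, source maps included, and fail the build on a non-zero exit code; that catches a token reintroduced through an inlined environment variable before it is deployed.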

Run another inspection