
How to secure public API endpoints in Supabase?

Secure your Supabase API endpoints with RLS policies, API key restrictions, and CORS rules to ensure only authenticated users and allowed domains access your data.

Matt Graham, CEO of Rapid Developers



Step 1: Accessing the Supabase Dashboard

 

To secure public API endpoints in Supabase, first, access your Supabase project dashboard. Log in to your Supabase account and navigate to your project.

 

Step 2: Navigate to Authentication Settings

 

On the left-hand side panel, click on Authentication. This will take you to the authentication settings where you can manage user policies and API security.

 

Step 3: Configure Policies

 

Inside the Authentication panel, select the Policies tab. You will define Postgres Row Level Security (RLS) policies here to control access to your tables. Because the auto-generated REST API queries these tables directly, the RLS policies are what decide which rows each API request can read or write, so this step is what restricts certain endpoints to authenticated users.

 

Example Policy to Allow Authenticated Users

 

To create a policy that allows only authenticated users to access data, execute the SQL command in your Supabase SQL editor:


-- Enable Row Level Security for your table. With RLS on and no policies,
-- every SELECT, INSERT, UPDATE and DELETE through the API is denied.
ALTER TABLE your_table_name ENABLE ROW LEVEL SECURITY;

-- Allow only authenticated users to read rows. This policy covers SELECT
-- only; writes stay denied until you add policies for them.
-- (auth.role() is deprecated by Supabase in favour of the TO clause;
--  "TO authenticated USING (true)" is the equivalent current form.)
CREATE POLICY "Allow authenticated access"
ON your_table_name
FOR SELECT
USING (auth.role() = 'authenticated');

This policy authorizes only users with the authenticated role to read rows of the table; a request made with the anon key runs as the anon role, so it receives no rows.

 

Step 4: Set Up API Key Restrictions

 

Navigate to the API tab from the left navigation. Ensure that your API keys are restricted appropriately:

  1. Click on Generate API Key if you haven't generated keys yet.
  2. Use the Service Role key only for backend services where full access to operations is required; it bypasses RLS, so it must never be shipped in client-side code.
  3. Use the Anon Key for public endpoints; its access is restricted by the RLS policies you created.
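The following is an added example, not code from the original page or from Supabase, showing what Steps 3 and 4 look like together on a hypothetical documents table (table and column names are assumptions): RLS is enabled, every operation is scoped to the row owner with the current TO-clause form, and the comments spell out what each API key can reach as a result.

```sql
-- Added example (not from the original page): owner-scoped RLS for a
-- hypothetical "documents" table. Table and column names are assumptions.
CREATE TABLE IF NOT EXISTS public.documents (
  id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id  uuid NOT NULL DEFAULT auth.uid() REFERENCES auth.users (id),
  title     text NOT NULL,
  body      text
);

-- Once RLS is enabled, every operation is denied until a policy allows it.
-- This is what keeps requests made with the anon key from reading anything.
ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;

-- Scope every operation to the row owner. "TO authenticated" replaces the
-- deprecated auth.role() check; auth.uid() is the "sub" claim of the JWT
-- that supabase-js attaches to each request after sign-in.
CREATE POLICY "documents: owner can read"
  ON public.documents FOR SELECT
  TO authenticated
  USING (owner_id = auth.uid());

-- WITH CHECK is evaluated on the new row, so a user cannot insert a row
-- that belongs to someone else.
CREATE POLICY "documents: owner can insert"
  ON public.documents FOR INSERT
  TO authenticated
  WITH CHECK (owner_id = auth.uid());

-- USING selects which rows may be updated; WITH CHECK prevents re-assigning
-- a row to another owner during the update.
CREATE POLICY "documents: owner can update"
  ON public.documents FOR UPDATE
  TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

CREATE POLICY "documents: owner can delete"
  ON public.documents FOR DELETE
  TO authenticated
  USING (owner_id = auth.uid());

-- No policy names the "anon" role, so the anon key gets no rows at all.
-- The service_role key bypasses RLS entirely, which is why it belongs only
-- on a trusted backend and never in browser or mobile code.

-- Review the policies in force before exposing the table through the API.
SELECT policyname, cmd, roles, qual, with_check
  FROM pg_policies
 WHERE schemaname = 'public' AND tablename = 'documents';
```

Run it in the SQL editor of a project where the auth schema exists (every Supabase project). The closing query against pg_policies is the quickest way to confirm that each command has a policy and that none of them is open to the anon role by accident.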

 

Step 5: Modify CORS (Cross-Origin Resource Sharing) Rules

 

CORS rules help secure your API endpoints by allowing or denying requests from specific domains:

  • In the API section, scroll down to the CORS settings.
  • Add your application’s domain to the allowed origins list.

https://your-application-domain.com

This setting ensures that only requests from specified domains can interact with your Supabase APIs from a browser. CORS is enforced by browsers only; scripts and other non-browser clients ignore it, so it complements the RLS policies and key handling above rather than replacing them.

 

Step 6: Secure Client Applications

 

Ensure that your frontend applications authenticate their requests to the Supabase API with the user's JWT (JSON Web Token). Import the Supabase client library in your code; once a user signs in, the client attaches that user's JWT to every request, and the RLS policies are evaluated against it.


// Import the Supabase client
import { createClient } from '@supabase/supabase-js'

// Create a single supabase client for interacting with your database.
// Only the anon key belongs here; the service role key must never reach the browser.
const supabase = createClient('https://xyzcompany.supabase.co', process.env.SUPABASE_ANON_KEY)

// Query as the signed-in user. After a sign-in call (for example
// supabase.auth.signInWithPassword), supabase-js attaches the user's JWT to
// every request, so the RLS policies decide which rows come back.
async function fetchData() {
  const { data, error } = await supabase
    .from('your_table_name')
    .select('*')

  if (error) console.error('Error fetching data:', error)
  else console.log('Fetched data:', data)
}

fetchData()

In the example above, handle API keys with care: only the SUPABASE_ANON_KEY may be exposed in client-side environments, and it is safe to expose only because the RLS policies limit what it can reach.

 

Step 7: Test Your Configuration

 

Finally, test your API endpoints to verify that access is indeed restricted to authenticated users or specific domains as intended: issue requests with the anon key and no session, with a signed-in user, and with a second user who owns no rows, and confirm each sees only what the policies allow. Monitor the API logs to ensure unauthorized requests are blocked.
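One way to run these checks without leaving the SQL editor is to impersonate the database roles that the anon key and a signed-in user actually run as. This is an added example, not code from the original page or from Supabase; the notes table and the user ids are constructed for the demonstration, and it assumes that auth.uid() reads the sub claim from the request.jwt.claims setting, as it does in current Supabase projects.

```sql
-- Added example (not from the original page): checking RLS by impersonating
-- the roles behind each API key. The table and the user ids are constructed.
CREATE TABLE IF NOT EXISTS public.notes (
  id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  owner_id uuid NOT NULL,
  body     text NOT NULL
);
ALTER TABLE public.notes ENABLE ROW LEVEL SECURITY;
CREATE POLICY "notes: owner only" ON public.notes
  FOR SELECT TO authenticated USING (owner_id = auth.uid());

-- Seed two rows for two different (constructed) user ids. This runs as the
-- editor's own role, which owns the table, so RLS is not applied here.
INSERT INTO public.notes (owner_id, body) VALUES
  ('11111111-1111-1111-1111-111111111111', 'alice note'),
  ('22222222-2222-2222-2222-222222222222', 'bob note');

-- 1) The anon key runs as the "anon" role. No policy names that role, so
--    the count comes back as zero rows rather than an error.
BEGIN;
  SET LOCAL ROLE anon;
  SELECT count(*) AS rows_visible_to_anon FROM public.notes;
ROLLBACK;

-- 2) A signed-in user runs as "authenticated" with the JWT claims in
--    request.jwt.claims (assumption: this is what auth.uid() reads).
--    Only the row whose owner_id matches the sub claim is returned.
BEGIN;
  SET LOCAL ROLE authenticated;
  SET LOCAL request.jwt.claims TO
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
  SELECT body FROM public.notes;
ROLLBACK;

-- 3) A signed-in user who owns nothing sees no rows. RLS filters rather
--    than rejects, so a permission error at this point would mean the
--    role lacks the table GRANT, which is a separate problem.
BEGIN;
  SET LOCAL ROLE authenticated;
  SET LOCAL request.jwt.claims TO
    '{"sub":"33333333-3333-3333-3333-333333333333","role":"authenticated"}';
  SELECT count(*) AS rows_visible_to_stranger FROM public.notes;
ROLLBACK;
```

Each check is wrapped in its own transaction and rolled back, so the impersonation ends with the transaction and the seeded rows are the only thing left behind; drop the notes table afterwards if it was created only for the test. If the second query returns both rows, the policy is not being applied, which usually means RLS was never enabled on the table or the policy targets the wrong role.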
