Security//API key
A credential that identifies your app to a service. Two kinds, and they live in different places:
Publishable key (public) — lives in the frontend. Everyone's browser gets it. It's the light lock — enough to know which app is calling, but not enough to access data. In Supabase, it's the URL + anon key that tells the SDK where the "building" is and opens the front door. The real security is the token + RLS.
Secret key (private) — lives ONLY on the backend. Never reaches the browser. In Supabase, the service role key bypasses RLS entirely — it's the master key. In Google Cloud, the Client Secret proves your server is who it claims to be during the OAuth handshake.
Secret keys are stored in environment variables (.env.local in dev, the hosting dashboard in production). Never committed to git, never sent to the frontend.
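An added example (not from this note or from Supabase) of enforcing that split at config-load time: only values under an assumed PUBLIC_ prefix are handed to the browser bundle, a prefixed name that looks like a secret aborts the build, and the server config fails loudly when a required secret is missing. The env var names and the prefix convention are assumptions, and the values are constructed placeholders.

```javascript
// Added example: separate publishable from secret keys when loading config.
// Assumptions (not from the note): a "PUBLIC_" prefix marks values allowed in
// the browser; names SUPABASE_URL, SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY
// and GOOGLE_CLIENT_SECRET are illustrative.
const PUBLIC_PREFIX = "PUBLIC_";

// Names that must never reach the client, whatever prefix someone gave them.
const SECRET_PATTERNS = [/SERVICE_ROLE/i, /SECRET/i, /PRIVATE/i];

function looksSecret(name) {
  return SECRET_PATTERNS.some((re) => re.test(name));
}

// Build the object the frontend bundle may see: only PUBLIC_-prefixed values,
// and refuse to continue if a secret was prefixed by mistake.
function clientConfig(env) {
  const out = {};
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith(PUBLIC_PREFIX)) continue;
    if (looksSecret(name)) {
      throw new Error(`refusing to expose ${name} to the browser`);
    }
    out[name.slice(PUBLIC_PREFIX.length)] = value;
  }
  return out;
}

// Server-side config: everything, but require the secrets to be present so a
// missing .env.local fails at startup instead of silently running without them.
function serverConfig(env, required = ["SUPABASE_SERVICE_ROLE_KEY"]) {
  for (const name of required) {
    if (!env[name]) throw new Error(`missing server secret ${name}`);
  }
  return { ...env };
}

// Constructed sample environment (placeholder values, not real keys).
const sampleEnv = {
  PUBLIC_SUPABASE_URL: "https://example.supabase.co",
  PUBLIC_SUPABASE_ANON_KEY: "anon-key-placeholder",
  SUPABASE_SERVICE_ROLE_KEY: "service-role-placeholder",
  GOOGLE_CLIENT_SECRET: "client-secret-placeholder",
};

// Usage: the client object has only URL and anon key; the server object has all four.
console.log(Object.keys(clientConfig(sampleEnv)));
console.log(Object.keys(serverConfig(sampleEnv)));
```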