Supabase Key

Detects Supabase credentials: personal access tokens (sbp_), the new opaque secret API keys (sb_secret_) introduced in 2025 to replace the legacy service_role JWT, and, when labelled with Supabase context in an assignment, the legacy anon/service_role JWT keys that remain valid until late 2026. A leaked secret key or service_role JWT grants full admin access to the project's production Postgres database, bypassing Row Level Security; a leaked personal access token grants account-wide Management API control.

Type
regex
Engine
universal
Confidence
high
Confidence justification
High confidence: both distinctive prefixes are multiply attested. sbp_ is pinned at a 40-character body by two independent production detectors (TruffleHog sbp_[a-z0-9]{40}, Kingfisher sbp_[a-z0-9_-]{40} case-insensitive) and confirmed as the personal-access-token format by Supabase's own Management API and CLI documentation. sb_secret_ is confirmed by Supabase's changelog (new API keys, June 2025), by a literal default key hardcoded in Supabase's own open-source CLI (of the form sb_secret_ABCDEFGHIJKLMNOPQRSTUV_abcdefgh -- a 31-character body: 22 chars + underscore + 8-char suffix), and by Kingfisher's production rule (sb_secret_[a-z0-9_-]{31}) -- two convergent sources pinning 31 exactly, so the body is bounded 28-36: the pin plus a small hedge, because the vendor documents the keys only as opaque random strings and a hard 31 would silently miss minor generation-format drift. The legacy JWT branch is deliberately context-gated: eyJ-prefixed JWTs are one of the most common token shapes in any log or config file, so it requires a labelled assignment and never fires value-only.
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories
credentials, security
Scope
narrow
Risk rating
9
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_-])(?:sbp_[A-Za-z0-9_-]{40}|sb_secret_[A-Za-z0-9_-]{28,36})(?![A-Za-z0-9_-])

Corroborative evidence keywords

supabase, supabase.co, SUPABASE_ACCESS_TOKEN, SUPABASE_SERVICE_ROLE_KEY, service_role, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host (+38 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References