Also known as: SUPABASE_ANON_KEY, anonymous key, public key
Definition
The anon key is the Supabase public API key that respects Row Level Security. It is safe to include in the browser bundle because RLS gates every query against the user's JWT claims. The anon key alone cannot read or modify rows unless an RLS policy explicitly allows it.
The anon key is a long-lived JWT signed by your Supabase project's secret. It identifies any caller as "the public role" and is the credential that browser clients use to talk to PostgREST and Supabase Auth. The key itself confers no data access; RLS policies do.
Exposing the anon key in the browser is safe by design. The variable is named NEXT_PUBLIC_SUPABASE_ANON_KEY for exactly this reason. The safety argument depends on RLS being enabled, with sensible policies, on every table. A table without RLS enabled, or with a permissive "true" policy, exposes its rows to any browser caller who knows the table name.
The anon key and the service_role key are opposites. Anon is bounded by RLS; service_role bypasses RLS. Anon belongs in the browser; service_role never does. A common mistake in AI-generated code is using service_role in a Client Component because the AI confused the two keys. The fix is structural: add import 'server-only' to the file that owns the service_role client, so the bundler fails the build if that file is ever pulled into client code.
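As an added example (not code from this page or from Supabase), a build-time guard that catches the key mix-up described above: it reads the role claim from the key's JWT payload and refuses to publish anything but an anon key under a NEXT_PUBLIC_ name. It does not verify the JWT signature, since the project secret is not available in the browser build, so it detects the accidental swap rather than a forged key; the sample keys are constructed with a fake signature and the env var name is assumed from the page.

```javascript
// Added example: guard against shipping a service_role key in the browser bundle.
// Node.js (Buffer is a global); no signature check, only the role claim is read.

function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Returns the `role` claim of a Supabase API key (a JWT); throws if the value
// is not a three-segment JWT carrying a string role claim.
function keyRole(key) {
  const parts = key.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 segments");
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.role !== "string") throw new Error("JWT has no role claim");
  return payload.role;
}

// Only a key whose role is `anon` may be exposed under NEXT_PUBLIC_*.
function assertPublicKey(key) {
  const role = keyRole(key);
  if (role !== "anon") {
    throw new Error(`refusing to publish a key with role "${role}"; only the anon key belongs in NEXT_PUBLIC_SUPABASE_ANON_KEY`);
  }
  return role;
}

function isSafeToPublish(key) {
  try { assertPublicKey(key); return true; } catch { return false; }
}

// Constructed sample keys: same header.payload.signature shape as a Supabase
// key, but with a placeholder project ref and a fake signature (not real keys).
function fakeKey(role) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const header = enc({ alg: "HS256", typ: "JWT" });
  const payload = enc({ iss: "supabase", ref: "example-ref", role, iat: 0, exp: 0 });
  return `${header}.${payload}.fakesignature`;
}

const SAMPLE_ANON_KEY = fakeKey("anon");
const SAMPLE_SERVICE_KEY = fakeKey("service_role");

// Typical use in a build step or next.config.js:
//   assertPublicKey(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY ?? "");
```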