Also known as: SUPABASE_SERVICE_ROLE_KEY, service_role, admin key
Definition
The service role key is the Supabase API key that bypasses Row Level Security and grants full access to the project's database. It must never enter the browser bundle. In a Next.js app the key is used only in Server Actions and Route Handlers, through a createAdminClient helper that lives in a module gated by Next.js's server-only enforcement.
Supabase issues two API keys per project: an anon key, which is safe to ship to the browser because every request made with it is subject to RLS, and a service_role key, which is server-only because requests made with it run as the service_role Postgres role, and that role bypasses RLS. The service_role key is not literally a Postgres superuser, but for the PostgREST API and the Auth admin endpoints it might as well be: anyone who holds it can read, modify or delete any row in any table the API exposes and manage any user, regardless of the RLS policies in place.
Put import 'server-only' at the top of every file that touches the key. server-only is a tiny npm package (npm install server-only) whose only job is to make the Next.js build fail when a module that imports it is pulled into client output, so even a transitive import from a Client Component fails the build instead of shipping the key. Naming the env var SUPABASE_SERVICE_ROLE_KEY, with no NEXT_PUBLIC_ prefix, adds a second barrier: Next.js inlines only NEXT_PUBLIC_-prefixed variables into browser bundles, so the key is readable from process.env on the server and is simply undefined in client code. Both barriers keep the key itself out of the browser; neither stops a server-side code path from using the key and then returning data the caller was not entitled to see, which is why authorization inside the Server Action still matters.
Use service_role for admin operations (webhook handlers, scheduled jobs, system tasks) and for backend-only data access where the Server Action performs its own authorization. Use anon for client-side reads where RLS supplies the authorization. Never instantiate a service_role client in any code path that runs in the browser. Two caveats follow from bypassing RLS. First, a Server Action is an HTTP endpoint that any client can call, so an action that uses the admin client must first establish who the caller is (for example from the cookie-bound user session) and whether they are allowed to perform the operation; with service_role there is no policy underneath to catch a missing check. Second, treat any exposure of the key, whether in a client bundle, a log line or a committed .env file, as a compromise of the whole database and rotate it.
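The two structural barriers above are build-time checks. The following is an added example, not Supabase's or Next.js's own code, of the runtime guards a hypothetical lib/supabase/admin.ts could run before handing the key to the Supabase client constructor: it refuses to build an admin client in the browser, refuses if the service_role key has been pasted into any NEXT_PUBLIC_ variable, and refuses if the admin slot holds an anon key. It assumes the legacy Supabase API keys, which are JWTs carrying a role claim of anon or service_role, and the Next.js convention that only NEXT_PUBLIC_-prefixed variables are inlined into browser bundles. The function names requireServiceRoleKey and makeAdminClientFactory, and the sample keys, are assumptions made for the example; the sample keys are constructed with a placeholder signature and would be rejected by a real project.

```typescript
// Added example; not Supabase's or Next.js's own code. Runtime guards that a
// hypothetical lib/supabase/admin.ts could run before calling the Supabase client
// constructor. Assumes legacy Supabase API keys (JWTs with a `role` claim) and the
// Next.js rule that only NEXT_PUBLIC_ env vars are inlined into browser bundles.
// In a real app this file would also start with `import 'server-only'`; it is
// omitted here so the example runs outside Next.js.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Minimal base64url codec for ASCII payloads (JWT headers and claims are ASCII JSON).
// Written by hand so the example needs neither Buffer nor atob.
function b64urlEncode(s: string): string {
  let acc = 0, bits = 0, out = '';
  for (let i = 0; i < s.length; i++) {
    acc = (acc << 8) | (s.charCodeAt(i) & 0xff);
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += B64URL[(acc >> bits) & 63];
    }
    acc &= (1 << bits) - 1;
  }
  if (bits > 0) out += B64URL[(acc << (6 - bits)) & 63];
  return out;
}

function b64urlDecode(s: string): string {
  let acc = 0, bits = 0, out = '';
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s[i]);
    if (v < 0) throw new Error('invalid base64url character');
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return out;
}

// Read the `role` claim of a Supabase API key without verifying the signature.
// This is a configuration sanity check, not authentication: PostgREST verifies signatures.
export function jwtRole(token: string): string | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(b64urlDecode(parts[1]));
    return typeof claims.role === 'string' ? claims.role : null;
  } catch {
    return null;
  }
}

export type Env = { [name: string]: string | undefined };

// Returns the service_role key or throws, so a misconfigured environment can never
// produce an admin client. `isBrowser` is `typeof window !== 'undefined'` evaluated
// by the caller (kept as a parameter so this file compiles without DOM typings).
export function requireServiceRoleKey(env: Env, isBrowser: boolean): string {
  if (isBrowser) {
    throw new Error('service_role guard: admin client instantiated in the browser');
  }
  // NEXT_PUBLIC_ vars are inlined into every client bundle. Refuse if the admin key
  // has been pasted into one of them, whatever that variable happens to be called.
  const names = Object.keys(env);
  for (let i = 0; i < names.length; i++) {
    const value = env[names[i]];
    if (names[i].indexOf('NEXT_PUBLIC_') === 0 && value && jwtRole(value) === 'service_role') {
      throw new Error('service_role guard: service_role key exposed under public env var ' + names[i]);
    }
  }
  const key = env.SUPABASE_SERVICE_ROLE_KEY;
  if (!key) throw new Error('service_role guard: SUPABASE_SERVICE_ROLE_KEY is not set');
  // The opposite mistake, an anon key in the admin slot, silently turns every "admin"
  // query into an RLS-restricted one; fail loudly instead.
  if (jwtRole(key) !== 'service_role') {
    throw new Error('service_role guard: SUPABASE_SERVICE_ROLE_KEY does not carry role=service_role');
  }
  return key;
}

// Wraps a client constructor (e.g. createClient from @supabase/supabase-js, injected
// so this file runs without the package) so only a guarded key ever reaches it.
export function makeAdminClientFactory<T>(create: (url: string, key: string) => T, env: Env, isBrowser: boolean): () => T {
  return () => {
    const url = env.NEXT_PUBLIC_SUPABASE_URL;
    if (!url) throw new Error('service_role guard: NEXT_PUBLIC_SUPABASE_URL is not set');
    return create(url, requireServiceRoleKey(env, isBrowser));
  };
}

// Constructed sample keys with the shape of Supabase's legacy keys (HS256 JWT with a
// role claim). The signature segment is a placeholder; nothing here verifies it.
function sampleKey(role: string): string {
  const header = b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const claims = b64urlEncode(JSON.stringify({ iss: 'supabase', role: role, exp: 2000000000 }));
  return header + '.' + claims + '.placeholder-signature';
}
export const SAMPLE_ANON_KEY = sampleKey('anon');
export const SAMPLE_SERVICE_ROLE_KEY = sampleKey('service_role');
```

In the real admin module the factory would be built once, as something like makeAdminClientFactory(createClient, process.env, typeof window !== 'undefined'), with the Supabase client options autoRefreshToken: false and persistSession: false passed inside the injected constructor so the admin client never tries to store a session. The guard deliberately does not verify the JWT signature: it is there to catch configuration mistakes before the first request, and the project's real secret never needs to be present for that.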