Performing administration tasks on the server side with the service_role secret

Last edited: 5/27/2025

By default, the auth-helpers/ssr do not permit the use of the service_role secret. This restriction is in place to prevent the accidental exposure of your service_role secret to the public. Since the auth-helpers/ssr function on both the server and client side, it becomes challenging to separate the key specifically for client-side usage.

However, there is a solution. You can create a separate Supabase client using the createClient method from @supabase/supabase-js and provide it with the service_role secret. In a server environment, you will also need to disable certain properties to ensure proper functionality. See the example code below for the required settings.

By implementing this approach, you can safely utilize the service_role secret without compromising security or exposing sensitive information to the public.

1
2
3
4
5
6
7
8
9
import { createClient } from '@supabase/supabase-js'const supabase = createClient(supabaseUrl, serviceRoleSecret, { auth: { persistSession: false, autoRefreshToken: false, detectSessionInUrl: false, },})