Performing administration tasks on the server side with the service_role secret

Last edited: 1/15/2025

By default, the auth-helpers/ssr packages do not permit the use of the service_role secret. This restriction is in place to prevent the accidental exposure of your service_role secret to the public. Because auth-helpers/ssr run on both the server and the client, it is difficult to guarantee that a key passed to them stays out of client-side code.

However, there is a solution. You can create a separate Supabase client using the createClient method from @supabase/supabase-js and provide it with the service_role secret. In a server environment, you will also need to disable the persistSession, autoRefreshToken and detectSessionInUrl auth options to ensure proper functionality.

With this approach, the service_role secret is used only by a dedicated server-side client, so you can use it without compromising security or exposing sensitive information to the public.


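```js
import { createClient } from '@supabase/supabase-js'

// supabaseUrl and serviceRoleSecret must come from server-side configuration only.
const supabase = createClient(supabaseUrl, serviceRoleSecret, {
  auth: {
    // A server process has no browser storage or URL to read a session from,
    // so session persistence, token refresh and URL detection are turned off.
    persistSession: false,
    autoRefreshToken: false,
    detectSessionInUrl: false,
  },
})
```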
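The accidental exposure described above can also be checked for before the client is created. The following is an added example, not Supabase's own code: the helper names and the `SUPABASE_URL` / `SUPABASE_SERVICE_ROLE_KEY` variable names are assumptions, and the role check assumes a JWT-format key that carries a `role` claim.

```javascript
// Added example (hypothetical helpers): refuse to build the service_role client
// when the environment suggests the secret could reach the browser.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'PUBLIC_', 'REACT_APP_']

// Decode the role claim of a JWT-format key; returns null if the key is not a JWT.
function keyRole(key) {
  const parts = key.split('.')
  if (parts.length !== 3) return null
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')).role ?? null
  } catch {
    return null
  }
}

// Returns a list of problems; an empty list means the configuration looks safe.
function checkServiceRoleConfig(env, isBrowser = typeof window !== 'undefined') {
  const problems = []
  const key = env.SUPABASE_SERVICE_ROLE_KEY // assumed variable name
  if (isBrowser) problems.push('service_role client requested in a browser context')
  if (!env.SUPABASE_URL) problems.push('SUPABASE_URL is not set')
  if (!key) return [...problems, 'SUPABASE_SERVICE_ROLE_KEY is not set']
  const role = keyRole(key)
  if (role !== null && role !== 'service_role')
    problems.push(`key carries role "${role}", expected "service_role"`)
  // Bundlers inline variables with these prefixes into client-side code.
  for (const [name, value] of Object.entries(env))
    if (value === key && PUBLIC_PREFIXES.some((p) => name.startsWith(p)))
      problems.push(`${name} exposes the service_role secret to client bundles`)
  return problems
}

// createClient is passed in so this module has no import-time dependency;
// in an application, pass createClient from '@supabase/supabase-js'.
function createAdminClient(createClient, env = process.env) {
  const problems = checkServiceRoleConfig(env)
  if (problems.length) throw new Error('Refusing to create admin client: ' + problems.join('; '))
  return createClient(env.SUPABASE_URL, env.SUPABASE_SERVICE_ROLE_KEY, {
    auth: { persistSession: false, autoRefreshToken: false, detectSessionInUrl: false },
  })
}
```

Call `createAdminClient(createClient)` once in a server-only module and import the resulting client from there, so no component shared with the browser constructs it.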