Supabase Security Rotation Steps

https://claude.ai/share/31f96692-014d-4628-b56f-605e1a82d1b2

Step 1: Rotate the JWT Secret

  1. Go to supabase.com and log in

  2. Open your project

  3. Click Project Settings (gear icon, bottom left sidebar)

  4. Click Data API or JWT Keys in the settings menu

  5. Find the Legacy JWT Secret tab

  6. Click Change Legacy Secret

  7. Click Generate a random secret

  8. Read the confirmation dialog — it warns you everything breaks instantly

  9. Confirm it

✅ Anon key and service role key auto-regenerate after this.


Step 2: Rotate the Database Password

  1. Still in Project Settings

  2. Click Database in the left menu

  3. Scroll down to Database password

  4. Click Reset database password

  5. Save the new password in a password manager


Step 3: Get Your New API Keys

  1. Go to Project Settings → Data API

  2. Copy the new anon key and service role key


Step 4: Update Your App's Environment Variables

  1. Open your .env file or your hosting dashboard (Vercel, Railway, etc.)

  2. Replace the old SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY with the new ones

  3. Redeploy your app


Step 5: Rotate Edge Function Secrets

  1. Go to Project Settings → Edge Functions → Secrets

  2. Delete all old secrets

  3. Re-add them with fresh values (OpenAI keys, any third party stuff, etc.)


Step 7: Change Dashboard Passwords + Enable MFA

  1. Go to your Supabase account settings

  2. Change your password

  3. Enable MFA

  4. Have jeet (co-owner) do the same


Step 8: Audit What Happened

  1. Go to Logs Explorer in your project sidebar

  2. Check for suspicious activity around March 21 (when the attacker was active)

  3. Make sure no unknown edge functions exist in your project

Status: In Progress
Board: 💡 Feedback, Bugs, & Feature Requests
Date: 28 days ago
Author: Harshil S
