Drydock

Free public scanner

Is your Supabase app leaking data?

Paste your project's public details. In a few seconds we'll show you what anyone on the internet can read — using only the public key that already ships in your app.

This is the public key from your app. We never store it. We only read row counts, never your data, and never write anything.

The anon key can't list your tables (Supabase locks that to service_role). Paste your table names here and we'll probe them directly; otherwise we guess from a wordlist plus your deployed bundle.


Why this is safe. The anon key is public by design — it's in every visitor's browser already. We do exactly what a visitor's browser can do: read only counts (not your data), make no changes, and don't keep your key.

Drydock · React + Supabase production specialists · drydock.digital