Free Tool

Supabase RLS Checker

Test your Row Level Security policies in 30 seconds. Enter your project URL and anon key — we probe your tables and show you what's exposed to unauthenticated requests.

Checks run directly from your browser to Supabase — your anon key is never sent to our servers.
Your project's REST base URL. Found in Supabase Dashboard → Project Settings → API.
The anon key — NOT the service role key. This is the key already in your client-side code.
Leave blank to auto-detect common table names (profiles, users, documents, orders, etc.).

How it works

Three steps. Thirty seconds. No account required.

01. Probe as anon

We send GET requests to your Supabase REST API using only your anon key — exactly what an unauthenticated attacker would do.

02. Check 12 patterns

We test for exposed tables, permissive SELECT policies, missing write policies, and common RLS misconfigurations.

03. Get specific findings

Each check returns a pass, warning, or fail — with the exact policy pattern causing the gap and how to fix it.
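
The anon probe and pass/warning/fail triage described above, as an added example for checking your own project (not this tool's code). The function names, the classification rules and the sample responses are assumptions made for illustration; the request shape is the standard Supabase REST call with the anon key in the `apikey` and `Authorization` headers.

```javascript
// Added example: build an anon-only probe and classify the REST response.
// buildProbe, classifyProbe and the rules below are hypothetical, not the tool's own logic.

// Build the request an unauthenticated client would send for one table.
function buildProbe(projectUrl, anonKey, table) {
  const base = projectUrl.replace(/\/+$/, "");
  return {
    url: `${base}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`,
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
  };
}

// Map an HTTP status and parsed JSON body to a finding.
function classifyProbe(table, status, body) {
  if (status === 200 && Array.isArray(body)) {
    if (body.length > 0) {
      // Rows came back with only the anon key: report column names, never values.
      return { table, result: "fail", columns: Object.keys(body[0]),
        note: "anon can read rows: RLS disabled or a SELECT policy such as USING (true)" };
    }
    // An empty array is ambiguous: RLS filtered everything, or the table is empty.
    return { table, result: "warning", columns: [],
      note: "no rows returned: confirm RLS is enabled rather than the table being empty" };
  }
  if (status === 401 || status === 403) {
    return { table, result: "pass", columns: [], note: "anon role is denied" };
  }
  if (status === 404) {
    return { table, result: "pass", columns: [], note: "table not exposed through the REST API" };
  }
  return { table, result: "warning", columns: [], note: `unexpected status ${status}` };
}

// Constructed sample responses (not captured from a real project).
const SAMPLES = [
  { table: "profiles", status: 200, body: [{ id: 1, email: "a@example.test" }] },
  { table: "orders", status: 200, body: [] },
  { table: "documents", status: 401, body: { code: "42501", message: "permission denied" } },
  { table: "users", status: 404, body: { message: "not found" } },
];

function runSamples() {
  return SAMPLES.map((s) => classifyProbe(s.table, s.status, s.body));
}

console.log(runSamples().map((f) => `${f.table}: ${f.result} (${f.note})`).join("\n"));
```

To run it against a live project, pass the `url` and `headers` from `buildProbe` to `fetch`, then hand `response.status` and the parsed JSON body to `classifyProbe`.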
