Back to skills
SkillHub ClubShip Full StackFull Stack
supabase-extract-jwt
Extract and decode Supabase-related JWTs from client-side code, cookies, and local storage patterns.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Stars
31
Hot score
89
Updated
March 20, 2026
Overall rating
C2.0
Composite score
2.0
Best-practice grade
B84.0
Install command
npx @skill-hub/cli install yoanbernabeu-supabase-pentest-skills-supabase-extract-jwt
Repository
yoanbernabeu/supabase-pentest-skills
Skill path: skills/extraction/supabase-extract-jwt
Extract and decode Supabase-related JWTs from client-side code, cookies, and local storage patterns.
Open repositoryBest for
Primary workflow: Ship Full Stack.
Technical facets: Full Stack.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: yoanbernabeu.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install supabase-extract-jwt into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/yoanbernabeu/supabase-pentest-skills before adding supabase-extract-jwt to shared team environments
- Use supabase-extract-jwt for development workflows
Works across
Claude CodeCodex CLIGemini CLIOpenCode
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: supabase-extract-jwt
description: Extract and decode Supabase-related JWTs from client-side code, cookies, and local storage patterns.
---
# Supabase JWT Extraction
> π΄ **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**
>
> You MUST write to context files **AS YOU GO**, not just at the end.
> - Write to `.sb-pentest-context.json` **IMMEDIATELY after each discovery**
> - Log to `.sb-pentest-audit.log` **BEFORE and AFTER each action**
> - **DO NOT** wait until the skill completes to update files
> - If the skill crashes or is interrupted, all prior findings must already be saved
>
> **This is not optional. Failure to write progressively is a critical error.**
This skill extracts and analyzes JSON Web Tokens (JWTs) related to Supabase from client-side code.
## When to Use This Skill
- To find all JWT tokens exposed in client code
- To analyze token claims and expiration
- To detect hardcoded user tokens (security issue)
- To understand the authentication flow
## Prerequisites
- Target application accessible
- Supabase detection completed (auto-invokes if needed)
## Types of JWTs in Supabase
| Type | Purpose | Client Exposure |
|------|---------|-----------------|
| Anon Key | API authentication | β
Expected |
| Service Role Key | Admin access | β Never |
| Access Token | User session | β οΈ Dynamic only |
| Refresh Token | Token renewal | β οΈ Dynamic only |
## Detection Patterns
### 1. API Keys (Static)
```javascript
// Supabase API keys are JWTs
const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
```
### 2. Hardcoded User Tokens (Problem)
```javascript
// β Should never be hardcoded
const userToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZW1haWwiOiJ1c2VyQGV4YW1wbGUuY29tIn0...'
```
### 3. Storage Key Patterns
```javascript
// Code referencing where JWTs are stored
localStorage.getItem('supabase.auth.token')
localStorage.getItem('sb-abc123-auth-token')
sessionStorage.getItem('supabase_session')
```
## Usage
### Basic Extraction
```
Extract JWTs from https://myapp.example.com
```
### With Claim Analysis
```
Extract and analyze all JWTs from https://myapp.example.com
```
## Output Format
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
JWT EXTRACTION RESULTS
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Found: 3 JWTs
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
JWT #1: Supabase Anon Key
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Type: API Key (anon)
Status: β
Expected in client code
Header:
βββ alg: HS256
βββ typ: JWT
Payload:
βββ iss: supabase
βββ ref: abc123def
βββ role: anon
βββ iat: 2021-12-20T00:00:00Z
βββ exp: 2031-12-20T00:00:00Z
Location: /static/js/main.js:1247
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
JWT #2: Hardcoded User Token β οΈ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Type: User Access Token
Status: β οΈ P1 - Should not be hardcoded
Header:
βββ alg: HS256
βββ typ: JWT
Payload:
βββ sub: 12345678-1234-1234-1234-123456789012
βββ email: [email protected]
βββ role: authenticated
βββ iat: 2025-01-15T10:00:00Z
βββ exp: 2025-01-15T11:00:00Z (EXPIRED)
Location: /static/js/debug.js:45
Risk: This token may belong to a real user account.
Even if expired, it reveals user information.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
JWT #3: Storage Reference
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Type: Storage Key Pattern
Status: βΉοΈ Informational
Pattern: localStorage.getItem('sb-abc123def-auth-token')
Location: /static/js/auth.js:89
Note: This is the expected storage key for user sessions.
Actual token value is set at runtime.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
## JWT Claim Analysis
The skill identifies key claims:
### Standard Claims
| Claim | Description | Security Impact |
|-------|-------------|-----------------|
| `sub` | User ID | Identifies specific user |
| `email` | User email | PII exposure if hardcoded |
| `role` | Permission level | `service_role` is critical |
| `exp` | Expiration | Expired tokens less risky |
| `iat` | Issued at | Indicates when created |
### Supabase-Specific Claims
| Claim | Description |
|-------|-------------|
| `ref` | Project reference |
| `iss` | Should be "supabase" |
| `aal` | Authenticator assurance level |
| `amr` | Authentication methods used |
## Security Findings
### P0 - Critical
```
π΄ Service role key exposed (role: service_role)
β Immediate key rotation required
```
### P1 - High
```
π User token hardcoded with PII (email, sub visible)
β Remove from code, may need to notify user
```
### P2 - Medium
```
π‘ Expired test token in code
β Clean up, potential information disclosure
```
## Context Output
Saved to `.sb-pentest-context.json`:
```json
{
"jwts": {
"found": 3,
"api_keys": [
{
"type": "anon",
"project_ref": "abc123def",
"location": "/static/js/main.js:1247"
}
],
"user_tokens": [
{
"type": "access_token",
"hardcoded": true,
"severity": "P1",
"claims": {
"sub": "12345678-1234-1234-1234-123456789012",
"email": "[email protected]",
"expired": true
},
"location": "/static/js/debug.js:45"
}
],
"storage_patterns": [
{
"pattern": "sb-abc123def-auth-token",
"storage": "localStorage",
"location": "/static/js/auth.js:89"
}
]
}
}
```
## Common Issues
β **Problem:** JWT appears truncated
β
**Solution:** May span multiple lines. The skill attempts to reassemble.
β **Problem:** JWT won't decode
β
**Solution:** May be encrypted (JWE) or custom format. Noted as undecodable.
β **Problem:** Many false positives
β
**Solution:** Base64 strings that look like JWTs. Skill validates structure.
## Remediation for Hardcoded Tokens
### Before (Wrong)
```javascript
// β Never hardcode user tokens
const adminToken = 'eyJhbGciOiJIUzI1NiI...'
fetch('/api/admin', {
headers: { Authorization: `Bearer ${adminToken}` }
})
```
### After (Correct)
```javascript
// β
Get token from Supabase session
const { data: { session } } = await supabase.auth.getSession()
fetch('/api/admin', {
headers: { Authorization: `Bearer ${session.access_token}` }
})
```
## MANDATORY: Progressive Context File Updates
β οΈ **This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.**
### Critical Rule: Write As You Go
**DO NOT** batch all writes at the end. Instead:
1. **Before starting any action** β Log the action to `.sb-pentest-audit.log`
2. **After each discovery** β Immediately update `.sb-pentest-context.json`
3. **After each significant step** β Log completion to `.sb-pentest-audit.log`
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
### Required Actions (Progressive)
1. **Update `.sb-pentest-context.json`** with extracted data:
```json
{
"jwts": {
"found": 3,
"api_keys": [ ... ],
"user_tokens": [ ... ],
"storage_patterns": [ ... ]
}
}
```
2. **Log to `.sb-pentest-audit.log`**:
```
[TIMESTAMP] [supabase-extract-jwt] [START] Beginning JWT extraction
[TIMESTAMP] [supabase-extract-jwt] [SUCCESS] Found 3 JWTs
[TIMESTAMP] [supabase-extract-jwt] [CONTEXT_UPDATED] .sb-pentest-context.json updated
```
3. **If files don't exist**, create them before writing.
**FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.**
## MANDATORY: Evidence Collection
π **Evidence Directory:** `.sb-pentest-evidence/02-extraction/`
### Evidence Files to Create
| File | Content |
|------|---------|
| `extracted-jwts.json` | All JWTs found with analysis |
### Evidence Format
```json
{
"evidence_id": "EXT-JWT-001",
"timestamp": "2025-01-31T10:08:00Z",
"category": "extraction",
"type": "jwt_extraction",
"jwts_found": [
{
"type": "anon_key",
"severity": "info",
"location": "/static/js/main.js:1247",
"decoded_payload": {
"iss": "supabase",
"ref": "abc123def",
"role": "anon"
}
},
{
"type": "hardcoded_user_token",
"severity": "P1",
"location": "/static/js/debug.js:45",
"decoded_payload": {
"sub": "[REDACTED]",
"email": "[REDACTED]@example.com",
"role": "authenticated",
"exp": "2025-01-15T11:00:00Z"
},
"expired": true,
"issue": "Hardcoded user token with PII"
}
],
"storage_patterns_found": [
{
"pattern": "localStorage.getItem('sb-abc123def-auth-token')",
"location": "/static/js/auth.js:89"
}
]
}
```
## Related Skills
- `supabase-extract-anon-key` β Specifically extracts the anon key
- `supabase-extract-service-key` β Checks for service key (critical)
- `supabase-audit-auth-config` β Analyzes auth configuration