DRAFT: (breaking change) createAdminClient()

[kiwicopple]

throws an error if the user runs createClient() with a service_role key

This is a spike for internal discussion. It would be considered a breaking change as developers would need to change their Adming init code from

import { createClient } from '@supabase/supabase-js'

const admin = createClient('SUPABASE_URL', 'SERVICE_ROLE_KEY')

to

import { createAdminClient } from '@supabase/supabase-js'

const admin = createAdminClient('SUPABASE_URL', 'SERVICE_ROLE_KEY')

[coveralls]

Pull Request Test Coverage Report for Build 12400374958

Details

• 18 of 19 (94.74%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+2.4%) to 70.0%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
src/index.ts	18	19	94.74%

Totals
Change from base Build 12389444550:	2.4%
Covered Lines:	117
Relevant Lines:	147

---

💛 - Coveralls

[kiwicopple]

Since this is a breaking change - for now, perhaps we start simply with a prominent warning and then in the next major bump we make it an error.

console.log(
  '%c⚠️ WARNING ⚠️',
  'color: white; background-color: red; font-size: 20px; font-weight: bold; padding: 5px 10px;'
);
console.log(
  '%cYou are using a Supabase admin key in a browser environment. This poses a serious security risk and could expose your database to unauthorized access. Use createAdminClient() instead. This warning will be elevated to an error 1 July 2025.',
  'color: red; font-size: 16px; font-weight: bold;'
);

[grdsdev]

Yes @kiwicopple preferable to go first with the warning

[kiwicopple]

Discussed internally - we are going to raise these alerts in the API logs inside the project dashboard (and email users). This is more targeted to the developer who is building the project