Performing administration tasks on the server side with a secret key

Last edited: 4/20/2026

By default, server side rendering (SSR) does not permit the use of a secret key. This restriction is in place to prevent the accidental exposure of your secret key to the public. Since SSR runs on both the server and client side, it becomes challenging to separate the key specifically for client-side usage.

However, there is a solution. You can create a separate Supabase client using the createClient method from @supabase/supabase-js and provide it with the secret key. In a server environment, you will also need to disable certain properties to ensure proper functionality. See the example code below for the required settings.

By implementing this approach, you can safely utilize the secret key without compromising security or exposing sensitive information to the public.

1
import { createClient } from '@supabase/supabase-js'
2
3
const supabase = createClient(supabaseUrl, secretKey, {
4
  auth: {
5
    persistSession: false,
6
    autoRefreshToken: false,
7
    detectSessionInUrl: false,
8
  },
9
})