Rotating Anon, Service, and JWT Secrets
Last edited: 5/13/2026
This troubleshooting guide covers rotating the legacy anon and service_role API keys. We are deprecating the legacy keys and recommend migrating to the new API keys. To learn more about API keys, refer to the API documentation.
Once the JWT secret is regenerated, all current API secrets will be immediately invalidated, and all connections using them will be severed. You will need to deploy the new secrets for connections to begin working again. You can avoid downtime by migrating to the new API keys.
Have you ever accidentally committed a service key to a public repo? Or maybe rotating keys is just something you regularly do for security compliance. Whatever the reason, here's how to rotate the keys for your Supabase project.
If you haven’t migrated to asymmetric JWT signing keys:
We recommend that you migrate to asymmetric JWT signing keys and publishable/secret API keys as it is no longer possible to rotate the legacy anon, service and JWT secrets. You can view this Get Started guide for steps to migrate to asymmetric JWT signing keys.
If you have migrated to new symmetric JWT signing keys:
- Go to Project Settings → JWT Keys in the Supabase Dashboard.
- Navigate to the JWT Signing Keys tab.
- Click on Rotate Keys. This will move the current key to “Previously used keys”.
- Select the three-dot icon (action icon) of your previously used key and click “Revoke”. If you do not “Revoke” the key, older keys will still be valid.
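
The rotate-then-revoke steps above, modelled in Python as an added example (not Supabase's code and not part of the original guide): a token signed with the old key keeps verifying after rotation and is rejected only once that key is revoked. The `Keyring` class, the `kid` names and the secrets are constructed for illustration, and HS256 is assumed for the symmetric signing key.

```python
import base64, hashlib, hmac, json

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, kid, secret):
    """Issue an HS256 JWT whose header names the signing key via `kid`."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = ".".join(_b64(json.dumps(part).encode()) for part in (header, claims))
    return body + "." + _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())

class Keyring:
    """Constructed model: rotate() only demotes a key, revoke() stops trusting it."""
    def __init__(self, kid, secret):
        self.keys = {kid: {"secret": secret, "state": "current"}}

    def rotate(self, new_kid, new_secret):
        for key in self.keys.values():
            key["state"] = "previous" if key["state"] == "current" else key["state"]
        self.keys[new_kid] = {"secret": new_secret, "state": "current"}

    def revoke(self, kid):
        self.keys[kid]["state"] = "revoked"

    def accepts(self, token):
        """True if the token was signed by a key that is not revoked."""
        try:
            head, claims, sig = token.split(".")
            header = json.loads(_unb64(head))
            key = self.keys.get(header.get("kid"))
            if header.get("alg") != "HS256" or key is None or key["state"] == "revoked":
                return False
            mac = hmac.new(key["secret"], f"{head}.{claims}".encode(), hashlib.sha256)
            return hmac.compare_digest(mac.digest(), _unb64(sig))
        except (ValueError, TypeError, AttributeError):
            return False

def demo():
    """Old token accepted? [before rotate, after rotate, after revoke]"""
    ring = Keyring("key-old", b"constructed-old-secret")  # constructed values
    token = sign({"role": "service_role"}, "key-old", b"constructed-old-secret")
    seen = [ring.accepts(token)]
    ring.rotate("key-new", b"constructed-new-secret")
    seen.append(ring.accepts(token))
    ring.revoke("key-old")
    return seen + [ring.accepts(token)]
```

`demo()` returns `[True, True, False]`: the leaked token is still honoured between the Rotate and Revoke steps.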