Rotating Anon, Service, and JWT Secrets
Last edited: 1/8/2026
This troubleshooting guide is about rotating the Legacy anon and service_role API keys. We are deprecating Legacy API keys and recommend migrating to New API keys. To learn more about API keys, refer to the API documentation.
Once the JWT secret is regenerated, all current API secrets will be immediately invalidated, and all connections using them will be severed. You will need to deploy the new secrets for connections to begin working again. You can avoid downtime by migrating to new API Keys.
Have you ever accidentally committed a service key to a public repo? Or maybe rotating keys is just something you regularly do for security compliance. Whatever the reason, here's how to rotate the keys for your Supabase project.
If you haven’t migrated to asymmetric JWT signing keys:
- Go to Project Settings → JWT Keys in the Supabase Dashboard
- Navigate to the Legacy JWT Secret tab
- Click on Change Legacy Secret
- Click on Generate a random secret to let Supabase decide the JWT secret.
- Alternatively, click on Create my own secret to enter a custom JWT secret.
- You will see a Confirmation dialog. Read it through and confirm to proceed.
If you have migrated to new symmetric JWT signing keys:
- Go to Project Settings → JWT Keys in the Supabase Dashboard
- Navigate to the JWT Signing Keys tab.
- Click on Rotate Keys. This will move the current key to “Previously used keys”
- Select the three-dot icon (action icon) of your previously used key and click “Revoke”. If you do not “Revoke” the key, older keys will still be valid.
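After a Legacy JWT secret rotation, you can check offline which deployed keys were invalidated and still need replacing. This is an added example, not Supabase code: it assumes legacy anon and service_role keys are HS256 JWTs signed with the project JWT secret used as a UTF-8 string, and every secret, key and variable name in it is constructed for the demo.

```python
import base64, hashlib, hmac, json

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_key(role: str, secret: str) -> str:
    """Build a constructed HS256 key for the demo (not a real project key)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"role": role, "iss": "supabase"}).encode())
    return f"{header}.{payload}.{_b64url_encode(_sign(f'{header}.{payload}', secret))}"

def key_status(key: str, current_secret: str) -> str:
    """Return 'valid:<role>', 'stale' or 'malformed' for one deployed key."""
    try:
        header_b64, payload_b64, sig_b64 = key.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return "malformed"
    if header.get("alg") != "HS256":  # never trust another alg from the token
        return "malformed"
    # Constant-time comparison against the signature under the current secret.
    if not hmac.compare_digest(sig, _sign(f"{header_b64}.{payload_b64}", current_secret)):
        return "stale"  # signed with a different (rotated-out) secret
    return f"valid:{payload.get('role')}"

def audit(deployed: dict, current_secret: str) -> dict:
    """Map each deployed setting name to its key status."""
    return {name: key_status(key, current_secret) for name, key in deployed.items()}

# Constructed sample data: placeholder secrets and hypothetical setting names.
OLD_SECRET = "constructed-old-jwt-secret-0000000000"
NEW_SECRET = "constructed-new-jwt-secret-1111111111"
DEPLOYED = {
    "WEB_ANON_KEY": mint_key("anon", OLD_SECRET),             # not yet redeployed
    "WORKER_SERVICE_KEY": mint_key("service_role", NEW_SECRET),
    "CRON_SERVICE_KEY": "not-a-jwt",
}

if __name__ == "__main__":
    for name, status in audit(DEPLOYED, NEW_SECRET).items():
        print(f"{name}: {status}")
```

The check covers the signature only; it does not evaluate the exp claim or contact the project.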