JWT Decoder for Supabase Auth Tokens
Quick Answer: Paste a Supabase JWT to examine claims used by Row Level Security (RLS): sub (user UUID), role (authenticated/anon), email, user_metadata, and app_metadata. Supabase uses the JWT role claim to determine which RLS policies apply.
FAQ
How does Supabase use JWT claims for RLS?
Supabase passes the JWT role to PostgreSQL via set_config. RLS policies use auth.uid() (derived from the sub claim) and auth.jwt() to access claims. The role claim determines which database role is used.
What is the Supabase JWT secret?
The JWT secret is found in Project Settings > API > JWT Secret. It is used to sign and verify tokens. Never expose it client-side. The anon and service_role keys are pre-signed JWTs, not the secret itself.
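Added example (not part of the original page and not Supabase's own code): decoding a token shows the claims RLS relies on, but only verification against the JWT secret proves they are authentic. It assumes an HS256-signed token; the secret, UUID and email are constructed sample values, and the function names are illustrative.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values: not a real project secret or user.
SECRET = b"constructed-demo-secret"
CLAIMS = {"sub": "00000000-0000-4000-8000-000000000001", "role": "authenticated",
          "email": "user@example.com", "user_metadata": {}, "app_metadata": {},
          "exp": 4102444800}  # 2100-01-01T00:00:00Z

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_hs256(claims, secret):
    """Build a sample token; used here only to create test input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def decode_unverified(token):
    """What a decoder shows: header and claims, with no proof of authenticity."""
    head, body, _sig = token.split(".")  # ValueError unless exactly 3 segments
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def verify_hs256(token, secret, now=None):
    """Return claims only if the alg, signature and exp all check out."""
    header, claims = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # do not let the token pick the alg
    signed_part, sig = token.rsplit(".", 1)
    expected = hmac.new(secret, signed_part.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def rls_claims(claims):
    """The claims the page lists as relevant to RLS."""
    keys = ("sub", "role", "email", "user_metadata", "app_metadata")
    return {k: claims.get(k) for k in keys}

if __name__ == "__main__":
    token = sign_hs256(CLAIMS, SECRET)
    print(rls_claims(decode_unverified(token)[1]))   # readable by anyone
    print(verify_hs256(token, SECRET)["role"])       # trusted only after this
```

A payload edited after signing still decodes cleanly, which is why the decoded view alone must never drive an authorization decision.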