Is it okay to expose the API KEY and URL to users?

[Wunhyeon]

Hello, I am currently working on implementing OAuth login for a Chrome extension. Docs

This documentation does not include a section on creating a Supabase client, so I created it myself within this file.

import { createClient } from "@supabase/supabase-js";
const SUPABASE_KEY ="My Supabase API KEY";
const SUPABASE_URL = "My Supabase URL";

const supabase = createClient(SUPABASE_URL, SUPABASE_KEY, {
  global: { fetch: fetch.bind(globalThis) },
  auth: {
    // storage: localforage,
    persistSession: true,
  },
});

when creating the Supabase client, the API KEY and URL are required.

Since Chrome extensions don’t have something like .env files for managing environment variables, my Supabase project's API KEY and URL will be exposed to users.
Is it safe to expose them?

++Additionally, do you know where the session cookie is stored in a Chrome extension?
I've checked service-worker under Application > Local Storage and Cookies,
as well as the same under the popup context, but I haven't been able to find it

[GaryAustin1]

It is normal to have the URL and ANON key exposed and it will be if the REST API is used from a browser. To not have it exposed you would have to run all Supabase calls from your own server.
You do need to have RLS on your tables though.

Supabase-js does not use a cookie for storing data and uses local storage for saving the user session info.