What is RLS Exposed Endpoint Check?
RLS Exposed Endpoint Check is the Scavio security endpoint that accepts a Supabase project URL and reports which tables are reachable via the public REST API without row-level security policies enforced. The check uses only the public anon key path, so it never sees private credentials. It returns a per-table verdict (exposed, protected, not-reachable) plus a row-count probe for exposed tables, so engineers can triage the blast radius immediately.
Example Response
{
  "project": "xyz.supabase.co",
  "tables": [
    { "name": "users", "status": "exposed", "row_sample": 3 },
    { "name": "orders", "status": "protected" }
  ]
}
Use Cases
- Supabase security audits
- Pre-launch security review for agent backends
- Continuous monitoring for config drift
- Bug bounty researchers validating findings
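The verdict logic described above, as an added Python example that is not Scavio's code: the HTTP fetch is injected so the classifier runs offline against constructed responses, the report takes the Example Response shape, and a helper lists the tables a drift-monitoring job should fail on. It assumes standard PostgREST behaviour (200 with rows when the anon role can read, 200 with an empty array when RLS denies the select, a non-200 status when the table is not reachable).

```python
import json
from typing import Callable, Dict, List, Tuple

# fetch(project_url, table) -> (http_status, body_text); injected so the verdict
# logic runs offline against constructed responses in the test harness.
Fetcher = Callable[[str, str], Tuple[int, str]]

def classify(status: int, body: str) -> Dict:
    """One PostgREST response -> per-table verdict (assumed PostgREST semantics).
    200 + rows -> exposed (anon role reads data: RLS off or an open policy)
    200 + []   -> protected (RLS denied the select) OR the table is just empty;
                  this probe cannot tell the two apart, so review those manually
    anything else (401 bad key, 404 not in exposed schema, ...) -> not-reachable
    """
    if status != 200:
        return {"status": "not-reachable", "http": status}
    try:
        rows = json.loads(body)
    except json.JSONDecodeError:
        return {"status": "not-reachable", "http": status}
    if isinstance(rows, list) and rows:
        return {"status": "exposed", "row_sample": len(rows)}
    return {"status": "protected"}

def audit(project_url: str, tables: List[str], fetch: Fetcher) -> Dict:
    """Report in the same shape as the Example Response above."""
    host = project_url.replace("https://", "").rstrip("/")
    return {"project": host, "tables": [
        {"name": t, **classify(*fetch(project_url, t))} for t in tables]}

def exposed_tables(report: Dict) -> List[str]:
    """Names to fail a CI or drift-monitoring run on, largest row sample first."""
    hits = [t for t in report["tables"] if t["status"] == "exposed"]
    return [t["name"] for t in sorted(hits, key=lambda t: -t["row_sample"])]

# Constructed responses standing in for a live project (not real data).
FAKE = {"users": (200, '[{"id":1},{"id":2},{"id":3}]'),
        "orders": (200, "[]"), "audit_log": (404, '{"message":"not found"}')}
fake_fetch: Fetcher = lambda _url, table: FAKE[table]

if __name__ == "__main__":
    print(json.dumps(audit("https://xyz.supabase.co", list(FAKE), fake_fetch)))
```

A live run replaces `fake_fetch` with a function that GETs `/rest/v1/<table>` on your own project with its anon key; treat every "protected" verdict with an empty table as unconfirmed until you have checked the policy directly.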
Why RLS Exposed Endpoint Check Matters
Row-level security is opt-in on Supabase and the most common cause of data leaks among agent startups in 2025 to 2026; an automated check catches misconfigurations before attackers do.
LangChain Example
Pull RLS Exposed Endpoint Check results into your LangChain agent in a few lines:
import scavio  # assumed: the package that exposes scavio.security

report = scavio.security.supabase_rls_check(project_url="https://xyz.supabase.co")