Skip to content
BlurFirst

How to Blur the Supabase Dashboard During Screen Sharing (Hide API Keys & User Data)

7 min read

Demoing your Supabase backend on a call? Here's how to hide the project URL and reference, the anon and service_role keys, the database connection string and password, Table Editor rows and the Auth users list before you share your screen.

To hide API keys and data in the Supabase dashboard during a screen share, blur the sensitive items in the page before you present — the project URL and reference on the API settings page, the anon and service_role keys, the database connection string and password, and the rows of user PII in the Table Editor. BlurFirst paints each blur into the page as real pixels, so it survives Zoom, Google Meet, Microsoft Teams, Loom, OBS and even a screenshot of the shared feed.

Supabase is a browser-based dashboard that re-renders as you move between the Table Editor, SQL editor and settings, so lean on anchored region blurs for the fixed chrome — the project name in the top-left and the project switcher — and use element blur or Scan for individual values like the service_role key. Start blurring with Ctrl/⌘ ⇧ Y and keep the panic hotkey Ctrl/⌘ ⇧ H ready for a query result full of emails.

What the Supabase dashboard exposes

  • Project URL and reference — the project name and its reference in https://abcdefgh.supabase.co, shown in the top-left and on the API page; it identifies your backend and is baked into every request.
  • anon and service_role keys — under Settings > API, the anon public key and especially the service_role key, which bypasses Row Level Security and grants full read/write to your database.
  • Connection string and password — under Settings > Database, the Postgres connection string with host, port, user and the database password.
  • Table Editor rows — real user data: names, emails, phone numbers, addresses, Stripe customer IDs and anything else in your users, profiles or orders tables.
  • Auth users list — under Authentication > Users, the full list of registered users with their email addresses, providers, and user UUIDs.
  • SQL editor — queries and their results that print PII to the screen, plus saved snippets that embed table and column names.
  • Project name — chosen by you, it often names the client or product and appears across the sidebar and project switcher.

Blur the Supabase dashboard step by step

  1. 1

    Open the page you'll present

    Navigate to the Table Editor, SQL editor or the exact settings page before the call, so you never open Settings > API live with the service_role key on screen.

  2. 2

    Box-blur the project name and switcher

    Drag a box over the top-left project name and the project switcher so the name and reference stay hidden. The anchored region blur keeps covering that chrome as the dashboard re-renders.

  3. 3

    Element-blur keys and the connection string

    On Settings > API, click the anon and service_role key values to frost them; do the same for the connection string and password on Settings > Database. Don't click the copy/reveal control on the call.

  4. 4

    Run Scan across data and queries

    One click runs Scan (Pro), which detects email, phone, credit-card and API-key patterns locally and blurs them — ideal for a Table Editor grid or a SQL result full of user emails. It won't treat a UUID, a table name or the project reference as a pattern, so blur those yourself.

  5. 5

    Keep panic ready for query results

    If you run a query and it returns a screenful of PII, press Ctrl/⌘ ⇧ H to blur the whole page instantly, then reveal only the columns that are safe to show.

Sensitive itemWhere it appearsBest gesture
Project URL + referenceTop-left, Settings > APIBox-blur the project chrome
anon + service_role keysSettings > APIElement blur; don't reveal live
Connection string + passwordSettings > DatabaseElement blur
User rows (PII)Table EditorScan, or box-blur the grid
Auth users + emailsAuthentication > UsersScan, or element blur per row
What to hide in the Supabase dashboard, and how.

Why RLS and a private project don't cover a screen share

Row Level Security and a project only your team can log into control who can query the data and with which key. On a screen share the signed-in user is *you*, in the dashboard, where the service_role key is printed in full on the settings page and RLS is not what stands between the audience and your data. Those controls gate database access; they say nothing about what a person watching your screen reads. In-page blurring works at the presentation layer instead — it controls what the viewer sees, regardless of your keys or policies. And if the service_role key was ever shown on a recording, rotate it.

Save your Supabase blurs for next time

If you demo or debug from the dashboard regularly, set the structural blurs once and let BlurFirst Pro's per-site auto-apply re-apply them whenever you open supabase.com. Your box over the project name comes back automatically and survives the dashboard's re-rendering as you move between the Table Editor, SQL editor and settings. The profile stores only a CSS selector for each region, never the keys, connection string or user data inside it.

Frequently asked questions

Can I blur the API keys but still show the API settings page?

Yes. Element-blur the anon and service_role key values, or box-blur the keys area. The endpoint URL structure and the rest of the page stay visible, and you can reveal an element with a click. Don't click Supabase's copy/reveal control on the call.

How do I hide a whole table of user data quickly?

Run Scan (Pro) to blur emails, phone numbers and card-like patterns across the grid in one click, or box-blur the Table Editor result area. For a specific column, element-blur its cells. Panic (Ctrl/⌘ ⇧ H) hides everything instantly if a query returns more than you expected.

Does Scan detect the service_role key?

Scan detects API-key patterns locally and blurs many of them, but treat the key as sensitive regardless. Element-blur it yourself on the Settings > API page rather than relying on detection, and never reveal it live.

If a key appeared on a recording, is blurring enough?

Blurring protects the live call and screenshots of the shared feed, but if a service_role or anon key was ever exposed elsewhere, rotate it in Settings > API. Blurring hides what's on screen; it can't recall a key that already leaked.

Does anything I blur leave my browser?

No. BlurFirst runs entirely in the browser and only makes a license-check request. Scan runs locally, so your keys and user data never leave the page.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome