feat: rename anon key → publishable key, service role key → secret key (#1360)

* feat: rename anon key to publishable key and service role key to secret key

Renames all references to align with Supabase's updated key naming convention:
- `anonKey` parameter → `publishableKey` in Supabase.initialize() and _init()
- `supabaseAnonKey` → `supabasePublishableKey` (internal parameter)
- `ANON_KEY` / `SUPABASE_ANON_KEY` → `PUBLISHABLE_KEY` / `SUPABASE_PUBLISHABLE_KEY` in examples, docs, and infra config
- `service_role` key references in doc comments → `secret` key
- Test variables `anonToken` → `publishableToken` in gotrue tests

JWT role claims (`'role': 'service_role'`) are left unchanged as they are
internal backend values unrelated to the key naming convention.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: deprecate anonKey instead of hard-removing it, revert ANON_KEY env var rename

- Keep anonKey as @deprecated in Supabase.initialize() so existing callers
  continue to compile; they receive a deprecation warning pointing to publishableKey.
  An assert enforces that at least one of the two is supplied.
- Revert ANON_KEY → PUBLISHABLE_KEY in docker-compose: the storage binary reads
  ANON_KEY by name, renaming it silently breaks the service.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: apply dart format to changed files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor: rename publishableKey to supabaseKey in public API

The key passed to Supabase.initialize() can be either a publishable key
(anon) or a secret key depending on the use case, so the parameter name
should not imply a specific key type. Aligns with SupabaseClient which
already uses supabaseKey as its positional argument.

- Rename publishableKey parameter -> supabaseKey in Supabase.initialize()
- Update deprecated anonKey message to reference supabaseKey
- Update all call sites in tests, examples, docs, and CHANGELOG
- Revert internal gotrue test variable names back to anonToken (they
  represent the anonymous JWT, unrelated to the public API rename)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: rename _init param supabasePublishableKey to supabaseKey, use SUPABASE_PUBLISHABLE_KEY in example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor: publishableKey for flutter package, supabaseKey for dart package; revert CHANGELOG edits

- Supabase.initialize() (supabase_flutter): rename supabaseKey → publishableKey.
  Flutter apps are client-side and should always use the publishable (anon)
  key, matching the label shown on the Supabase dashboard.
- SupabaseClient (supabase): keep supabaseKey as-is. The dart package is used
  in both client and server contexts, so the generic name is appropriate.
- Add a note to SupabaseClient doc distinguishing publishable vs secret usage.
- Revert all CHANGELOG modifications — historical entries should not be
  refactored.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: grdsdev

AGENTS.md

@@ -196,7 +196,7 @@ For integration testing, you may want to point to a local Supabase instance:
 ```dart
 await Supabase.initialize(
   url: 'http://localhost:54321',
-  anonKey: 'your-local-anon-key',
+  publishableKey: 'your-local-supabase-key',
 );
 ```
 

packages/functions_client/lib/src/functions_client.dart

@@ -83,7 +83,7 @@ class FunctionsClient {
   /// final fetchClient = FetchClient(mode: RequestMode.cors);
   /// await Supabase.initialize(
   ///   url: supabaseUrl,
-  ///   anonKey: supabaseKey,
+  ///   publishableKey: supabaseKey,
   ///   httpClient: fetchClient,
   /// );
   /// ```

packages/gotrue/lib/src/gotrue_admin_api.dart

@@ -59,7 +59,7 @@ class GoTrueAdminApi {
 
   /// Creates a new user.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key on the client.
+  /// This function should only be called on a server. Never expose your `secret` key on the client.
   ///
   /// Requires either an email or phone
   Future<UserResponse> createUser(AdminUserAttributes attributes) async {
@@ -75,11 +75,11 @@ class GoTrueAdminApi {
     return UserResponse.fromJson(response);
   }
 
-  /// Delete a user. Requires a `service_role` key.
+  /// Delete a user. Requires a `secret` key.
   ///
   ///  [id] is the user id of the user you want to remove.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key on the client.
+  /// This function should only be called on a server. Never expose your `secret` key on the client.
   Future<void> deleteUser(String id) async {
     validateUuid(id);
     final options = GotrueRequestOptions(headers: _headers);
@@ -92,7 +92,7 @@ class GoTrueAdminApi {
 
   /// Get a list of users.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key on the client.
+  /// This function should only be called on a server. Never expose your `secret` key on the client.
   ///
   /// The result is paginated. Use the [page] and [perPage] parameters to paginate the result.
   Future<List<User>> listUsers({int? page, int? perPage}) async {

packages/gotrue/lib/src/gotrue_admin_oauth_api.dart

@@ -65,7 +65,7 @@ class GoTrueAdminOAuthApi {
   /// Lists all OAuth clients with optional pagination.
   /// Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key in the browser.
+  /// This function should only be called on a server. Never expose your `secret` key in the browser.
   Future<OAuthClientListResponse> listClients({
     int? page,
     int? perPage,
@@ -88,7 +88,7 @@ class GoTrueAdminOAuthApi {
   /// Creates a new OAuth client.
   /// Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key in the browser.
+  /// This function should only be called on a server. Never expose your `secret` key in the browser.
   Future<OAuthClientResponse> createClient(
     CreateOAuthClientParams params,
   ) async {
@@ -107,7 +107,7 @@ class GoTrueAdminOAuthApi {
   /// Gets details of a specific OAuth client.
   /// Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key in the browser.
+  /// This function should only be called on a server. Never expose your `secret` key in the browser.
   Future<OAuthClientResponse> getClient(String clientId) async {
     validateUuid(clientId);
 
@@ -125,7 +125,7 @@ class GoTrueAdminOAuthApi {
   /// Updates an existing OAuth client.
   /// Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key in the browser.
+  /// This function should only be called on a server. Never expose your `secret` key in the browser.
   Future<OAuthClientResponse> updateClient(
     String clientId,
     UpdateOAuthClientParams params,
@@ -147,7 +147,7 @@ class GoTrueAdminOAuthApi {
   /// Deletes an OAuth client.
   /// Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key in the browser.
+  /// This function should only be called on a server. Never expose your `secret` key in the browser.
   Future<OAuthClientResponse> deleteClient(String clientId) async {
     validateUuid(clientId);
 
@@ -165,7 +165,7 @@ class GoTrueAdminOAuthApi {
   /// Regenerates the secret for an OAuth client.
   /// Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
   ///
-  /// This function should only be called on a server. Never expose your `service_role` key in the browser.
+  /// This function should only be called on a server. Never expose your `secret` key in the browser.
   Future<OAuthClientResponse> regenerateClientSecret(String clientId) async {
     validateUuid(clientId);
 

packages/supabase/example/web/main.dart

@@ -5,7 +5,7 @@ import 'package:web/web.dart' as web;
 
 void main() {
   const supabaseUrl = 'YOUR_SUPABASE_URL';
-  const supabaseKey = 'YOUR_ANON_KEY';
+  const supabaseKey = 'YOUR_SUPABASE_KEY';
   final supabase = SupabaseClient(supabaseUrl, supabaseKey);
 
   final element = web.document.querySelector('#output') as web.HTMLDivElement;
@@ -16,10 +16,8 @@ void main() {
 
 void exampleUsage(SupabaseClient supabase) async {
   // query data
-  final data = await supabase
-      .from('countries')
-      .select()
-      .order('name', ascending: true);
+  final data =
+      await supabase.from('countries').select().order('name', ascending: true);
   print(data);
 
   // insert data
@@ -76,15 +74,13 @@ void exampleUsage(SupabaseClient supabase) async {
   print('upload response : $storageResponse');
 
   // Get download url
-  final urlResponse = await supabase.storage
-      .from('public')
-      .createSignedUrl('example.txt', 60);
+  final urlResponse =
+      await supabase.storage.from('public').createSignedUrl('example.txt', 60);
   print('download url : $urlResponse');
 
   // Download text file
-  final fileResponse = await supabase.storage
-      .from('public')
-      .download('example.txt');
+  final fileResponse =
+      await supabase.storage.from('public').download('example.txt');
   print('downloaded file : ${String.fromCharCodes(fileResponse)}');
 
   // Delete file

packages/supabase/lib/src/supabase_client.dart

@@ -14,6 +14,8 @@ import 'counter.dart';
 /// Creates a Supabase client to interact with your Supabase instance.
 ///
 /// [supabaseUrl] and [supabaseKey] can be found on your Supabase dashboard.
+/// Pass the `publishable` (anon) key for client-side usage or the `secret`
+/// key for trusted server-side environments.
 ///
 /// You can access none public schema by passing different [schema].
 ///

packages/supabase_flutter/README.md

@@ -27,7 +27,7 @@ void main() async {
 
   await Supabase.initialize(
     url: SUPABASE_URL,
-    anonKey: SUPABASE_ANON_KEY,
+    publishableKey: SUPABASE_KEY,
   );
 
   runApp(MyApp());

packages/supabase_flutter/example/lib/main.dart

@@ -2,7 +2,8 @@ import 'package:flutter/material.dart';
 import 'package:supabase_flutter/supabase_flutter.dart';
 
 Future<void> main() async {
-  await Supabase.initialize(url: 'SUPABASE_URL', anonKey: 'SUPABASE_ANON_KEY');
+  await Supabase.initialize(
+      url: 'SUPABASE_URL', publishableKey: 'SUPABASE_PUBLISHABLE_KEY');
   runApp(const MyApp());
 }
 

packages/supabase_flutter/lib/src/supabase.dart

@@ -52,7 +52,9 @@ class Supabase {
   /// This must be called only once. If called more than once, an
   /// [AssertionError] is thrown
   ///
-  /// [url] and [anonKey] can be found on your Supabase dashboard.
+  /// [url] and [publishableKey] can be found on your Supabase dashboard.
+  /// Use the `publishable` (anon) key here — never the secret key in a
+  /// Flutter app.
   ///
   /// You can access none public schema by passing different [schema].
   ///
@@ -76,7 +78,11 @@ class Supabase {
   /// If [debug] is set to `true`, debug logs will be printed in debug console. Default is `kDebugMode`.
   static Future<Supabase> initialize({
     required String url,
-    required String anonKey,
+    String? publishableKey,
+    @Deprecated(
+      'Use publishableKey instead. anonKey will be removed in a future major version.',
+    )
+    String? anonKey,
     Map<String, String>? headers,
     Client? httpClient,
     RealtimeClientOptions realtimeClientOptions = const RealtimeClientOptions(),
@@ -86,6 +92,12 @@ class Supabase {
     Future<String?> Function()? accessToken,
     bool? debug,
   }) async {
+    assert(
+      publishableKey != null || anonKey != null,
+      'Either publishableKey or anonKey must be provided.',
+    );
+    final effectiveKey = publishableKey ?? anonKey!;
+
     if (_instance._isInitialized) {
       _log.info('Supabase is already initialized. Skipping reinitialization.');
       return _instance;
@@ -120,7 +132,7 @@ class Supabase {
     }
     _instance._init(
       url,
-      anonKey,
+      effectiveKey,
       httpClient: httpClient,
       customHeaders: headers,
       realtimeClientOptions: realtimeClientOptions,
@@ -193,7 +205,7 @@ class Supabase {
 
   void _init(
     String supabaseUrl,
-    String supabaseAnonKey, {
+    String supabaseKey, {
     Client? httpClient,
     Map<String, String>? customHeaders,
     required RealtimeClientOptions realtimeClientOptions,
@@ -208,7 +220,7 @@ class Supabase {
     };
     client = SupabaseClient(
       supabaseUrl,
-      supabaseAnonKey,
+      supabaseKey,
       httpClient: httpClient,
       headers: headers,
       realtimeClientOptions: realtimeClientOptions,

packages/supabase_flutter/test/auth_test.dart

@@ -46,7 +46,7 @@ void main() {
 
         await Supabase.initialize(
           url: supabaseUrl,
-          anonKey: supabaseKey,
+          publishableKey: supabaseKey,
           debug: false,
           authOptions: FlutterAuthClientOptions(
             localStorage: mockStorage,
@@ -67,7 +67,7 @@ void main() {
           () async {
         await Supabase.initialize(
           url: supabaseUrl,
-          anonKey: supabaseKey,
+          publishableKey: supabaseKey,
           debug: false,
           authOptions: FlutterAuthClientOptions(
             localStorage: MockEmptyLocalStorage(),
@@ -94,7 +94,7 @@ void main() {
 
         await Supabase.initialize(
           url: supabaseUrl,
-          anonKey: supabaseKey,
+          publishableKey: supabaseKey,
           debug: false,
           authOptions: FlutterAuthClientOptions(
             localStorage: corruptedStorage,
@@ -112,7 +112,7 @@ void main() {
 
         await Supabase.initialize(
           url: supabaseUrl,
-          anonKey: supabaseKey,
+          publishableKey: supabaseKey,
           debug: false,
           authOptions: FlutterAuthClientOptions(
             localStorage: emptyStorage,