Upcoming changes to Supabase API Keys

[kangmingtay]

Timestamp	Latest Update
17th June 2025	Early access to new API keys launched, available on all projects. Please give them a try and raise any issues in this discussion for the team to fix or address.

We’re changing the way API keys work in Supabase to improve your project’s security and developer experience. Refer to the timetable below for key dates and info on actions you may need to take in the future.

This change starts out as early preview and is opt-in. No action necessary until at least 1st November 2025. We strongly encourage you to give the new API keys a try!

What's the change?

These are the planned changes for the API keys:

• anon and service_role keys remain available for use.
• A single publishable key with the form sb_publishable_... can be used to replace the anon key.
• You can create multiple secret keys with the form sb_secret_.... You can also choose not to have a secret key if you don’t need one. Secret keys replace the service_role key.
• You can disable and re-enable the anon and service_role keys, as needed during the migration period.

Summarized, there are 4 types of API keys that can now be used with Supabase. This chart should illustrate it better:

Type	Format	Privileges	Availability	Use
Publishable key	sb_publishable_...	Low	Platform	Safe to expose online: web page, mobile or desktop app, GitHub actions, CLIs, source code.
Secret keys	sb_secret_...	Elevated	Platform	Only use in backend components of your app: servers, already secured APIs (admin panels), Edge Functions, microservices, etc. They provide full access to your project's data, bypassing Row Level Security.
anon	JWT (long lived)	Low	Platform, CLI	Exactly like the publishable key.
service_role	JWT (long lived)	Elevated	Platform, CLI	Exactly like secret keys.

Timetable

Key Dates	Description	User Action Needed
June 2025	Early preview and Introduction of new API keys. New projects will automatically generate both new API keys and legacy API keys to help ease the transition. Existing projects can continue to use the legacy API keys and can opt in to use the new API keys by manually generating them.	No immediate action needed. We recommend trying them out and preparing your projects for a future migration.
July 2025	Full feature launch of new API keys. Feedback and issues seen in the early preview period to be resolved.	No immediate action needed. We strongly recommend that you migrate to use the new API keys or start planning for it. Dashboard and docs will focus on new API keys.
November 2025	We will start sending you monthly reminders to migrate off legacy API keys and start using the new keys. Projects restored from 1st November 2025 will no longer be restored with the legacy API keys. New projects no longer have anon and service_role available for use.	You are highly encouraged to migrate off to use the new API keys before this date since paused projects that are restored risk being broken as they won’t have the legacy keys.
Late 2026, TBC	Legacy API keys will be deleted and removed from the Docs / Dashboard.	You have to migrate to use the new API keys by this point or your app will break.

Why are we doing this?

Since the start of Supabase, the JWT-based anon and service_role keys were the right trade-off between simplicity and relative security for your project. Unfortunately they pose some real challenges in live applications, especially around rotation and security best practices.

The main reasons for making this change are:

• Tight coupling between the JWT secret (which itself can be compromised, if you mint your own JWTs) and the anon (low privilege), service_role (high privilege), and authenticated (issued by Supabase Auth) Postgres roles.
• Inability to independently rotate each aspect of the keys, without downtime.
• Inability to roll-back an unnecessary or problematic JWT secret rotation.
• Publishing new versions of mobile applications can take days and often weeks in the app review phase with Apple's App Store and Google's Play Store. A forced rotation can cause weeks of downtime for mobile app users.
• Users may continue using desktop, CLI and mobile apps with very old versions, making rotation impossible without a forced version upgrade.
• JWTs had 10-year expiry duration, giving malicious actors more to work with.
• JWTs were self-referential and full of redundant information not necessary for achieving their primary purpose.
• JWTs are large, hard to parse, verify, and manipulate -- leading to insecure logging or bad security practices.
• They were signed with a symmetric JWT secret, preventing future development of Auth features.

Start using the new API keys

It’s easy to start using the new API keys. You can opt in in the Supabase dashboard. This will create the default publishable key and a single secret API key.

For the most part, you can substitute the sb_publishable_... and sb_secret_... values anywhere you used the anon and service_role keys respectively. They work roughly the same in terms of permissions and data access.

You can initialize any version of the Supabase Client libraries with the new values without any additional changes, and we don't expect any backward compatibility issues.

Key differences to be aware of

We've redesigned how the Supabase hosted platform deals with API keys with a few key goals:

• Advanced and enterprise-ready security features
• Zero-downtime rotation
• Solid foundations for the introduction of asymmetric JWT support and other Auth features requiring this

To achieve these, the new API keys have some subtle differences from anon and publishable:

• Permission and access control. Secret keys are hidden by default and need to be individually "revealed." Each event appears in your organization's Audit Log.
• Instant revocation. By deleting a secret key it is instantly revoked.
• Forbidden use in a browser. Using a secret key in a browser is no longer possible and will always fail with HTTP 401 Unauthorized.
• Limitation with Realtime: Connections last 24 hours when there’s no signed in user, or when using a secret key. Sign users in to extend connections indefinitely.
• Limitation with Edge Functions: Edge Functions provide the option --no-verify-jwt which means they can be called without knowing any API key. You will need to apply this option to functions you are protecting without it.
• Use of the Authorization header. It is no longer possible to use a publishable or secret key inside the Authorization header — because they are not a JWT. Instead pass in the user’s JWT, or leave the header empty. For backward compatibility, it is only allowed if the value in the header exactly matches the value in the apikey header.

We believe these limitations are minor and not likely to impact even a single-digit percentage of existing customers. Should you find any additional limitation do not hesitate to bring it up in this discussion or via Supabase Support.

[Peterksharma]

Is this live?

[j4w8n]

It is not live yet. There's been no further timelines, aside from "Q4".

[kangmingtay]

Hi @Peterksharma and @j4w8n, we've updated the discussion:

Update: Changes to Supabase API Keys will not be released in Q4 2024 because it needs further development work. We will finalize the timeline and announce the updated timeline in Q1 2025.

[hf]

It is now.

[StevenStavrakis]

Dang. I was looking forward to an improved auth flow.

[hodakl099]

Dang. I was looking forward to an improved auth flow.

Dang it me too!!!

[sdocquir]

Would love to get an updated timeline for this, even if it's Q2/3/4 2025

[zachwaterstories]

Also looking for a timeline here. Any info - is helpful for our roadmap.

[o1Suleyman]

Supabase really needs to focus up on this. It's hampering their adoption

[StevenStavrakis]

@o1Suleyman Don't worry, they'll ship five more AI features that barely work and no one uses, instead.

[sourman]

I found the assistants integration in supabase one the best integration by far. Helps me as I am an SQL noob

[Mandalorian007]

Will these custom api keys work for creating a rest api on an edge function and letting user authorize with an api key?

[kengokawano]

Existing projects can continue to use the legacy API keys and can opt in to use the new API keys by manually generating them.

How can I manually generate the new API keys for an existing project?

[GaryAustin1]

@kengokawano you have to generate a new JWT secret. All keys will change and need to be updated where you have applied them.

[jhwheeler]

@GaryAustin1 Are you sure about this? When we did this, it created a new set of legacy anon/service_role keys, rather than the new standard of publishable/secret keys.

@kengokawano Based on the discussion, this is not live yet (see this comment: https://github.com/orgs/supabase/discussions/29260#discussioncomment-11612891).

[j4w8n]

@jhwheeler, Gary is correct in how it's done for an existing project, but you are correct that it won't work yet because they haven't released the feature.

I think Gary was just trying to give a straight answer to the question @kengokawano was asking.

[GaryAustin1]

Yes, I read his question as how to generate new keys currently. Not how to generate THE new keys. Sorry for the confusion.

[jhwheeler]

Thank you for clarifying!

[Sohrab-tech1]

Is there an updated timeline for the new keys, if not when can there be one?

[CalvinWilkinson]

Quick question:

I have some migrations where I created a public.user table and in the sql it is using the term service_role for the permission. With the service_role being replaced by secret, I assume that migrations will not work and need to be updated?

Do we just swap out the word service_role with secret and we are good to go?

Here is the sql:

create table "public"."user" (
    "id" uuid not null default gen_random_uuid(),
    "created_at" timestamp with time zone not null default now(),
    "email" text not null,
    "first_name" text not null,
    "last_name" text not null
);


alter table "public"."user" enable row level security;

CREATE UNIQUE INDEX user_pkey ON public."user" USING btree (id);

alter table "public"."user" add constraint "user_pkey" PRIMARY KEY using index "user_pkey";

grant delete on table "public"."user" to "anon";

grant insert on table "public"."user" to "anon";

grant references on table "public"."user" to "anon";

grant select on table "public"."user" to "anon";

grant trigger on table "public"."user" to "anon";

grant truncate on table "public"."user" to "anon";

grant update on table "public"."user" to "anon";

grant delete on table "public"."user" to "authenticated";

grant insert on table "public"."user" to "authenticated";

grant references on table "public"."user" to "authenticated";

grant select on table "public"."user" to "authenticated";

grant trigger on table "public"."user" to "authenticated";

grant truncate on table "public"."user" to "authenticated";

grant update on table "public"."user" to "authenticated";

grant delete on table "public"."user" to "service_role";

grant insert on table "public"."user" to "service_role";

grant references on table "public"."user" to "service_role";

grant select on table "public"."user" to "service_role";

grant trigger on table "public"."user" to "service_role";

grant truncate on table "public"."user" to "service_role";

grant update on table "public"."user" to "service_role";

[GitTorres]

In the middle of their FAQ on this thread they say the following:

"By default, secret API keys assume the service_role. When creating the new secret API keys, you can override this behavior and assign a custom role."

I'm interpreting this to say that the "service_role" role in Postgres will still be associated with your API key like it is today and we won't need to change any GRANT statements mentioning "service_role". Fingers crossed anyway.

[CalvinWilkinson]

Let's hope! It would be helpful to receive an official response on this matter.

[tarun1sisodia]

yes , i am also worried about that , my whole project migrations and customization based on service_role . i hope it will not change.

[riderx]

i just tried and it seems to work my functions who are allowed on service_role work the same way

[cardilloscreations]

What's the plan for self-hosted via docker? Is it available there already? I did a quick scan but didn't see this in the docker files.

[raitono]

According to the FAQ:

I only connect to the database via the connection string — do I need to worry about this at all?

No, unless you use the supabase client libraries to make queries to the database.

I am using connection strings with Prisma. I just restored a project which was paused for inactivity and can no longer reach it from my application.

Error querying the database: FATAL: Authentication error, reason: "Unsupported or invalid secret format"

Also:

... restored projects affected from 1st May 2025 ...

Has this policy changed? The connection instructions in the project show no change in the recommended setup for connecting with Prisma.

[j4w8n]

Asym jwts have not been released yet, so the timeline is inaccurate. So, theoretically, it shouldn't have affected your project. You might wanna contact support.

[paukstelom]

Updated timeline posted anywhere?

[sanchezcarlosjr]

One day left before the launch week is over...

[paukstelom]

a very sad outcome I must say

[j4w8n]

I completely spaced that they were releasing anything today.

Oh well, someday.

[omarammarthefirst]

It looks like they updated the timeline on supabase , previously it said Q4 2024

[j4w8n]

Nice find @omarammarthefirst. I finally found where this was at in the dashboard. So the announcement link takes you back to this discussion.

[fmp-llauton]

Has anything on this been actioned?

[j4w8n]

Nothing has been implemented, if that's what you're asking. Supabase-hosted project dashboards say asym JWTs will be available by the end of June 2025.

We shall see.

[jhaworth]

my current (old style) anon key has a start date of june 2025, can i migrate to new keys yet or how do i refresh the old one

[keshav-k3]

I don't think the new keys are out yet, they are looking at a Q2 2025 release I believe, which means it will probably come out around June of this year.
So you're anon key needs no immediate update for now

[spk-alex]

Why must I pass both JWT token and anon API keys to access the PostgREST API?
Some tools make me choose one way of authentication and don't work with 2 at once. Like Custom ChatGPT Action.

[liaujianjie]

@kangmingtay Will be be able to create multiple secret keys? It'll help with reducing downtime during key rotation.

[hf]

Yes!

[liaujianjie]

🫶

[AndaluciaSuperPatch]

Necesito ayuda 🆘

[jtxz]

Will we still be able to verify users in cloudflare workers (like we were doing with JWTs) without having to connect to supabase? If so a snippet of some kind would be appreciated.

[wysohn]

Will we still be able to verify users in cloudflare workers (like we were doing with JWTs) without having to connect to supabase? If so a snippet of some kind would be appreciated.

Before:

• Cloudflare worker (or any other third party service) needs to send the JWT to supabase auth to verify it there

New:

• Cloudflare worker now just need 'public key' and use it to verify the JWT

I can't say in detail cause never worked on cloudflare workers before, but if it's some nodejs based instance, I assume you are using jsonwebtoken package, which the verification process is exactly the same for symmetric key but using the public key instead of symmetric key

jwt.verify('ey...', 'the_public_key', ...)

[jtxz]

Before third party services did not need to connect to supabase - they would use the jwt.verify function you linked using the JWT Secret provided in the UI (or fetchtable from the db via the sql: SHOW app.settings.jwt_secret;. This JWT Secret has now been removed from the UI and the SQL no longer works (presumably because the deprecation is complete). The new API keys don't work in decoding the user's JWT (which makes sense if JWTs are no longer being used). I think this means third party services will have to connect to Supabase now, which is frustrating because it will increase requests significantly. I'm hoping I'm wrong...

[GaryAustin1]

The current JWT secret still exists until deprecated well after the transition. The app.settings.jwt_secret was removed along time ago. I don't recall the reason, but I assume for security.

Async JWT's have a "reading" secret and a "signing" secret. The signing secret needs to be kept secure and is used to generate JWTs. The public "reading" secret can be fetched at a new endpoint https://projectid.supabase.co/auth/v1/.well-known/jwks.json: when the feature is turned on (it is not yet). That secret can be cached and used with JWT.verify and the like to decode the JWT. Many JWT libraries already know how to deal with Async JWT's and get the secret I believe.

Two benefits are now your potentially exposed secret can't be used to generate a JWT if it leaks and as long as you call the endpoint you don't have to hard code the public secret in your code and deal with changes by hand. I do not know if the public secret will be in the dashboard or not, but don't know why it wouldn't.

[hf]

When? Tomorrow. 🎉

[jtxz]

Ah I can now see the JWT keys section in the UI... Perfect!

[genrou2004]

Initial commit

[sk8tz]

Can some create a video, for the common programming languages, c#, java, dart, js etc for the new api key method.

[hf]

That's unfortunate, I'll bring it up with the support team.

I will hide this thread now so that the discussion remains on topic.

[Mark-Life]

any one easle face any issues with supabase dashboard management after implementing new keys?

"Failed to delete user: apikey request header or query parameter is either missing or invalid. Double check your Supabase anon or service_role API key."

on https://supabase.com/dashboard/project/id/auth/users

[GaryAustin1]

Hello @hf @GaryAustin1 I'm also having an issue to join public / private channels using the Dashboard in Realtime page as well. After checking my network tab, it seems like it's attempting to join it using the legacy JWT. Tho, I have moved on the new API Keys and it seems like it doesn't pick it.

I believe the realtime monitor is using the anon/service_role key also based on some testing I was just doing. I don't know how that would impact your RLS though, especially as you show service_role which bypasses it.

I have tested and do find an issue with the new async JWT's being turned on and realtime not connecting with the new API keys OR with an async JWT in the user session. The realtime monitor though seemed to work fine at least for postgres_changes. Another user is running into the same problem. I've forwarded info to Supabase on it.

I do think there may be issues though in general with realtime and the new keys/async JWT's.

[djimnz]

Yes, it’s a bit strange that I’m encountering RLS errors while using the service_role key. I haven’t modified anything related to RLS or realtime, everything is still in its default state from the initial project setup -> but I have opt-in for the new API Key and performed a rotation from the legacy.

I also initialized a new Supabase project as a comparison, and Realtime works fine from the Dashboard there.

On local development, using the JS SDK, I’m able to use channels without any issues. So the problem seems to be isolated to the Dashboard itself, which is also spamming websocket connections repeatedly.

[GaryAustin1]

Realtime server had an update last night that resolved the async JWT's and new API keys working with async migration done.
But I'm not sure that is related to your RLS error with service_role.

[djimnz]

My dashboard seems to be using previous JWT still.

[GaryAustin1]

The changes that I saw in realtime were just to make sure the new keys work.
I can only guess the realtime monitor uses the anon/service_role key at this point. That worked for me with jwt async enabled.

[ChrEsb]

Hi. A question:
Using the legacy API anon key in the apiKey header it was possible to fetch the OpenApi (swagger) documentation from https://<project_id>.supabase.co/rest/v1/ however with the new publishable_key this is no longer the case and it returns a 401 with the message:

{
    "message": "Access to schema is forbidden",
    "hint": "Accessing the schema via the Data API is only allowed using a secret API key."
}

Now it requires the secret key. Is this intentional?

[thafeezz]

Hi having an issue where after creating a secret API key (and having legacy jwt secrets disabled), using it with the supabase client in the python SDK returns "Invalid API Key". This error disappears when reverting back to old service_role key.

My Next app, however, only works with the new publishable API key, and authN fails when providing the old anon key.

It seems others are having similar issues with authorization when using the new API keys.

[trevor-ofarrell]

same issue, any fix?

[sapphire008]

Edge function call with new ES256 jwt tokens fails with "Legacy API keys are disabled" error. My setup

1. Create and start using the new API Keys (Publishable + Secret Keys). Disabled legacy API Keys
2. Deploy edge function with --no-verify-jwt
3. Start a client ([email protected]) using the new publishable key (also tried the Python client and got the same error)
4. Call edge function await client.functions.invoke("<function-name">)
5. Error raised:

"{\n  message: \"Legacy API keys are disabled\",\n  hint: \"Your legacy API keys (anon, service_role) were disabled on 2025-07-18T21:40:33.467267+00:00. Re-enable them in the Supabase dashboard, or use the new publishable and secret API keys.\"\n}\n"

Additional things I tried:

• If I manually override the authorization header with the session token, I got the same error as above.
• If I pass the publishable key as the authorization bearer, I got a error message saying the JWT structure is wrong. Apparently, it is still somehow trying to validate the JWT key

"Error: Authentication failed: Invalid JWT structure\n    at validateJWTToken (./supabase/functions/_shared/supabase_utils.ts:65:11)\n    at eventLoopTick (ext:core/01_core.js:168:7)\n    at async Object.handler (./supabase/functions/manage-subscription/index.ts:293:18)\n    at async respond (ext:sb_core_main_js/js/http.js:197:14)\n"

What is the correct set up for Edge function then? I would still like to have the jwt key passed so that I can retrieve the user id ("sub") and make additional queries in the database.

It appears re-enable the legacy JWT token solves the issue, but it does not appear to be recommended. I also do not know if there will be conflicts if both systems are present and which one will take priority.

[sapphire008]

Also, if we deploy without --no-verify-jwt it will complain that the JWT format is wrong Invalid JWT.

[djimnz]

I had a similar error while trying to use an edge function with Auth Hook.

[YashChaubs]

My project currently using nextjs and I have followed the supabase SSR manual for authentication. I have public URL i use and an anon key. Can I replace the anon key with the publishable key and everything should work as is?

[gejjech]

J

[eybel]

I am no longer able to generate types using npx run generate:types after I migrated to the new JWT APIs:

failed to retrieve generated types: {"message":"{\"message\":\"Legacy API keys are disabled\",\"hint\":\"Your legacy API keys (anon, service_role) were disabled on 2025-07-22T16:28:01.624439+00:00. Re-enable them in the Supabase dashboard, or use the new publishable and secret API keys.\"}"} Try rerunning the command with --debug to troubleshoot the error.

[masda70]

With the recent switch to asymmetric JWTs and the new API key generation UI, it seems we can no longer generate tokens with custom roles. Previously, I used a script to sign JWTs with a custom role for backend workers:

import { SignJWT } from 'jose'

const secret = new TextEncoder().encode(process.env.SUPABASE_JWT_SECRET)
const signedJwt = await new SignJWT({ role: role })
  .setProtectedHeader({ alg: 'HS256' })
  .setExpirationTime('10y')
  .sign(secret)

In the initial post of this discussion, it was announced:

"By default, secret API keys assume the service_role. When creating the new secret API keys, you can override this behavior and assign a custom role"

However, it looks like this feature was removed before the final release (I noticed @hf edited the OP to remove this mention). Is there a timeline or plan to support assigning custom roles to secret API keys? This would be welcome to increase the security of some of our backend workflows.

[rcdmtb]

Hi,
First of all, thank you team Supabase for the great effort and the continuous support. After migrating from the deprecated Supabase "anon key" to the new "publishable key" ( sb_publishable_... format), everything in my end works perfectly and i love the new JWTs, with getClaims, thank you for that. ... just two distinct issues arose:

• Database Type Generation Failure (React Application): In one React application, the Supabase CLI's database type generation command (npx supabase gen types typescript --project-id "$PROJECT_REF" --schema public > database.types.ts) continues to expect the old "anon key" despite the project being configured with the new "publishable key." This prevents type generation unless the "anon key" is temporarily re-enabled.
• FlutterFlow Connection Failure: A FlutterFlow application is unable to establish a connection to Supabase using the new "publishable key." The connection fails, preventing data interaction from within FlutterFlow.
  You can find details in "Supabase API Key Migration Issues with Type Generation and FlutterFlow #37493"

[eacolina]

Are publishable keys available on local studio now?

[karmasakshi]

Limitation with Edge Functions: Edge Functions provide the option --no-verify-jwt which means they can be called without knowing any API key. You will need to apply this option to functions you are protecting without it.

Can someone explain You will need to apply this option to functions you are protecting without it.?

What are the steps needed to migrate the user-check step in an edge function? I'm creating a client with user privileges, then getting the user ID as follows, but I keep getting Invalid JWT error.

export function getSupabaseUserClient(request: Request): SupabaseClient {
  const authorizationHeader: null | string =
    request.headers.get('Authorization');

  if (!authorizationHeader) {
    throw new ApiError('Authorization header is not set.', 401);
  }

  return createClient(
    Deno.env.get('SUPABASE_URL')!,
    Deno.env.get('SUPABASE_ANON_KEY')!,
    {
      auth: { persistSession: false },
      global: { headers: { Authorization: authorizationHeader } },
    },
  );
}

export async function getUserId(
  supabaseClient: SupabaseClient,
): Promise<string> {
  const { data, error } = await supabaseClient.auth.getClaims();

  if (error) {
    throw error;
  }

  if (!data) {
    throw new ApiError('User was not found.', 404);
  }

  return data.claims.sub;
}

[mark-monteiro]

I would also like some clarification on this. You will need to apply this option to functions you are protecting without it doesn't mean anything to me, is this a typo?

When you attempt to rotate keys, there is a popup with a checkbox to acknowledge that edge functions may stop working. This is the help text displayed in a popup:

Some of your Edge Functions are set up to require a JWT in the Authorization header signed with the legacy JWT secret. Rotation causes invocations by signed-in users to fail with HTTP 401 Unauthorized, as the JWT no longer meets this requirement.

Recommendation: Change all of your Edge Functions to no longer verify JWT and implement the verification logic in the function's code yourself by using the Supabase client library or any other library for working with JWT.

Is this related? Can we get an example of how we might implement the verification logic in our function's code?

Maybe also an explanation on why this is necessary? I would prefer to let the framework continue to verify authentication for me, there are less chances for mistakes or a bad implementation that way

[traviswimer]

@mark-monteiro Take a look at this comment.

You can still use whatever framework for verification as long as it supports using a JWK URI (e.g. .well-known/jwks.json). Basically, this json file provides an array of public keys and other information needed for verifying a JWT. This means your edge functions no longer need to deal with a private key.

Here is an example from the jsonwebtoken library's docs:

// Verify using getKey callback
// Example uses https://github.com/auth0/node-jwks-rsa as a way to fetch the keys.
var jwksClient = require('jwks-rsa');
var client = jwksClient({
  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
});
function getKey(header, callback){
  client.getSigningKey(header.kid, function(err, key) {
    var signingKey = key.publicKey || key.rsaPublicKey;
    callback(null, signingKey);
  });
}

jwt.verify(token, getKey, options, function(err, decoded) {
  console.log(decoded.foo) // bar
});

Some frameworks handle all of that automatically for you though. For example, hono provides middleware that deals with the jwks.json URI itself.

And the .well-known/jwks.json file includes all your currently valid keys, which means you can easily rotate keys without needing to change any code or update "secrets", since the private key is only used on Supabase's end to generate the user's JWT.

[mark-monteiro]

Forbidden use in a browser. Using a secret key in a browser is no longer possible and will always fail with HTTP 401 Unauthorized.

Can we get some additional clarification on how this check is performed? I am using the supabase-js client in the Google Apps Script runtime environment and this error popped up when trying to switch from the old service_role key to the new sb_secret_... key. Is there any way to override or ignore this error?

To be clear, this is not a browser environment, it is a server cloud-based runtime environment.