To enable authentication with Supabase in Flutterflow, we use the project URL and the anon public key. Supabase's own documentation states that there’s no issue exposing the anon public key because it’s restricted by the row-level security (RLS) rules, unlike the service_role secret, which bypasses them.
The point is that, in many cases, the anon public key is exposed in the browser, meaning that if someone else had our Supabase project URL and the anon public key, they could create users in our app. Is this true?