Critical: How can we use REST APIs when the key is public? Or Supabase at all?

I just found out that the REST API keys are findable in the browser:
So how should we use REST APIs with the key being public?
Not only are update and insert a problem, but even the selects when you deal with sensitive data.

In another thread about Supabase problems with the plugin (RLS) you tell us to use the REST API until you change the plugin. But how should we use the Supabase REST API when the key is public? Then everybody can alter the database as they want to.

With Supabase Auth you can restrict insert and update to authenticated users but need to activate select for everyone. What? So everyone can read everything?

Maybe I am wrong, but it seems not possible to use WeWeb for sensitive data at all?