Supabase provide two separate keys. One is private, the other one is public.
In our supabase plugin we ask for both.
The private one allow to connect to your supabase as an administrator (like accessing to the supabase back office), it’s used in the editor to analyse your instance and improve the user experience, it make us able to display your table list for example. The private key is never embed inside the published website of course.
The public one is used to connect to your supabase as an user/consumer. This one is made to be embed in a front end.
If you choose to use the rest api plugin you will use the public one. Si there is no security concern.