From 6deb7c0db236820e0247db0a04b91366f4a93771 Mon Sep 17 00:00:00 2001
From: 7ttp <117663341+7ttp@users.noreply.github.com>
Date: Wed, 17 Dec 2025 15:52:08 +0530
Subject: [PATCH] fix: disable session persistence for service role keys
---
 src/createServerClient.ts | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/createServerClient.ts b/src/createServerClient.ts
index 9eae3b1..609f447 100644
--- a/src/createServerClient.ts
+++ b/src/createServerClient.ts
@@ -13,6 +13,20 @@ import type {
 CookieMethodsServerDeprecated,
 } from "./types";
 import { memoryLocalStorageAdapter } from "./utils/helpers";
+import { stringFromBase64URL } from "./utils/base64url";
+
+function isServiceRoleKey(apiKey: string): boolean {
+ try {
+ const parts = apiKey.split(".");
+ if (parts.length !== 3) {
+ return false;
+ }
+ const payload = JSON.parse(stringFromBase64URL(parts[1]));
+ return payload.role === "service_role";
+ } catch {
+ return false;
+ }
+}

 /**
 * @deprecated Please specify `getAll` and `setAll` cookie methods instead of
@@ -142,6 +156,8 @@ export function createServerClient<
 );
 }

+ const isServiceRole = isServiceRoleKey(supabaseKey);
+
 const { storage, getAll, setAll, setItems, removedItems } =
 createStorageFromOptions(
 {
@@ -169,7 +185,7 @@ export function createServerClient<
 flowType: "pkce",
 autoRefreshToken: false,
 detectSessionInUrl: false,
- persistSession: true,
+ persistSession: !isServiceRole,
 storage,
 ...(options?.cookies &&
 "encode" in options.cookies &&
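Review bot: `isServiceRoleKey` only recognises a privileged key when it is a three-part JWT whose payload has `role === "service_role"`, so any privileged key in another format returns `false` and keeps `persistSession: true`. If this client is also expected to accept opaque secret keys (the `sb_secret_` prefix format, if the project supports it here), add an explicit branch such as `if (apiKey.startsWith("sb_secret_")) return true;` before the split. The function also has no doc comment; it should say that the payload is decoded without signature verification, so the result is only a hint for choosing client defaults and must never be used as an authorization decision. Typing the parse result as `const payload: unknown = JSON.parse(...)` and narrowing before reading `.role` would avoid relying on the `catch` to absorb a `null` or non-object payload.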
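Review bot: `persistSession: !isServiceRole` changes the client's session behaviour silently and has no comment explaining the security reason. A line such as `// A service_role client must not load or store the end user's cookie session.` above it would keep a later refactor from reverting it. The cookie-backed `storage` is still passed on the next line, and the rest of `createServerClient` lies outside this hunk, so it is not visible whether a caller-supplied auth option can override this value or whether the cookie-writing path still runs when persistence is off. The patch touches only `src/createServerClient.ts`; a test asserting that a service-role client never invokes `setAll` and ignores an existing session cookie would pin the intended behaviour.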