The Scenario
You are a security engineer. Your company's SOC 2 audit starts in two weeks. One of the audit items is verifying that only approved environment variables exist in your Supabase projects and that a rotation schedule is in place.
Your production Supabase project has secrets configured. You need a list of every secret name — values masked, names visible — in a Google Sheet, with a "Last Rotated" column for you to fill in manually.
The slow version:
- You open the Supabase dashboard and navigate to Edge Functions > Secrets
- The page shows secret names but no export
- You type the names into a sheet by hand
- You realize you have three other Supabase projects to document
- You spend an hour copying names across four dashboards, and by the time you are done, you are not confident the list is complete.
The fast version is one prompt.
The Easy Way: One Prompt in SheetXAI
SheetXAI reads your Supabase secrets list directly and writes the audit-ready inventory into the sheet, so you do not have to click through dashboards or type names by hand.
Open the SheetXAI sidebar and type:
List all secrets for Supabase project abc123. Write secret name and any non-sensitive metadata into this sheet — note that values will be masked. Add a blank "Last Rotated" column C for me to fill in manually.
SheetXAI calls the Supabase secrets API, retrieves all secret names (values never exposed), and writes the formatted list with the blank rotation column.
What You Get
A secrets audit sheet ready for the SOC 2 review:
- One row per secret — name visible, value never written
- Blank "Last Rotated" column — ready for you to fill in from your rotation records
- All secrets captured — no dashboard clicking, no manual typing
You hand the sheet to the auditor. The rotation schedule gets filled in from your team's records. The audit item closes.
What If the Audit Needs More Context
A flat secrets list is the starting point. SheetXAI can enrich and cross-reference in the same prompt.
When you need to audit secrets across multiple projects
You have four Supabase projects and the audit covers all of them.
List all secrets for Supabase project abc123 and write secret names into column A with "abc123" in column B. Then list all secrets for project xyz789 and append those names in column A with "xyz789" in column B. Continue for all four projects. Add a blank "Last Rotated" column C.
When you want to flag secrets that match a known deprecated pattern
Your team retired a set of legacy API keys last quarter. Any secret starting with LEGACY_ should be flagged.
List all secrets for Supabase project abc123 and write names into this sheet. In column C, flag any secret whose name starts with "LEGACY_" as "DEPRECATED — DELETE."
When you want to cross-reference against an approved list
You have an approved secrets inventory in column A of a second tab. Any secret not on the approved list is unauthorized.
List all secrets for Supabase project abc123 and write secret names into this sheet. In column B, check whether each name appears in the Approved tab column A — if not, label it "UNAUTHORIZED."
When you need the full secrets audit across all projects in one shot
Names, project attribution, deprecation flags, and an unauthorized flag — all in one prompt.
List all secrets for Supabase projects abc123, xyz789, def456, and ghi012. Write project ref and secret name into the Raw tab. In the Audit tab, flag any secret starting with "LEGACY_" as "DEPRECATED" and any secret not in the Approved tab as "UNAUTHORIZED." In the Summary tab, write total secret count per project and count of flagged secrets per project.
The pattern: the prompt captures the compliance context the auditor actually needs, not just the names.
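The flagging rules from the prompts above (the "LEGACY_" prefix, the approved-list check, and per-project counts) can be checked independently of any tool. The following is an added example, not SheetXAI or Supabase code; it assumes each project's listing is a list of records with "name" and "value" fields, and all sample data is constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample input: secret listings keyed by project ref. The record
# shape {"name", "value"} is an assumption; the values are fake placeholders.
LISTINGS = {
    "abc123": [{"name": "STRIPE_KEY", "value": "digest-1"},
               {"name": "LEGACY_SMTP_PASS", "value": "digest-2"}],
    "xyz789": [{"name": "STRIPE_KEY", "value": "digest-3"},
               {"name": "DEBUG_TOKEN", "value": "digest-4"}],
}
APPROVED = {"STRIPE_KEY", "LEGACY_SMTP_PASS"}  # constructed "Approved" tab


def audit_rows(listings, approved, deprecated_prefix="LEGACY_"):
    """Return one row per secret: (project, name, flags, last_rotated)."""
    rows = []
    for project in sorted(listings):
        for record in sorted(listings[project], key=lambda r: r["name"]):
            name = record["name"]  # the value field is deliberately never read
            flags = []
            if name.startswith(deprecated_prefix):
                flags.append("DEPRECATED")
            if name not in approved:  # exact, case-sensitive match
                flags.append("UNAUTHORIZED")
            rows.append((project, name, ";".join(flags), ""))
    return rows


def summary(rows):
    """Per project: (total secrets, flagged secrets)."""
    total = Counter(r[0] for r in rows)
    flagged = Counter(r[0] for r in rows if r[2])
    return {p: (total[p], flagged[p]) for p in total}


def to_csv(rows):
    """Render the audit rows as CSV text ready to import into a sheet."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Project", "Secret Name", "Flags", "Last Rotated"])
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows = audit_rows(LISTINGS, APPROVED)
    print(to_csv(rows))
    print(summary(rows))
```

A name that is both on the approved list and carries the deprecated prefix, like LEGACY_SMTP_PASS in the sample, is flagged DEPRECATED only, which tells you the approved list itself is stale.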
Try It
Get the 7-day free trial of SheetXAI and open any Google Sheet, then ask it to list the secrets for your Supabase project. The Supabase integration is included in every SheetXAI plan. For related workflows, see how to export API keys for a governance audit or the Supabase in Google Sheets overview.
