Eric Della Casa

How are you managing Supabase credentials across environments without things drifting?

One recurring issue we’ve been seeing with Supabase setups is not the database itself, but how credentials are managed across environments. The common pattern looks something like:

  • credentials stored in .env files or secrets managers

  • multiple environments (dev, staging, prod)

  • manual propagation or duplication across those environments

It works, but over time it seems easy for things to drift:

  • a key gets rotated in one environment but not others

  • a redeploy misses an env var

  • credentials get misconfigured during setup or migration

We’ve seen this cause failures that have nothing to do with application logic, just the surrounding setup. A few approaches we’ve come across:

  • .env files per environment + validation checks before deploy

  • centralized secrets (GCP, AWS, etc.) reused across services

  • scripts/tests to ensure required env vars are present

Curious how others here are handling this in practice.

  • Are you fully relying on your cloud provider’s secrets layer?

  • How are you handling rotation across multiple environments?

  • Have you found a setup that actually eliminates drift, or is it mostly managed with guardrails?

Would be especially interesting to hear if the move toward JWT signing keys is changing how people think about this layer.
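A pre-deploy check of the kind the post lists (validation before deploy, scripts that confirm required env vars are present), added here as an example and not part of the original post. It assumes the conventional variable names `SUPABASE_URL`, `SUPABASE_ANON_KEY` and `SUPABASE_SERVICE_ROLE_KEY`, and legacy JWT-format API keys whose payload carries `ref` and `role` claims; the sample tokens are constructed and unsigned.

```python
import base64, json, time
from urllib.parse import urlparse

# Assumed variable names and the role each key should carry (not from the post).
EXPECTED = {"SUPABASE_ANON_KEY": "anon", "SUPABASE_SERVICE_ROLE_KEY": "service_role"}

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (config linting only)."""
    _, payload, _ = token.split(".")  # ValueError unless exactly three parts
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def check_env(name, env, now=None):
    """Return a list of problems for one environment's variables."""
    missing = [k for k in ("SUPABASE_URL", *EXPECTED) if not env.get(k)]
    if missing:
        return [f"{name}: {k} is missing" for k in missing]
    url_ref = (urlparse(env["SUPABASE_URL"]).hostname or "").split(".")[0]
    problems = []
    for var, role in EXPECTED.items():
        try:
            c = jwt_claims(env[var])
        except ValueError as exc:
            problems.append(f"{name}: {var} is not a readable JWT ({exc})")
            continue
        if c.get("ref") != url_ref:
            problems.append(f"{name}: {var} is for project {c.get('ref')}, URL is {url_ref}")
        if c.get("role") != role:
            problems.append(f"{name}: {var} has role {c.get('role')}, expected {role}")
        if c.get("exp", float("inf")) < (now or time.time()):
            problems.append(f"{name}: {var} has expired")
    return problems

def sample_env(url_ref, service_ref, exp=4102444800):
    """Constructed environment with unsigned sample tokens; not real credentials."""
    def key(ref, role):
        enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
        claims = {"iss": "supabase", "ref": ref, "role": role, "exp": exp}
        return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "sig"])
    return {"SUPABASE_URL": f"https://{url_ref}.supabase.co",
            "SUPABASE_ANON_KEY": key(url_ref, "anon"),
            "SUPABASE_SERVICE_ROLE_KEY": key(service_ref, "service_role")}

# Constructed case: staging still holds prod's service key.
ENVS = {"prod": sample_env("prodref", "prodref"), "staging": sample_env("stageref", "prodref")}

if __name__ == "__main__":
    print({n: check_env(n, e) for n, e in ENVS.items()})
```

Keys that are not JWTs are reported as unreadable, so the claim checks apply only where JWT-format keys are in use.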
