Cap-go · teixr12 · May 11, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
diff --git a/supabase/functions/_backend/utils/supabase.ts b/supabase/functions/_backend/utils/supabase.ts
@@ -306,20 +306,26 @@ export function apikeyHasOrgRight(key: Database['public']['Tables']['apikeys']['
 /**
  * Check if API key has org access AND meets org's API key policy requirements
  * Returns { valid: true } if all checks pass, or { valid: false, error: string } if not
+ *
+ * @param _supabase Deprecated compatibility parameter; policy lookups use
+ * supabaseAdmin(c) after local org-scope validation so RBAC denials do not hide
+ * the org policy row.
  */
 export async function apikeyHasOrgRightWithPolicy(
   c: Context,
   key: Database['public']['Tables']['apikeys']['Row'],
   orgId: string,
-  supabase: SupabaseClient<Database>,
+  _supabase: SupabaseClient<Database>,
 ): Promise<{ valid: boolean, error?: string }> {
   // First check basic org access
   if (!apikeyHasOrgRight(key, orgId)) {
     return { valid: false, error: 'invalid_org_id' }
   }
 
-  // Then check if org requires expiring keys
-  const policyCheck = await checkApikeyMeetsOrgPolicy(c, key, orgId, supabase)
+  // Then check if org requires expiring keys. The scope check above proves the
+  // key is org-scoped; use service role for the policy lookup so runtime
+  // permission denials for non-expiring keys do not hide the policy row.
+  const policyCheck = await checkApikeyMeetsOrgPolicy(c, key, orgId, supabaseAdmin(c))
   if (!policyCheck.valid) {
     return policyCheck
   }