Paste your project URL + anon key. The scan runs entirely in your browser. Nothing is sent to my server. Open DevTools → Network if you want to verify — every request goes directly from your browser to your-project.supabase.co.
How this works: the form fires GET https://<your-url>/rest/v1/<table>?select=*&limit=1 with apikey: <your-anon-key> for each table name. If the response has rows, the table is publicly accessible. This is the same request any anonymous visitor with your site's bundled anon key could fire — we're just making it visible to you.
If you don't want to paste the key here, you can also run the same scan from your terminal: npx supabase-security <project-ref> (this requires a personal access token and is more thorough).
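The per-table check described above, as an added example for auditing your own project (this is not the scanner's own code). The function names and verdict labels are assumptions, and the handling of empty and error responses goes beyond the single "has rows" case the page states.

```javascript
// Added example: builds the probe request described above and classifies the reply.
// All function names and verdict strings are hypothetical, chosen for illustration.

function buildProbeRequest(projectUrl, anonKey, table) {
  // Normalise the base URL and keep the table name a single path segment.
  const base = projectUrl.replace(/\/+$/, "");
  const url = `${base}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`;
  return { url, options: { method: "GET", headers: { apikey: anonKey } } };
}

function classifyResponse(status, body) {
  // 200 with at least one row: the anon role can read data from this table.
  // Only column names are reported, so the audit output holds no row values.
  if (status === 200 && Array.isArray(body) && body.length > 0) {
    return { verdict: "exposed", columns: Object.keys(body[0]) };
  }
  // 200 with []: an empty table, or RLS filtering out every row. No rows came
  // back, but this alone does not prove a policy is in place.
  if (status === 200 && Array.isArray(body)) {
    return { verdict: "no-rows", columns: [] };
  }
  // 401/403: the anon role lacks privileges. 404: the API exposes no such table.
  if (status === 401 || status === 403) return { verdict: "denied", columns: [] };
  if (status === 404) return { verdict: "not-found", columns: [] };
  return { verdict: "unknown", columns: [] };
}

async function probeTable(projectUrl, anonKey, table, fetchImpl = globalThis.fetch) {
  const { url, options } = buildProbeRequest(projectUrl, anonKey, table);
  const res = await fetchImpl(url, options);
  let body = null;
  try { body = await res.json(); } catch { /* non-JSON error body */ }
  return { table, status: res.status, ...classifyResponse(res.status, body) };
}

async function scanTables(projectUrl, anonKey, tables, fetchImpl) {
  // Sequential on purpose: one request per table name, as the page describes.
  const results = [];
  for (const t of tables) results.push(await probeTable(projectUrl, anonKey, t, fetchImpl));
  return results;
}
```

A "no-rows" verdict is worth re-checking after the table has data, since an empty table and a table protected by RLS look the same to this request.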