diff --git a/.env.example b/.env.example
index 1607925..3d47971 100644
--- a/.env.example
+++ b/.env.example
@@ -1,3 +1,16 @@
+# =============================================================
+# SECURITY WARNING — Supabase Keys
+# =============================================================
+# NEVER use the service_role key here or in any client-side code.
+# The service_role key bypasses ALL Row Level Security policies,
+# giving anyone who visits your deployed app full admin access
+# to your entire database — reads, writes, deletes, no RLS.
+#
+# CORRECT: use the anon/publishable key in client apps
+# WRONG: VITE_SUPABASE_KEY="sbp_live_..." or service_role anywhere client-side
+#
+# See: https://supabase.com/docs/guides/api/api-keys
+# =============================================================
 VITE_SUPABASE_PROJECT_ID="your-project-id"
 VITE_SUPABASE_PUBLISHABLE_KEY="your-anon-public-key"
 VITE_SUPABASE_URL="https://your-project-id.supabase.co"
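Review bot: The added warning explains what the service_role key can do but not why this particular file is client-side, which is the fact a new contributor needs: Vite inlines every `VITE_`-prefixed variable into the public browser bundle, so any value assigned to the three variables below is shipped to every visitor. One line near the top of the block, such as `# NOTE: every VITE_* variable is inlined into the public client bundle by Vite — nothing in this file is secret.`, would make the rule self-explaining and also cover future keys added under the same prefix. The `sbp_live_...` sample on the WRONG line appears to follow the prefix of a Supabase personal access token rather than a service_role key, so it may be worth checking the example against the linked docs to ensure it illustrates the key the comment warns about.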