Lovable writes frontend code, which means it runs in the browser. Therefore, no sensitive data of any kind should be stored in code. To connect to third-party services (like OpenAI, Anthropic, etc.), API keys are needed. We recommend you store your API keys in Supabase secrets and use them from Supabase Edge Functions, so the keys never reach the browser.
Whenever you paste an API key into the chat, Lovable will automatically detect it and warn you not to hardcode sensitive credentials directly into your frontend code. Instead of pasting API keys, describe what you’re trying to accomplish and Lovable will guide you through the secure implementation.
For example, instead of:
“Add this API key to call OpenAI: sk_test_abc123…”
Try this:
“I want to integrate OpenAI’s API to generate text responses”
Lovable will then show you how to:
Store your API key securely in Supabase secrets.
Create a Supabase Edge Function to make the API call server-side.
Call that Edge Function from your frontend code.
This approach keeps your sensitive credentials secure and follows security best practices for web applications.
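The three steps above, as an added example that is not Lovable's or Supabase's own code: an Edge Function that reads the key from a Supabase secret, validates the caller's input, calls OpenAI server-side and returns only the generated text. The secret name `OPENAI_API_KEY`, the function name `generate-text` and the model name are assumptions; the handler takes the environment and `fetch` as parameters so it can be exercised outside Deno.

```typescript
// Added example (not Lovable's or Supabase's own code). A Supabase Edge Function
// that proxies a text-generation request to OpenAI. The key is read from a
// secret (assumed name: OPENAI_API_KEY) on the server; the browser only ever
// sees the generated text. Model name and function name are assumptions.

type Env = { get(name: string): string | undefined };
type Fetcher = (url: string, init: RequestInit) => Promise<Response>;

const JSON_HEADERS = { "Content-Type": "application/json" };

async function handleGenerate(req: Request, env: Env, fetchImpl: Fetcher): Promise<Response> {
  if (req.method !== "POST") {
    return new Response("Method not allowed", { status: 405 });
  }
  // Fail closed if the secret was never set; never fall back to a key in code.
  const apiKey = env.get("OPENAI_API_KEY");
  if (!apiKey) {
    return new Response(JSON.stringify({ error: "server misconfigured" }), { status: 500, headers: JSON_HEADERS });
  }
  // Validate the caller-supplied input before spending the key on it.
  let prompt: unknown;
  try {
    prompt = (await req.json())?.prompt;
  } catch {
    return new Response(JSON.stringify({ error: "invalid JSON" }), { status: 400, headers: JSON_HEADERS });
  }
  if (typeof prompt !== "string" || prompt.length === 0 || prompt.length > 4000) {
    return new Response(JSON.stringify({ error: "prompt must be a non-empty string" }), { status: 400, headers: JSON_HEADERS });
  }
  // The key travels only from this server to OpenAI.
  const upstream = await fetchImpl("https://api.openai.com/v1/chat/completions", {
    method: "POST",
    headers: { ...JSON_HEADERS, Authorization: `Bearer ${apiKey}` },
    body: JSON.stringify({ model: "gpt-4o-mini", messages: [{ role: "user", content: prompt }] }),
  });
  if (!upstream.ok) {
    // Return a generic error; the upstream body may echo request details.
    return new Response(JSON.stringify({ error: "upstream error" }), { status: 502, headers: JSON_HEADERS });
  }
  const data = await upstream.json();
  const text: string = data?.choices?.[0]?.message?.content ?? "";
  return new Response(JSON.stringify({ text }), { status: 200, headers: JSON_HEADERS });
}

// Deno entry point when deployed as supabase/functions/generate-text/index.ts.
// From the frontend: supabase.functions.invoke("generate-text", { body: { prompt } }).
const deno = (globalThis as any).Deno;
if (deno?.serve) {
  deno.serve((req: Request) => handleGenerate(req, deno.env, fetch));
}
```

A deployed function also needs CORS response headers and an `OPTIONS` handler before a browser can call it; those are omitted here to keep the key-handling logic in focus.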
Before publishing, Lovable displays security warnings from the Supabase security advisor and will ask you to confirm that you want to publish if there are any warnings. We highly recommend you resolve all issues before publishing your projects, to keep your app’s data safe.
Seeing no warnings or errors from the Supabase security advisor does not guarantee that there are no security issues in your app. We recommend you ask Lovable to review your app’s security before publishing.
The Security View displays findings from two sources: feedback from the Supabase security advisor and an in-depth AI review of your Supabase schema and RLS (Row Level Security) policies by the Lovable AI. This comprehensive approach ensures broader coverage of potential security issues.
Findings are categorized by severity level:
Error: Critical security issues that should be addressed immediately. These include the “try to fix” option, though fixes are not guaranteed to resolve all cases.
Warning: Important security concerns that should be reviewed and likely addressed.
Info: General security recommendations and best practices for your consideration.
The “Security Review” button triggers a more comprehensive AI analysis that includes your entire codebase, going beyond just the database schema and RLS policies to examine your application code for additional security vulnerabilities.
You can request a security review at any time by asking Lovable to “review my app’s security” or clicking the “Review Security” button in the publish dialog. Lovable will:
Analyze your entire codebase for security vulnerabilities
Check for common issues like XSS prevention, input sanitization, and authentication flaws
Review your Supabase RLS policies and database security (going deeper than Supabase’s own advisor)
Provide a detailed report with specific recommendations
Before publishing, Lovable automatically displays security warnings from both the Supabase security advisor and its own enhanced AI security scanner. You’ll be asked to confirm if there are any warnings, though we highly recommend resolving all issues first.
Remember: Even with no warnings, always request a manual security review for production applications.