Skip to main content
This page covers how data flows through Lovable connectors, how Lovable stores and protects integration credentials, and the security controls that apply to connector traffic: the connector gateway, outbound IP allowlisting, and domain restrictions.

Connector data flow

When your app uses an app connector, Lovable acts as a secure intermediary between your app and the third-party service. For example, when your app displays a SharePoint document, the document is fetched live from Microsoft and handed straight to your app. A connector request follows these steps:
  1. Your app requests an item, such as a document, record, or message.
  2. The request goes to Lovable’s connector gateway.
  3. The gateway authenticates with the third-party service using the connection’s stored credentials and fetches the item live.
  4. The gateway returns the response directly to your app.
This design has two practical consequences:
  • Access mirrors the connected account. A connector can only see what the account used to create the connection is permitted to see at the third-party service. If that account has read-only access, your app has read-only access.
  • Disconnecting cuts access immediately. When you delete a connection, its secrets are removed and apps using it stop working. See Data retention and deletion policy.
This flow applies to gateway-based connectors, which covers most app connectors. See Gateway connectors for details on the exceptions.

Credentials

Access and permissions

All connection tokens are stored encrypted. Once a credential is saved, no one can read it back directly: not workspace members, not workspace admins, and not the Lovable AI agent. Each project receives 2 abstract keys: LOVABLE_API_KEY that uniquely identifies a project and one key per connection. This connection key is an opaque key that encapsulates all secrets and allows one project to reach the connector gateway. Your app and the agent use this key to call the connector, while the underlying tokens stay in Lovable’s secret store. Some secrets can be visible inside a project and to the agent. This applies when a secret is marked public (for example, a publishable key meant for the browser) or when the connector does not route through the gateway. Gateway connectors keep all credentials lovable-side and never expose them in the project.

Data retention and deletion policy

Secrets are deleted from the workspace as soon as the connection is deleted. If an entire workspace is deleted, its secrets are removed after the grace period. Expired or unused connections are never deleted automatically. Remove a connection yourself when you no longer need it.

Rotation

If a credential is leaked, you can rotate the LOVABLE_API_KEY for each project. After rotation, the previous key may still be valid for up to an hour depending on caching.

Gateway connectors

Most app connectors route through a secure gateway between your Lovable app and the third-party service. If you need to confirm whether a specific connector routes through the gateway, contact Lovable support. The gateway provides the following capabilities:
  • Authentication is handled automatically. The gateway manages OAuth and refreshes expiring tokens in the background, so once connected, your integration keeps working without manual re-authentication.
  • Credentials are never exposed in your project. Tokens are stored securely in the gateway and are not visible in project settings or accessible to workspace admins. Your app calls the connector, and authentication is handled behind the scenes.
  • There is a per-project usage limit. Gateway connectors allow up to 1,000 requests per minute per connector per project. Each project has its own independent limit, so usage in one project does not affect others. Most apps will not approach this threshold, but if you are building high-volume automations or frequent background operations, you should design with this limit in mind.
  • Outbound traffic uses a stable IP range. Requests from gateway-based connectors leave Lovable from a fixed set of IP ranges that you can allowlist. See IP allowlisting for the ranges.
App connectors that do not use the gateway may authenticate differently, such as through a direct API key or credentials managed by Lovable. The capabilities listed above apply only to gateway-based connectors.

IP allowlisting

Requests from gateway-based connectors to third-party services leave Lovable from a fixed set of IP ranges. Partners and enterprise customers can allowlist these ranges to permit Lovable connector traffic through firewalls or IP-restricted APIs.
  • IPv4: 185.41.150.0/25
  • IPv6: 2a07:8241:fca::/48

Domain restrictions

Some connectors and third-party services let you restrict a key to a set of domains (sometimes called referrer, origin, or HTTP referrer restrictions). When a key is used in your app’s frontend code, such as the Logo.dev or Google Maps Platform browser key, domain restrictions limit where the key works so it can’t be reused elsewhere. For keys or systems that support domain restrictions, add the domains where Lovable serves your app:
  • *.lovable.app/*
  • *.lovable.dev/*
  • *.lovableproject.com/*
  • your production domain
These cover all Lovable’s environments. If your app is served from a custom domain, add that domain to the list as well.

Share how gateway connectors work

Need to explain how Lovable accesses your external data to colleagues, IT, or a security reviewer? Share the one-pager below. It walks through the gateway connector data flow in plain language, without requiring a docs deep dive.

How Lovable connects to your data

A shareable one-pager explaining how Lovable’s gateway connectors fetch your data live, what they can access, and how to disconnect.