Credentials
Access and permissions
All connection tokens are stored encrypted. Once a credential is saved, no one can read it back directly: not workspace members, not workspace admins, and not the Lovable AI agent. Each project receives 2 abstract keys: a LOVABLE_API_KEY that uniquely identifies the project, and one key per connection. The connection key is an opaque key that encapsulates all secrets and allows one project to reach the connector gateway. Your app and the agent use this key to call the connector, while the underlying tokens stay in Lovable’s secret store.
Some secrets can be visible inside a project and to the agent. This applies when a secret is marked public (for example, a publishable key meant for the browser) or when the connector does not route through the gateway. Gateway connectors keep all credentials on the Lovable side and never expose them in the project.
Data retention and deletion policy
Secrets are deleted from the workspace as soon as the connection is deleted. If an entire workspace is deleted, its secrets are removed after the grace period. Expired or unused connections are never deleted automatically. Remove a connection yourself when you no longer need it.
Rotation
If a credential is leaked, you can rotate the LOVABLE_API_KEY for each project. After rotation, the previous key may still be valid for up to an hour depending on caching.
Gateway connectors
Most app connectors route through a secure gateway between your Lovable app and the third-party service. If you need to confirm whether a specific connector routes through the gateway, contact Lovable support. The gateway provides the following capabilities:
- Authentication is handled automatically. The gateway manages OAuth and refreshes expiring tokens in the background, so once connected, your integration keeps working without manual re-authentication.
- Credentials are never exposed in your project. Tokens are stored securely in the gateway and are not visible in project settings or accessible to workspace admins. Your app calls the connector, and authentication is handled behind the scenes.
- There is a per-project usage limit. Gateway connectors allow up to 1,000 requests per minute per connector per project. Each project has its own independent limit, so usage in one project does not affect others. Most apps will not approach this threshold, but if you are building high-volume automations or frequent background operations, you should design with this limit in mind.
- Outbound traffic uses a stable IP range. Requests from gateway-based connectors leave Lovable from a fixed set of IP ranges that you can allowlist. See IP allowlisting for the ranges.
IP allowlisting
Requests from gateway-based connectors to third-party services leave Lovable from a fixed set of IP ranges. Partners and enterprise customers can allowlist these ranges to permit Lovable connector traffic through firewalls or IP-restricted APIs.
- IPv4: 185.41.150.0/25
- IPv6: 2a07:8241:fca::/48
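The following is an added example, not Lovable's code: a receiving-side check that classifies request source addresses against the two ranges above, including IPv4-mapped IPv6 peers and addresses just outside each prefix. The function names and the `<peer_ip> <method> <path>` log format are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress

# Ranges published on this page for gateway-based connector traffic.
LOVABLE_RANGES = [
    ipaddress.ip_network("185.41.150.0/25"),
    ipaddress.ip_network("2a07:8241:fca::/48"),
]

def normalize(addr: str):
    """Parse a peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    which dual-stack listeners report for IPv4 clients."""
    ip = ipaddress.ip_address(addr.strip().strip("[]"))
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_lovable_gateway(addr: str) -> bool:
    """True only if addr parses and falls inside a published range."""
    try:
        ip = normalize(addr)
    except ValueError:
        return False  # fail closed on anything unparseable
    return any(ip.version == net.version and ip in net for net in LOVABLE_RANGES)

def audit(log_lines):
    """Return (peer, path) for requests whose peer is outside the allowlist.
    Assumed (hypothetical) log format: '<peer_ip> <method> <path>'."""
    rejected = []
    for line in log_lines:
        peer, _method, path = line.split(maxsplit=2)
        if not is_lovable_gateway(peer):
            rejected.append((peer, path))
    return rejected

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "185.41.150.17 POST /hooks/orders",
    "185.41.150.200 POST /hooks/orders",    # same /24, but outside the /25
    "::ffff:185.41.150.90 GET /api/items",  # IPv4-mapped form of an in-range peer
    "2a07:8241:fca:12::5 GET /api/items",
    "2a07:8241:fcb::1 GET /api/items",      # adjacent /48, not allowlisted
    "not-an-ip GET /api/items",
]

if __name__ == "__main__":
    for peer, path in audit(SAMPLE_LOG):
        print(f"outside allowlist: {peer} -> {path}")
```

Apply the check to the TCP peer address your server or firewall observes; a client-supplied header such as `X-Forwarded-For` is only meaningful when it was set by a proxy you control.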
Domain restrictions
Some connectors and third-party services let you restrict a key to a set of domains (sometimes called referrer, origin, or HTTP referrer restrictions). When a key is used in your app’s frontend code, such as the Logo.dev or Google Maps Platform browser key, domain restrictions limit where the key works so it can’t be reused elsewhere. For keys or systems that support domain restrictions, add the domains where Lovable serves your app:
- *.lovable.app/*
- *.lovable.dev/*
- *.lovableproject.com/*
- your production domain