Skip to content

How your published app and its data are kept safe

All plans Admin

When you build an app with Onplana Maker, the AI writes the code, runs it, and publishes it to a live onplana.app URL. This page explains how that stays safe, both for you and for anyone who visits your app, and the one thing that is your responsibility.

  • Every build runs in an isolated, single-use sandbox. Your app can never see another customer’s app, data, or credentials.
  • Your published app is public. Anything in it, including any secret you paste into the code, is readable by anyone who visits the URL.
  • App secrets stay off the public page. Store keys in the app secret store, not in your source, and they never ship in the published bundle.
  • We scan every publish for hardcoded credentials and warn you if we spot one.
  • Published apps are served over HTTPS with a web application firewall, are not search-indexed by default, and can be reported and taken down if abused.

The AI agent that builds your app can only write files inside your own app. It cannot run arbitrary commands, reach the network on its own, or read anything outside your project. So even if you paste something unusual into your app description, the result is bounded to your app, which publishes to your own URL.

A published app is static and world-readable at its onplana.app URL. That means anything embedded in the code, an API key, a password, a token, is visible to anyone who opens it or views the page source.

So the rule is simple: never hardcode a secret into your app. Use the app secret store instead. Secrets you add there are kept in Onplana’s backend and are never included in the published bundle, the AI agent that builds your app never sees them either.

As a safety net, every publish is scanned for things that look like hardcoded credentials (API keys, tokens, private keys). If we find one, you get a warning at publish time, the publish still succeeds, so a false positive never blocks you, but you should remove the key and move it to the secret store.

  • HTTPS everywhere, with HTTP Strict Transport Security so browsers only ever connect securely.
  • A web application firewall in front of every onplana.app app.
  • Not indexed by search engines by default, your app is not advertised to the world unless you share the link.
  • Abuse reporting and takedown: anyone can report an app that violates the acceptable-use policy. Reports are reviewed, and an abusive app can be taken offline. If your app is taken down by mistake, you can appeal. See Publishing apps, limits, and reporting abuse.
  • Don’t hardcode secrets. Use the app secret store.
  • Don’t build or publish abusive content (phishing, malware, spam, anything against the acceptable-use policy), a published app is yours, and you’re accountable for what it does.
  • Rotate anything you exposed. If you published a real credential, assume it’s compromised.

Can another Onplana user see my app or its data while it’s building? No. Each build is isolated in its own sandbox with no path to other tenants.

If I put my Stripe key in the code, is it safe? No, a published app is public, so a key in the code is exposed. Put it in the app secret store instead. We’ll warn you at publish time if we detect one in the code.

Is my app visible to the whole internet the moment I publish? It’s reachable at its URL, but it is not search-indexed by default. It’s discoverable mainly by people you share the link with.